From MailScanner at ecs.soton.ac.uk Fri Aug 1 10:09:53 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 1 10:10:11 2008 Subject: dying children? In-Reply-To: References: <488EF29A.6C9D.008D.0@usm.maine.edu> <7d9b3cf20807290752l1a422d5fm841727198b337990@mail.gmail.com> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> Message-ID: <4892D2E1.1010109@ecs.soton.ac.uk> Richard Siddall wrote: > Julian Field wrote: >> Someone else showed me a message that suffered the same problem a few >> weeks ago. Unfortunately I don't think there's anything I can do >> about it, sorry. It's to do with nesting in the HTML analysis code. >> Once it gets too nested up, Perl segfaults. >> >> Jules >> > > Jules, > > Does that mean it's something like an out-of-memory error in one of > the CPAN modules? Can we fix it by getting the module author to > handle excessive nesting? The most likely culprit is HTML::Parser, but I have direct evidence to back that. I just know that it's in the HTML parsing where it falls over. Does HTML::Parser contain any non-Perl code? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From housey at sme-ecom.co.uk Fri Aug 1 10:48:07 2008 From: housey at sme-ecom.co.uk (Paul Houselander (SME)) Date: Fri Aug 1 10:48:35 2008 Subject: Spam from Free mail accounts Message-ID: <00a101c8f3bb$b387e240$1a97a6c0$@co.uk> Hi Just wondered if anyone else was experiencing a lot of spam getting through that has been sent from yahoo.com, hotmail.com accounts etc.. Have seen a big increase in the last couple of weeks, they do actually come from hotmails and yahoo's servers so the network based checks don't flag anything. I added a plugin from http://sa.hege.li/FreeMail.pm which just checks if the message is from a freemail account, which is working but a lot of my users receive legitimate mail from hotmail etc. so I can't score to highly (currently set to 1). The messages aren't really hitting any other rules (I use SA 3.2.5, sa-update daily, SARE, KAM, DCC, razor, pyzor) - my BAYES db has been running for some time so I've removed it and started again with the starter one from fsl.com Subjects are pretty random Beauty latin girl posing bill pain Kuuimshot on boiiobs hole teeth Inteirraciial pee threesome bat cook Cindy gaping snatch and Office glrIs in stockings Just wondered if anyone else was seeing the same? Cheers Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080801/ae95152c/attachment.html From steve.freegard at fsl.com Fri Aug 1 11:35:42 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Aug 1 11:35:54 2008 Subject: Spam from Free mail accounts In-Reply-To: <00a101c8f3bb$b387e240$1a97a6c0$@co.uk> References: <00a101c8f3bb$b387e240$1a97a6c0$@co.uk> Message-ID: <4892E6FE.7050902@fsl.com> Hi Paul, Paul Houselander (SME) wrote: > Hi > > > Just wondered if anyone else was experiencing a lot of spam getting > through that has been sent from yahoo.com, hotmail.com accounts etc?. 
>
> Have seen a big increase in the last couple of weeks, they do actually
> come from hotmails and yahoo's servers so the network based checks don't
> flag anything.

I've been getting a lot of hits from these on our spam trap too.

You can get network tests to work on Yahoo and Hotmail as they supply the injection IP address in the headers (either through a Received or X-Originating-IP).

The CBL (e.g. Spamhaus XBL works pretty good on some of these injection addresses) however SpamAssassin isn't configured to do these tests.

These rules will enable XBL tests on all the received headers for messages from Yahoo and Hotmail and should not cause FPs:

# Freemailers
header __FSL_HOST_YAHOO Received =~ /\.yahoo\.com/
header __FSL_HOST_HOTMAIL Received =~ /\.hotmail\.com/

# Check for SBL/XBL listings for all received headers from Yahoo and Hotmail
header __FSL_DEEP_RCVD_IN_SBLXBL eval:check_rbl_sub('zen','127.0.0.[2345678]')
tflags __FSL_DEEP_RCVD_IN_SBLXBL net
meta FSL_FREEMAIL_SBLXBL __FSL_DEEP_RCVD_IN_SBLXBL && (__FSL_HOST_YAHOO || __FSL_HOST_HOTMAIL)
score FSL_FREEMAIL_SBLXBL 4.0

I've also got another rule that nukes all the mail to the trap, but isn't really tested well for FPs:

header __FSL_RCVD_YAHOO_BOT Received =~ /from unknown \(HELO (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \(\S+@\1 with login\)/
meta FSL_YAHOO_BOT __FSL_HOST_YAHOO && __FSL_RCVD_YAHOO_BOT
score FSL_YAHOO_BOT 3.0

Feel free to score it low and see if it hits the junk you are getting and then increase the score if it does.

> I added a plugin from http://sa.hege.li/FreeMail.pm which just checks if
> the message is from a freemail account, which is working but a lot of my
> users receive legitimate mail from hotmail etc. so I can't score too
> highly (currently set to 1).

FreeMail.pm isn't really meant for scoring messages from freemail providers (although you can do this like you are); but it's more for catching 419 scams that typically come from one FreeMail address and ask you to send details to another different freemail address (which it works pretty well on).

>
> Just wondered if anyone else was seeing the same?
>

Yup - I'm scoring them just high enough to mark them as spam:

Jul 31 22:19:18 mail spamd[18417]: spamd: result: Y 6 - BMX_GREY,FROM_FREEMAIL,FSL_YAHOO_BOT,RCVD_NUMERIC_HELO,FSL_FREEMAIL_SBLXBL scantime=1.5,size=2311,user=(unknown),uid=99,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35384,mid=,autolearn=disabled,shortcircuit=no

Kind regards,
Steve.

From ram at netcore.co.in Fri Aug 1 12:42:48 2008
From: ram at netcore.co.in (ram)
Date: Fri Aug 1 12:43:08 2008
Subject: Custom spam scanner score not getting added
Message-ID: <1217590968.1894.45.camel@darkstar.netcore.co.in>

I have MailScanner 4.64 on my servers where I see that sometimes the score given by is not added to the total score while marking a mail spam.

So if SpamAssassin returns 0 score and Custom Scanner returns 7 the mail should be marked as spam. In most cases this works but some mails strangely enough don't get marked spam.

It happens rarely, 3-4 times in a day, and is not replicated, so I don't know how do I check this.

Any pointers ??

Thanks
Ram

From davejenx at googlemail.com Fri Aug 1 12:58:57 2008
From: davejenx at googlemail.com (Dave Jenkins)
Date: Fri Aug 1 12:59:06 2008
Subject: Basic Postfix/MS question: avoid scanning mail for invalid recipients
Message-ID:

Hi,

We have Postfix/MS/SA running on our main & backup mail servers. The main server is both incoming MX and outgoing, auth required. We'd like every mail to a valid recipient to be scanned, but don't want to waste CPU scanning mail to invalid recipients.

Main MX: am I right in thinking Postfix will remove mail to invalid recipients before it gets to MS & so that setting MS to scan everything will achieve what we want? Backup MX: I've written a script to turn /etc/postfix/virtusertable from the main MX into a valid rules file to be rsync'd to the backup MX's rules directory, is that a sensible approach? Does MS need to be restarted when the rules files are updated? Thanks and sorry for the basic nature of the question, Dave CentOS 5.2 postfix-2.3.3-2 mailscanner-4.69.8-1 spamassassin-3.1.9-1.el5 From ram at netcore.co.in Fri Aug 1 13:50:39 2008 From: ram at netcore.co.in (ram) Date: Fri Aug 1 13:50:55 2008 Subject: Basic Postfix/MS question: avoid scanning mail for invalid recipients In-Reply-To: References: Message-ID: <1217595039.1894.59.camel@darkstar.netcore.co.in> On Fri, 2008-08-01 at 12:58 +0100, Dave Jenkins wrote: > Hi, > > We have Postfix/MS/SA running on our main & backup mail servers. The > main server is both incoming MX and outgoing, auth required. We'd like > every mail to a valid recipient to be scanned, but don't want to waste > CPU scanning mail to invalid recipients. > MailScanner is not involved here at all Deal with invalid recipients at postfix level. Do not accept mails for invalid recipients at all by using recipient checks right at the entry point. That way you save a lot of resources and avoid sending misdirected bounces > Main MX: am I right in thinking Postfix will remove mail to invalid > recipients before it gets to MS & so that setting MS to scan > everything will achieve what we want? > > Backup MX: I've written a script to turn /etc/postfix/virtusertable > from the main MX into a valid rules file to be rsync'd to the backup > MX's rules directory, is that a sensible approach? Does MS need to be > restarted when the rules files are updated? > Yes Using a virtusertable with all valid recipients is a good way for this Use a hash/CDB database. You will not have restart anything. 
Just postmap the file and you are done Thanks Ram From drew.marshall at technologytiger.net Fri Aug 1 14:30:11 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Fri Aug 1 14:30:24 2008 Subject: dying children? In-Reply-To: <4892D2E1.1010109@ecs.soton.ac.uk> References: <488EF29A.6C9D.008D.0@usm.maine.edu> <7d9b3cf20807290752l1a422d5fm841727198b337990@mail.gmail.com> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> <4892D2E1.1010109@ecs.soton.ac.uk> Message-ID: <628C0D7B-180D-4595-BFD8-2202512AA5A7@technologytiger.net> On 1 Aug 2008, at 10:09, Julian Field wrote: > > Richard Siddall wrote: >> Julian Field wrote: >>> Someone else showed me a message that suffered the same problem a >>> few weeks ago. Unfortunately I don't think there's anything I can >>> do about it, sorry. It's to do with nesting in the HTML analysis >>> code. Once it gets too nested up, Perl segfaults. >>> >>> Jules >>> >> >> Jules, >> >> Does that mean it's something like an out-of-memory error in one of >> the CPAN modules? Can we fix it by getting the module author to >> handle excessive nesting? > The most likely culprit is HTML::Parser, but I have direct evidence > to back that. I just know that it's in the HTML parsing where it > falls over. Does HTML::Parser contain any non-Perl code? Jules I seem to get a number of, what I think are, these types of mail that choke MS and hold the child process up until it times out. Is there any way that a mail that causes this sort of time out to be automatically quarantined? Perhaps by changing the scan time out from a batch time out to a message time out? 
The problem that I see is that if a batch has 10 messages in it (Often mainly Spam) 1 of the messages chokes spam scanning, the whole batch times out and lets the all the other spam messages through for delivery. The benefit of quarantining is that: 1. I can find the dodgy message and perhaps we can find a solution to a common problem 2. If it's spam the user won't care 3. Users will be notified as normal (E.g. through Mail Watch notification or warning message etc depending on set up) 4. All other users still get their mail scanned While I can't code, I'm happy to test! Kind regards Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From MailScanner at ecs.soton.ac.uk Fri Aug 1 14:36:42 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 1 14:37:03 2008 Subject: dying children? In-Reply-To: References: <488EF29A.6C9D.008D.0@usm.maine.edu> <7d9b3cf20807290752l1a422d5fm841727198b337990@mail.gmail.com> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> <4892D2E1.1010109@ecs.soton.ac.uk> Message-ID: <4893116A.6040902@ecs.soton.ac.uk> Drew Marshall wrote: > On 1 Aug 2008, at 10:09, Julian Field wrote: >> >> Richard Siddall wrote: >>> Julian Field wrote: >>>> Someone else showed me a message that suffered the same problem a >>>> few weeks ago. Unfortunately I don't think there's anything I can >>>> do about it, sorry. It's to do with nesting in the HTML analysis >>>> code. 
Once it gets too nested up, Perl segfaults. >>>> >>>> Jules >>>> >>> >>> Jules, >>> >>> Does that mean it's something like an out-of-memory error in one of >>> the CPAN modules? Can we fix it by getting the module author to >>> handle excessive nesting? >> The most likely culprit is HTML::Parser, but I have direct evidence >> to back that. I just know that it's in the HTML parsing where it >> falls over. Does HTML::Parser contain any non-Perl code? > > > Jules > > I seem to get a number of, what I think are, these types of mail that > choke MS and hold the child process up until it times out. Is there > any way that a mail that causes this sort of time out to be > automatically quarantined? Perhaps by changing the scan time out from > a batch time out to a message time out? > > The problem that I see is that if a batch has 10 messages in it (Often > mainly Spam) 1 of the messages chokes spam scanning, the whole batch > times out and lets the all the other spam messages through for delivery. It's not a timeout issue. If it hits this, it brings the entire Perl system crashing down. Wrapping it in an eval and timeout may not help. It would certainly add more overhead. I am open to all suggestions though! > > The benefit of quarantining is that: > 1. I can find the dodgy message and perhaps we can find a solution to > a common problem > 2. If it's spam the user won't care > 3. Users will be notified as normal (E.g. through Mail Watch > notification or warning message etc depending on set up) > 4. All other users still get their mail scanned > > While I can't code, I'm happy to test! 
> > Kind regards > > Drew > > -- > In line with our policy, this message has been scanned for viruses and > dangerous > content by Technology Tiger's Mail Launder system > Our email policy can be found at www.technologytiger.net/policy > > Technology Tiger Limited is registered in Scotland with registration > number: 310997 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew.marshall at technologytiger.net Fri Aug 1 14:50:57 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Fri Aug 1 14:51:14 2008 Subject: dying children? In-Reply-To: <4893116A.6040902@ecs.soton.ac.uk> References: <488EF29A.6C9D.008D.0@usm.maine.edu> <7d9b3cf20807290752l1a422d5fm841727198b337990@mail.gmail.com> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> <4892D2E1.1010109@ecs.soton.ac.uk> <4893116A.6040902@ecs.soton.ac.uk> Message-ID: <690B1A23-E2F2-4FC3-82A1-4FD4D5C53681@technologytiger.net> On 1 Aug 2008, at 14:36, Julian Field wrote: > > > Drew Marshall wrote: >> On 1 Aug 2008, at 10:09, Julian Field wrote: >>> >>> Richard Siddall wrote: >>>> Julian Field wrote: >>>>> Someone else showed me a message that suffered the same problem >>>>> a few weeks ago. 
Unfortunately I don't think there's anything I >>>>> can do about it, sorry. It's to do with nesting in the HTML >>>>> analysis code. Once it gets too nested up, Perl segfaults. >>>>> >>>>> Jules >>>>> >>>> >>>> Jules, >>>> >>>> Does that mean it's something like an out-of-memory error in one >>>> of the CPAN modules? Can we fix it by getting the module author >>>> to handle excessive nesting? >>> The most likely culprit is HTML::Parser, but I have direct >>> evidence to back that. I just know that it's in the HTML parsing >>> where it falls over. Does HTML::Parser contain any non-Perl code? >> >> >> Jules >> >> I seem to get a number of, what I think are, these types of mail >> that choke MS and hold the child process up until it times out. Is >> there any way that a mail that causes this sort of time out to be >> automatically quarantined? Perhaps by changing the scan time out >> from a batch time out to a message time out? >> >> The problem that I see is that if a batch has 10 messages in it >> (Often mainly Spam) 1 of the messages chokes spam scanning, the >> whole batch times out and lets the all the other spam messages >> through for delivery. > It's not a timeout issue. If it hits this, it brings the entire Perl > system crashing down. Wrapping it in an eval and timeout may not > help. It would certainly add more overhead. > > I am open to all suggestions though! Ahh, I see. Can I request this anyway? I am seeing a number of time outs (Like upwards of 50 since midnight today!) from SpamAssassin which I just can't diagnose. The problem message always seems to stop at the point it starts running body checks (Or at least that's the line it displays last before hanging). I have done all the usual stuff but as I can't easily capture the problem messages as they are delivered after the time out limit is hit, I am struggling to put them somewhere for some expert help. 
Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From MailScanner at ecs.soton.ac.uk Fri Aug 1 14:59:22 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 1 14:59:41 2008 Subject: dying children? In-Reply-To: References: <488EF29A.6C9D.008D.0@usm.maine.edu> <7d9b3cf20807290752l1a422d5fm841727198b337990@mail.gmail.com> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> <4892D2E1.1010109@ecs.soton.ac.uk> <4893116A.6040902@ecs.soton.ac.uk> Message-ID: <489316BA.9090304@ecs.soton.ac.uk> Drew Marshall wrote: > On 1 Aug 2008, at 14:36, Julian Field wrote: > >> >> >> Drew Marshall wrote: >>> On 1 Aug 2008, at 10:09, Julian Field wrote: >>>> >>>> Richard Siddall wrote: >>>>> Julian Field wrote: >>>>>> Someone else showed me a message that suffered the same problem a >>>>>> few weeks ago. Unfortunately I don't think there's anything I can >>>>>> do about it, sorry. It's to do with nesting in the HTML analysis >>>>>> code. Once it gets too nested up, Perl segfaults. >>>>>> >>>>>> Jules >>>>>> >>>>> >>>>> Jules, >>>>> >>>>> Does that mean it's something like an out-of-memory error in one >>>>> of the CPAN modules? Can we fix it by getting the module author >>>>> to handle excessive nesting? >>>> The most likely culprit is HTML::Parser, but I have direct evidence >>>> to back that. I just know that it's in the HTML parsing where it >>>> falls over. 
Does HTML::Parser contain any non-Perl code? >>> >>> >>> Jules >>> >>> I seem to get a number of, what I think are, these types of mail >>> that choke MS and hold the child process up until it times out. Is >>> there any way that a mail that causes this sort of time out to be >>> automatically quarantined? Perhaps by changing the scan time out >>> from a batch time out to a message time out? >>> >>> The problem that I see is that if a batch has 10 messages in it >>> (Often mainly Spam) 1 of the messages chokes spam scanning, the >>> whole batch times out and lets the all the other spam messages >>> through for delivery. >> It's not a timeout issue. If it hits this, it brings the entire Perl >> system crashing down. Wrapping it in an eval and timeout may not >> help. It would certainly add more overhead. >> >> I am open to all suggestions though! > > Ahh, I see. Can I request this anyway? I am seeing a number of time > outs (Like upwards of 50 since midnight today!) from SpamAssassin > which I just can't diagnose. The problem message always seems to stop > at the point it starts running body checks (Or at least that's the > line it displays last before hanging). I have done all the usual stuff > but as I can't easily capture the problem messages as they are > delivered after the time out limit is hit, I am struggling to put them > somewhere for some expert help. I've actually got a couple of things to go to this weekend, so may well not have much time for coding. It may be the start of next week.... Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew.marshall at technologytiger.net Fri Aug 1 15:25:30 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Fri Aug 1 15:25:48 2008 Subject: dying children? In-Reply-To: <489316BA.9090304@ecs.soton.ac.uk> References: <488EF29A.6C9D.008D.0@usm.maine.edu> <7d9b3cf20807290752l1a422d5fm841727198b337990@mail.gmail.com> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> <4892D2E1.1010109@ecs.soton.ac.uk> <4893116A.6040902@ecs.soton.ac.uk> <489316BA.9090304@ecs.soton.ac.uk> Message-ID: <8376FFE8-E233-4F29-B8C2-48EAB869CB93@technologytiger.net> On 1 Aug 2008, at 14:59, Julian Field wrote: > I've actually got a couple of things to go to this weekend, so may > well not have much time for coding. > > It may be the start of next week.... That would be really, really great! Thanks! Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From richard.siddall at elirion.net Fri Aug 1 15:30:22 2008 From: richard.siddall at elirion.net (Richard Siddall) Date: Fri Aug 1 15:30:42 2008 Subject: dying children? 
In-Reply-To: <4892D2E1.1010109@ecs.soton.ac.uk> References: <488EF29A.6C9D.008D.0@usm.maine.edu> <7d9b3cf20807290752l1a422d5fm841727198b337990@mail.gmail.com> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> <4892D2E1.1010109@ecs.soton.ac.uk> Message-ID: <48931DFE.1030600@elirion.net> Julian Field wrote: > The most likely culprit is HTML::Parser, but I have direct evidence to > back that. I just know that it's in the HTML parsing where it falls > over. Does HTML::Parser contain any non-Perl code? > > Jules > Looks like it contains some 'C'. The Makefile.PL on http://search.cpan.org lists this: > H => [ "hparser.h", "hctype.h", "tokenpos.h", "pfunc.h", > "hparser.c", "util.c", Regards, Richard. From andrew at gdcon.net Fri Aug 1 17:37:47 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Fri Aug 1 17:36:52 2008 Subject: Stable release Message-ID: One for Julian I guess - Are you able to give any indication of when the next stable release will be? Thanks, Andrew -- This message was scanned by ESVA and is believed to be clean. From housey at sme-ecom.co.uk Fri Aug 1 17:51:16 2008 From: housey at sme-ecom.co.uk (Paul Houselander (SME)) Date: Fri Aug 1 17:51:43 2008 Subject: Spam from Free mail accounts In-Reply-To: <4892E6FE.7050902@fsl.com> References: <00a101c8f3bb$b387e240$1a97a6c0$@co.uk> <4892E6FE.7050902@fsl.com> Message-ID: <006301c8f3f6$d09a59e0$71cf0da0$@co.uk> > > Just wondered if anyone else was experiencing a lot of spam getting > > through that has been sent from yahoo.com, hotmail.com accounts etc.. 
> > > > Have seen a big increase in the last couple of weeks, they do > actually > > come from hotmails and yahoo's servers so the network based checks > don't > > flag anything. > > > I've been getting a lot of hits from these on our spam trap too. > > You can get network tests to work on Yahoo and Hotmail as they supply > the injection IP address in the headers (either through a Received or > X-Originating-IP). > > The CBL (e.g. Spamhaus XBL works pretty good on some of these injection > addresses) however SpamAssassin isn't configured to do these tests. > > These rules will enable XBL tests on all the received headers for > messages from Yahoo and Hotmail and should not cause FPs: > > # Freemailers > header __FSL_HOST_YAHOO Received =~ /\.yahoo\.com/ > header __FSL_HOST_HOTMAIL Received =~ /\.hotmail\.com/ > > # Check for SBL/XBL listings for all received headers from Yahoo and > Hotmail > header __FSL_DEEP_RCVD_IN_SBLXBL > eval:check_rbl_sub('zen','127.0.0.[2345678]') > tflags __FSL_DEEP_RCVD_IN_SBLXBL net > meta FSL_FREEMAIL_SBLXBL __FSL_DEEP_RCVD_IN_SBLXBL && (__FSL_HOST_YAHOO > || __FSL_HOST_HOTMAIL) > score FSL_FREEMAIL_SBLXBL 4.0 > > Thanks steve above rule seems to have done the trick! Catching quite a few with zero fp's so far Thanks again! Paul From rpoe at plattesheriff.org Fri Aug 1 18:56:28 2008 From: rpoe at plattesheriff.org (Rob Poe) Date: Fri Aug 1 18:57:26 2008 Subject: Spamassassin is slow - any tips or good commercial alternative? In-Reply-To: <491b01c8d1a5$1fa51260$0300a8c0@CharlieCompaq> References: <491b01c8d1a5$1fa51260$0300a8c0@CharlieCompaq> Message-ID: <489307FB.65ED.00A2.0@plattesheriff.org> >>> The concern is that I am eventually looking to have over 10,000 >>> users, so will be receiving, and then sending, multiple emails per >>> second. >>> Even now, with only 1,500 users, people have started reporting "Too >> many concurrent SMTP connections; Please try again later" > > Thank you James - this will be very helpful I suspect. 
> We also are using Exim as the MTA, so any specific config advice for Exim > would also be greatly appreciated :) > BTW we are using one server (Pentium 4, 2.4GHz, 1GB RAM), currently have > 1500 active paid users, > and am expecting up to 10,000-15,000 active paid users in the future (say, > 1 or 2 years from now). I'd expect that only ONE P4 2.4 1g isn't enough ... If it were my configuration and I had that many users, I'd probably go more into the Core2/Xeon/some other kind of multi-core or multi processor setup, and go with at least 4 gigs of ram, making sure you also focus on using FAST drives (10k SAS raid0+1) From MailScanner at ecs.soton.ac.uk Fri Aug 1 20:34:00 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 1 20:34:06 2008 Subject: Stable release In-Reply-To: References: Message-ID: <48936528.2010300@ecs.soton.ac.uk> Once there's enough new stuff to justify it. At a guess, probably the start of September. Things are usually pretty quiet at this time of year, and the Change Log for the current beta is still pretty short. Hope that's enough to answer your question. Do you need a release earlier than that? The current beta doesn't have any "beta" code in it, it could become a stable release at any time. Jules. Andrew MacLachlan wrote: > One for Julian I guess - Are you able to give any indication of when the > next stable release will be? > > Thanks, > Andrew > > > -- > This message was scanned by ESVA and is believed to be clean. > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
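
The checks in the SpamAssassin rules Steve Freegard posted earlier in this archive (freemail relay named in Received, relay IPs looked up in zen with replies 127.0.0.2 to 127.0.0.8, and the "HELO a.b.c.d ... with login" pattern), modelled in Python as an added example that is not part of the original posts or of SpamAssassin. The headers, addresses and DNSBL answers are constructed, the lookup is a stub standing in for DNS, and scanning X-Originating-IP alongside Received is an assumption of this sketch rather than SpamAssassin's own relay logic.

```python
import email
import ipaddress
import re
from email import policy

# Patterns and scores copied from the rules quoted in the thread.
HOST_YAHOO = re.compile(r"\.yahoo\.com")
HOST_HOTMAIL = re.compile(r"\.hotmail\.com")
YAHOO_BOT = re.compile(
    r"from unknown \(HELO (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) "
    r"\(\S+@\1 with login\)"
)
SBLXBL_REPLY = re.compile(r"^127\.0\.0\.[2345678]$")
SCORES = {"FSL_FREEMAIL_SBLXBL": 4.0, "FSL_YAHOO_BOT": 3.0}

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Loopback and RFC 1918 space is never worth a DNSBL query.
SKIP = [ipaddress.ip_network(n) for n in
        ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def unfolded(msg, name):
    """All values of one header, with folding whitespace collapsed."""
    return [" ".join(str(v).split()) for v in msg.get_all(name, [])]


def candidate_ips(msg):
    """IPv4 addresses found in Received and X-Originating-IP, in order, deduplicated."""
    seen = []
    for value in unfolded(msg, "Received") + unfolded(msg, "X-Originating-IP"):
        for text in IPV4.findall(value):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. an octet above 255
                continue
            if text not in seen and not any(ip in net for net in SKIP):
                seen.append(text)
    return seen


def zen_query_name(ip):
    """DNSBL query name: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + ".zen.spamhaus.org"


def evaluate(raw, lookup):
    """Apply both meta rules; lookup(name) returns the A records for a query name."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = unfolded(msg, "Received")
    yahoo = any(HOST_YAHOO.search(r) for r in received)
    hotmail = any(HOST_HOTMAIL.search(r) for r in received)
    listed = [ip for ip in candidate_ips(msg)
              if any(SBLXBL_REPLY.match(a) for a in lookup(zen_query_name(ip)))]
    hits = []
    if listed and (yahoo or hotmail):
        hits.append("FSL_FREEMAIL_SBLXBL")
    if yahoo and any(YAHOO_BOT.search(r) for r in received):
        hits.append("FSL_YAHOO_BOT")
    return {"hits": sorted(hits), "listed": listed,
            "score": sum((SCORES[h] for h in hits), 0.0)}


# Constructed sample data (documentation address ranges, invented host names).
CONSTRUCTED_ZEN = {"77.113.0.203.zen.spamhaus.org": ["127.0.0.4"]}


def constructed_lookup(name):
    return CONSTRUCTED_ZEN.get(name, [])


SAMPLE_YAHOO_BOT = (
    "Received: from n7.bullet.mail.example.yahoo.com (198.51.100.25)\n"
    "  by mx.example.org with ESMTP; Fri, 1 Aug 2008 09:00:02 +0100\n"
    "Received: from unknown (HELO 203.0.113.77)\n"
    "  (someuser@203.0.113.77 with login)\n"
    "  by smtp101.mail.example.yahoo.com with SMTP; 1 Aug 2008 08:00:01 -0000\n"
    "From: someuser@yahoo.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

SAMPLE_HOTMAIL_CLEAN = (
    "Received: from bay0-omc1.example.hotmail.com (198.51.100.40)\n"
    "  by mx.example.org with ESMTP; Fri, 1 Aug 2008 09:05:00 +0100\n"
    "X-Originating-IP: [203.0.113.9]\n"
    "From: friend@hotmail.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, raw in (("yahoo bot", SAMPLE_YAHOO_BOT),
                       ("hotmail clean", SAMPLE_HOTMAIL_CLEAN)):
        print(label, evaluate(raw, constructed_lookup))
```
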
From MailScanner at ecs.soton.ac.uk Fri Aug 1 20:36:51 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 1 20:37:00 2008 Subject: Spamassassin is slow - any tips or good commercial alternative? In-Reply-To: References: <491b01c8d1a5$1fa51260$0300a8c0@CharlieCompaq> Message-ID: <489365D3.3070408@ecs.soton.ac.uk> Rob Poe wrote: >>>> The concern is that I am eventually looking to have over 10,000 >>>> users, so will be receiving, and then sending, multiple emails per >>>> second. >>>> Even now, with only 1,500 users, people have started reporting "Too >>>> >>> many concurrent SMTP connections; Please try again later" >>> >> Thank you James - this will be very helpful I suspect. >> We also are using Exim as the MTA, so any specific config advice for Exim >> would also be greatly appreciated :) >> BTW we are using one server (Pentium 4, 2.4GHz, 1GB RAM), currently have >> 1500 active paid users, >> and am expecting up to 10,000-15,000 active paid users in the future (say, >> 1 or 2 years from now). >> > > I'd expect that only ONE P4 2.4 1g isn't enough ... > > If it were my configuration and I had that many users, I'd probably go more into the Core2/Xeon/some other kind of multi-core or multi processor setup, and go with at least 4 gigs of ram, making sure you also focus on using FAST drives (10k SAS raid0+1) > Get an evaluation licence for BarricadeMX from Fort Systems (www.fsl.com). This is a *very* good anti-spam system that costs less than any of the other decent commercial alternatives. Even an old server should be able to handle near 1 million SMTP connections per day without any difficulty. Put MailScanner and SpamAssassin behind it to clean up what it misses and you have a *superb* system for very little money. They do 30 day eval licences for free so you can try it out. It's very quick to deploy and test, and they will happily help you with that, as will I. Give it a go, you won't be disappointed. 
Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From andrew at gdcon.net Fri Aug 1 21:09:10 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Fri Aug 1 21:08:13 2008
Subject: Stable release
In-Reply-To: <48936528.2010300@ecs.soton.ac.uk>
References: <48936528.2010300@ecs.soton.ac.uk>
Message-ID:

No rush - it's just so I can set expectations for the next major update
for ESVA (and so I have an idea myself!)
To be honest, the longer between releases the better for me anyway...

Thanks again,
- Andy

On Fri, August 1, 2008 8:34 pm, Julian Field wrote:
> Once there's enough new stuff to justify it. At a guess, probably the
> start of September. Things are usually pretty quiet at this time of
> year, and the Change Log for the current beta is still pretty short.
>
> Hope that's enough to answer your question. Do you need a release
> earlier than that? The current beta doesn't have any "beta" code in it,
> it could become a stable release at any time.
>
> Jules.

--
This message was scanned by ESVA and is believed to be clean.

From william at observi.com.br Fri Aug 1 21:23:39 2008
From: william at observi.com.br (William A. Knob)
Date: Fri Aug 1 21:22:15 2008
Subject: Allow/Deny Filenames by user
Message-ID: <489370CB.2010503@observi.com.br>

Hi,

I need to make different rules for different users, but it is not working...
That's my setup:

MailScanner.conf:
Allow Filenames = %etc-dir%/rules/filename-allow.rules
Deny Filenames = %etc-dir%/rules/filename-deny.rules

On filename-allow.rule I have: To: william@domain.com \.jpg$

On filename-deny.rule I have: To: bira@domain.com \.jpg$

And what happens? When I send a "jpg" file to both of these users, the
file is accepted for both users! But only "william@domain.com" could
receive it.

What is the problem?

Regards,

William

--
This message has been checked by the antivirus system and is believed to be free of danger.

From MailScanner at ecs.soton.ac.uk Fri Aug 1 21:33:24 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 1 21:33:44 2008
Subject: Allow/Deny Filenames by user
In-Reply-To:
References:
Message-ID: <48937314.8040406@ecs.soton.ac.uk>

Now send the mail to william, then a separate email to bira.

A message with 2 recipients is still 1 message. If you need this, you
need to get your MTA to split the message up so that a message only ever
has 1 recipient. There are instructions on how to do this in the wiki at
wiki.mailscanner.info.

Jules.

William A. Knob wrote:
> Hi,
>
> I need to make different rules for different users, but it is not working...
>
> That's my setup:
>
> MailScanner.conf:
> Allow Filenames = %etc-dir%/rules/filename-allow.rules
> Deny Filenames = %etc-dir%/rules/filename-deny.rules
>
>
> On filename-allow.rule I have: To: william@domain.com \.jpg$
>
> On filename-deny.rule I have: To: bira@domain.com \.jpg$
>
>
> And what happens? When I send a "jpg" file to both of these users, the
> file is accepted for both users! But only "william@domain.com" could
> receive it.
>
>
> What is the problem?
>
>
> Regards,
>
>
> William
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From william at observi.com.br Fri Aug 1 21:51:23 2008
From: william at observi.com.br (William A. Knob)
Date: Fri Aug 1 21:49:55 2008
Subject: MTA split message
Message-ID: <4893774B.2070403@observi.com.br>

Julian,

I've read the documentation on the wiki. But, that's the only way?
Running 2 instances of MTA?

Regards,

--
This message has been checked by the antivirus system and is believed to be free of danger.

From andrew at gdcon.net Fri Aug 1 22:01:12 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Fri Aug 1 22:01:30 2008
Subject: MTA split message
In-Reply-To: <4893774B.2070403@observi.com.br>
References: <4893774B.2070403@observi.com.br>
Message-ID: <48937998.8050900@gdcon.net>

William A. Knob wrote:
> Julian,
>
> I've read the documentation on the wiki. But, that's the only way?
> Running 2 instances of MTA?
>
>
> Regards,
>
>

Not sure about other MTAs but for postfix just run:

postconf -e "default_destination_recipient_limit = 1"

and it's configured...

-Andy

--
This message was scanned by ESVA and is believed to be clean.

From adam at electricembers.net Fri Aug 1 22:51:13 2008
From: adam at electricembers.net (Adam Bernstein)
Date: Fri Aug 1 22:51:28 2008
Subject: "Out of memory during request" error during OLE analysis
Message-ID: <48938551.9090008@electricembers.net>

I've got a particular email message causing a problem that looks like a
SpamAssassin issue, except that it doesn't happen when we simply run SA
directly on the message -- it only happens when MS is doing the scanning.

We're running the latest MS 4.70-1 (and SA 3.2.5) on FreeBSD 6.2 with
Perl 5.8.8, and we've got a message with an attachment that's causing MS
to choke.
The attachment is an MS Word doc with base64 encoding, about 150KB, and the handoff to SA works fine but then something goes wrong: Jul 28 13:31:29 smtp1 MailScanner[92705]: New Batch: Scanning 16 messages, 239966 bytes Jul 28 13:31:58 smtp1 MailScanner[92705]: Spam Checks: Found 8 spam messages Jul 28 13:31:58 smtp1 MailScanner[92705]: Spam Checks completed at 8417 bytes per second Jul 28 13:32:27 smtp1 MailScanner[92705]: Skipping OLE document unpacking due to OLE analysis failure If we run MS with Debug Spamassassin = yes, we get this output (see error message at the bottom): [80794] dbg: rules: running head tests; score so far=-2.6 [80794] dbg: locker: safe_lock: created /var/spamassassin/auto-whitelist.mutex [80794] dbg: locker: safe_lock: trying to get lock on /var/spamassassin/auto-whitelist with 30 timeout [80794] dbg: locker: safe_lock: link to /var/spamassassin/auto-whitelist.mutex: link ok [80794] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in /var/spamassassin/auto-whitelist [80794] dbg: auto-whitelist: db-based vrasmussen@stny.rr.com|ip=74.65 scores 466/-1211.6 [80794] dbg: auto-whitelist: AWL active, pre-score: -2.6, autolearn score: -2.6, mean: -2.6, IP: 74.65.68.5 [80794] dbg: auto-whitelist: add_score: new count: 467, new totscore: -1214.2 [80794] dbg: auto-whitelist: DB addr list: untie-ing and unlocking [80794] dbg: auto-whitelist: DB addr list: file locked, breaking lock [80794] dbg: locker: safe_unlock: unlocked /var/spamassassin/auto-whitelist.mutex [80794] dbg: auto-whitelist: post auto-whitelist score: -2.6 [80794] dbg: rules: running body tests; score so far=-2.6 [80794] dbg: rules: running uri tests; score so far=-2.6 [80794] dbg: rules: running rawbody tests; score so far=-2.6 [80794] dbg: rules: running full tests; score so far=-2.6 [80794] dbg: rules: running meta tests; score so far=-2.6 [80794] dbg: plugin: Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x9e04d00) implements 'autolearn_discriminator', priority 0 
[80794] dbg: learn: auto-learn: currently using scoreset 3, recomputing score based on scoreset 1 [80794] dbg: learn: auto-learn: message score: -2.6, computed score for autolearn: 0 [80794] dbg: learn: auto-learn? ham=0.1, spam=10, body-points=0, head-points=0, learned-points=-2.599 [80794] dbg: learn: auto-learn? yes, ham (0 < 0.1) [80794] dbg: learn: initializing learner [80794] dbg: learn: learning ham [80794] dbg: eval: all '*From' addrs: vrasmussen@stny.rr.com [80794] dbg: eval: all '*To' addrs: peter@rachel.org people@poclad.org [80794] dbg: locker: safe_lock: created /var/spamassassin/bayes.mutex [80794] dbg: locker: safe_lock: trying to get lock on /var/spamassassin/bayes with 10 timeout [80794] dbg: locker: safe_lock: link to /var/spamassassin/bayes.mutex: link ok [80794] dbg: bayes: tie-ing to DB file R/W /var/spamassassin/bayes_toks [80794] dbg: bayes: tie-ing to DB file R/W /var/spamassassin/bayes_seen [80794] dbg: bayes: found bayes db version 3 [80794] dbg: bayes: 432a63af2616531619871d341702255a9677ef97@sa_generated already learnt correctly, not learning twice [80794] dbg: bayes: untie-ing [80794] dbg: bayes: files locked, now unlocking lock [80794] dbg: locker: safe_unlock: unlocked /var/spamassassin/bayes.mutex [80794] dbg: learn: initializing learner [80794] dbg: check: is spam? score=-2.6 required=5 [80794] dbg: check: tests=AWL,BAYES_00,SPF_PASS [80794] dbg: check: subtests=__CT,__CTYPE_HAS_BOUNDARY,__DOS_RCVD_SUN,__ENV_AND_HDR_FROM_MATCH,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__LAST_UNTRUSTED_RELAY_NO_AUTH,__MIME_ATTACHMENT,__MIME_BASE64,__MIME_VERSION,__MISSING_REF,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__PART_STOCK_CD_F,__RCVD_IN_DNSWL,__RCVD_IN_SORBS,__RCVD_IN_ZEN,__SANE_MSGID,__TOCC_EXISTS [80794] dbg: learn: auto-learn? ham=0.1, spam=10, body-points=0, head-points=0, learned-points=-2.599 [80794] dbg: learn: auto-learn? 
yes, ham (0 < 0.1) [80794] dbg: learn: initializing learner [80794] dbg: learn: learning ham [80794] dbg: eval: all '*From' addrs: vrasmussen@stny.rr.com [80794] dbg: eval: all '*To' addrs: peter@rachel.org people@poclad.org [80794] dbg: locker: safe_lock: created /var/spamassassin/bayes.mutex [80794] dbg: locker: safe_lock: trying to get lock on /var/spamassassin/bayes with 10 timeout [80794] dbg: locker: safe_lock: link to /var/spamassassin/bayes.mutex: link ok [80794] dbg: bayes: tie-ing to DB file R/W /var/spamassassin/bayes_toks [80794] dbg: bayes: tie-ing to DB file R/W /var/spamassassin/bayes_seen [80794] dbg: bayes: found bayes db version 3 [80794] dbg: bayes: 432a63af2616531619871d341702255a9677ef97@sa_generated already learnt correctly, not learning twice [80794] dbg: bayes: untie-ing [80794] dbg: bayes: files locked, now unlocking lock [80794] dbg: locker: safe_unlock: unlocked /var/spamassassin/bayes.mutex [80794] dbg: learn: initializing learner Out of memory during request for 268435464 bytes, total sbrk() is 313550848 bytes! Failed. So the problem seems to be happening during the learning phase in SA, except that we can run both spamassassin and sa-learn on this message from the command line, and scanning completes fine and gives the same scoring, and the learning happens fine and the command completes. It's only when MS is calling SA that we see the crash. I find various references to this error message on the net, mostly or always with BSD (not a Linux thing, or at least not commonly), and it seems to indicate that a memory allocation call is going a little crazy and continually grabbing bigger and bigger RAM until it hits the max for the process set by the operating system. It's possible that raising that max would help us, but I think it would just delay the moment at which the process grabs all it can and fails. So we need the call that allocates the memory to be fixed in some way. 
Here's one instance of a similar problem, though maybe not precisely identical: http://www.nntp.perl.org/group/perl.perl5.porters/2007/10/msg129981.html Sorry this report is so long and nebulous, but this is a tricky one. Any help out there? Thanks! adam electric embers worker-owner, sysadmin From rich at mail.wvnet.edu Sat Aug 2 00:08:25 2008 From: rich at mail.wvnet.edu (Richard Lynch) Date: Sat Aug 2 00:08:45 2008 Subject: Spamassassin is slow - any tips or good commercial alternative? In-Reply-To: References: <491b01c8d1a5$1fa51260$0300a8c0@CharlieCompaq> Message-ID: <48939769.5090709@mail.wvnet.edu> Julian Field wrote: > > > Rob Poe wrote: >>>>> The concern is that I am eventually looking to have over 10,000 >>>>> users, so will be receiving, and then sending, multiple emails per >>>>> second. >>>>> Even now, with only 1,500 users, people have started reporting "Too >>>>> >>>> many concurrent SMTP connections; Please try again later" >>>> >>> Thank you James - this will be very helpful I suspect. >>> We also are using Exim as the MTA, so any specific config advice for >>> Exim would also be greatly appreciated :) >>> BTW we are using one server (Pentium 4, 2.4GHz, 1GB RAM), currently >>> have 1500 active paid users, >>> and am expecting up to 10,000-15,000 active paid users in the >>> future (say, 1 or 2 years from now). >>> >> >> I'd expect that only ONE P4 2.4 1g isn't enough ... >> If it were my configuration and I had that many users, I'd probably >> go more into the Core2/Xeon/some other kind of multi-core or multi >> processor setup, and go with at least 4 gigs of ram, making sure you >> also focus on using FAST drives (10k SAS raid0+1) >> > Get an evaluation licence for BarricadeMX from Fort Systems > (www.fsl.com). This is a *very* good anti-spam system that costs less > than any of the other decent commercial alternatives. Even an old > server should be able to handle near 1 million SMTP connections per > day without any difficulty. 
Put MailScanner and SpamAssassin behind it
> to clean up what it misses and you have a *superb* system for very
> little money.
>
> They do 30 day eval licences for free so you can try it out. It's very
> quick to deploy and test, and they will happily help you with that, as
> will I.
>
> Give it a go, you won't be disappointed.
>
> Jules
>

I can give a strong "seconded" to this suggestion. Take a look in the
archives at my post on 7/23/2007 for a testament of our experiences.
That was version 1.0, they are up to version 2.1 now. It's a fine
product with excellent support.

My 2c,
Richard Lynch
WVNET
--

From dave.list at pixelhammer.com Sat Aug 2 04:55:53 2008
From: dave.list at pixelhammer.com (DAve)
Date: Sat Aug 2 04:56:17 2008
Subject: MTA split message
In-Reply-To: <4893774B.2070403@observi.com.br>
References: <4893774B.2070403@observi.com.br>
Message-ID: <4893DAC9.1020504@pixelhammer.com>

William A. Knob wrote:
> Julian,
>
> I've read the documentation on the wiki. But, that's the only way ?
> Running 2 instances of MTA ?
>
>
> Regards,
>
>

Ummm no? MailScanner runs two instances, an inbound mta and an outbound
mta. But to split your messages into single recipients with Sendmail
just requires queue groups which are not difficult to configure.

DAve

--
Don't tell me I'm driving the cart!

From ram at netcore.co.in Sat Aug 2 11:33:03 2008
From: ram at netcore.co.in (ram)
Date: Sat Aug 2 11:33:23 2008
Subject: Spam Lists (DNS blocklists) and trusted networks
Message-ID: <1217673183.1899.86.camel@darkstar.netcore.co.in>

If mail is being relayed to my MailScanner server from a MX server
how do I check RBL's within MailScanner

Can I specify MailScanner to look inside the headers for checking RBL's
1 Hop before the current relay server

I know it is best to check RBL's at the MTA, but I want to use
whitelists overriding RBL checks.
That is why I moved the RBL checks to MailScanner from the MTA Thanks Ram From MailScanner at ecs.soton.ac.uk Sat Aug 2 14:02:04 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 2 14:02:26 2008 Subject: Spam Lists (DNS blocklists) and trusted networks In-Reply-To: References: Message-ID: <48945ACC.4090506@ecs.soton.ac.uk> ram wrote: > If mail is being relayed to my MailScanner server from a MX server > how do I check RBL's within MailScanner > Spam List = ..... in MailScanner.conf. Check in the MailScanner.conf file for the docs on this option, and in spam.lists.conf for a list of all the RBL's that MailScanner already knows about. You can always add more to it if it doesn't contain your favourites already. Also, SpamAssassin will check loads of RBLs for you too and point-score them which may well provide you with better results. > Can I specify MailScanner to look inside the headers for checking RBL's > 1 Hop before the current relay server > SpamAssassin can and will do that for you. I didn't see the point in implementing all of that support when SpamAssassin already does it very well anyway. > I know It is best to check RBL's at the MTA, but I want to use > whitelists overriding RBL checks. That is why I moved the RBL checks to > MailScanner from the MTA > Seems fair, that's what I do too :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sat Aug 2 14:04:01 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 2 14:04:20 2008 Subject: Spamassassin is slow - any tips or good commercial alternative? 
In-Reply-To: References: <491b01c8d1a5$1fa51260$0300a8c0@CharlieCompaq> Message-ID: <48945B41.1070002@ecs.soton.ac.uk> Richard Lynch wrote: > Julian Field wrote: >> >> >> Rob Poe wrote: >>>>>> The concern is that I am eventually looking to have over 10,000 >>>>>> users, so will be receiving, and then sending, multiple emails per >>>>>> second. >>>>>> Even now, with only 1,500 users, people have started reporting "Too >>>>>> >>>>> many concurrent SMTP connections; Please try again later" >>>>> >>>> Thank you James - this will be very helpful I suspect. >>>> We also are using Exim as the MTA, so any specific config advice >>>> for Exim would also be greatly appreciated :) >>>> BTW we are using one server (Pentium 4, 2.4GHz, 1GB RAM), currently >>>> have 1500 active paid users, >>>> and am expecting up to 10,000-15,000 active paid users in the >>>> future (say, 1 or 2 years from now). >>>> >>> >>> I'd expect that only ONE P4 2.4 1g isn't enough ... If it were my >>> configuration and I had that many users, I'd probably go more into >>> the Core2/Xeon/some other kind of multi-core or multi processor >>> setup, and go with at least 4 gigs of ram, making sure you also >>> focus on using FAST drives (10k SAS raid0+1) >>> >> Get an evaluation licence for BarricadeMX from Fort Systems >> (www.fsl.com). This is a *very* good anti-spam system that costs less >> than any of the other decent commercial alternatives. Even an old >> server should be able to handle near 1 million SMTP connections per >> day without any difficulty. Put MailScanner and SpamAssassin behind >> it to clean up what it misses and you have a *superb* system for very >> little money. >> >> They do 30 day eval licences for free so you can try it out. It's >> very quick to deploy and test, and they will happily help you with >> that, as will I. >> >> Give it a go, you won't be disappointed. >> >> Jules >> > I can give a strong "seconded" to this suggestion. 
Take a look in > the archives at my post on 7/23/2007 for a testament of our > experiences. That was version 1.0, they are up to version 2.1 now. > It's a fine product with excellent support. > > My 2c, And one more comment from my users. After I deployed BarricadeMX in addition to my MailScanner setup, my users just reported that "all of a sudden, what little spam there was just stopped, completely". I now reject about 96% of incoming mail, and I have some very idle MXs as BarricadeMX handles about 94% of the incoming mail without ever letting it in the front door. If you want more references from some of my users, just ask and I'll pick random people for comments. They like it! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rich at mail.wvnet.edu Sat Aug 2 15:15:19 2008 From: rich at mail.wvnet.edu (Richard Lynch) Date: Sat Aug 2 15:15:47 2008 Subject: Spamassassin is slow - any tips or good commercial alternative? In-Reply-To: References: <491b01c8d1a5$1fa51260$0300a8c0@CharlieCompaq> Message-ID: <48946BF7.9020700@mail.wvnet.edu> Julian Field wrote: > > > Richard Lynch wrote: >> Julian Field wrote: >>> >>> >>> Rob Poe wrote: >>>>>>> The concern is that I am eventually looking to have over 10,000 >>>>>>> users, so will be receiving, and then sending, multiple emails per >>>>>>> second. >>>>>>> Even now, with only 1,500 users, people have started reporting "Too >>>>>>> >>>>>> many concurrent SMTP connections; Please try again later" >>>>>> >>>>> Thank you James - this will be very helpful I suspect. 
>>>>> We also are using Exim as the MTA, so any specific config advice >>>>> for Exim would also be greatly appreciated :) >>>>> BTW we are using one server (Pentium 4, 2.4GHz, 1GB RAM), >>>>> currently have 1500 active paid users, >>>>> and am expecting up to 10,000-15,000 active paid users in the >>>>> future (say, 1 or 2 years from now). >>>>> >>>> >>>> I'd expect that only ONE P4 2.4 1g isn't enough ... If it were my >>>> configuration and I had that many users, I'd probably go more into >>>> the Core2/Xeon/some other kind of multi-core or multi processor >>>> setup, and go with at least 4 gigs of ram, making sure you also >>>> focus on using FAST drives (10k SAS raid0+1) >>>> >>> Get an evaluation licence for BarricadeMX from Fort Systems >>> (www.fsl.com). This is a *very* good anti-spam system that costs >>> less than any of the other decent commercial alternatives. Even an >>> old server should be able to handle near 1 million SMTP connections >>> per day without any difficulty. Put MailScanner and SpamAssassin >>> behind it to clean up what it misses and you have a *superb* system >>> for very little money. >>> >>> They do 30 day eval licences for free so you can try it out. It's >>> very quick to deploy and test, and they will happily help you with >>> that, as will I. >>> >>> Give it a go, you won't be disappointed. >>> >>> Jules >>> >> I can give a strong "seconded" to this suggestion. Take a look in >> the archives at my post on 7/23/2007 for a testament of our >> experiences. That was version 1.0, they are up to version 2.1 now. >> It's a fine product with excellent support. >> >> My 2c, > And one more comment from my users. After I deployed BarricadeMX in > addition to my MailScanner setup, my users just reported that "all of > a sudden, what little spam there was just stopped, completely". 
I now > reject about 96% of incoming mail, and I have some very idle MXs as > BarricadeMX handles about 94% of the incoming mail without ever > letting it in the front door. > > If you want more references from some of my users, just ask and I'll > pick random people for comments. They like it! > > Jules > I can't resist one "final" comment. Before I deployed BMX I was running on 5 overloaded MS/SA boxes. The mail queues were regularly behind by several 1,000 messages and I was looking at buying yet another box to spread the load out. We opted to go with BMX instead. The system load and backlog immediately went away. I'm now considering dropping back to 3 production boxes, a 4th for a test system, and actually dropping maintenance on the 5th. We're now rejecting +95% of all inbound mail as spam. 92-93% of that is stopped by BMX, the remainder is flagged by SA. I could easily double the amount of inbound messages and still be OK. BMX drops in on a MS-SA box extremely easily. Another great thing about using BMX as a front end is that bounces/notification occurs on the sending side since the message is never accepted in the first place. Quietly deleting detected spam with a SA only solution puts the burden on you to diagnose why a message was rejected. I also found that I could turn bayes in SA off completely. It was no longer detecting enough to justify using it. SA with bayes turned on is a huge load on the system. And best of all, I got my life back. The amount of effort I spent dealing with overloaded boxes, FPs, etc was astounding. I could hardly take time off etc because of having to deal with issues. I'm actually posting this from a weeks vacation. There hasn't been a single issue all week long. Everything just works! The reason I keep going on and on about this is because it's such a great, low cost solution for filtering. I'm not associated with the company in any way other than as a customer. 
I think it's a near perfect solution for those with a significant
volume of e-mail and overloaded servers.

A little more than 2c,
Richard Lynch
WVNET
--

From jra at baylink.com Sat Aug 2 17:51:10 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Sat Aug 2 17:51:20 2008
Subject: Google gmail
In-Reply-To: <000f01c8f29d$80548870$80fd9950$@org>
References: <48870A64.2080403@farrows.org>
  <20080723121430.10301b77@scorpio>
  <4887715B.6010506@farrows.org>
  <20080730172449.GR24021@cgi.jachomes.com>
  <4890F47E.5080904@farrows.org>
  <000f01c8f29d$80548870$80fd9950$@org>
Message-ID: <20080802165110.GB5475@cgi.jachomes.com>

On Wed, Jul 30, 2008 at 07:39:22PM -0400, Chris Sweeney wrote:
> Ok let's not let this thread go again :) Let's face it, it is 2008 and most
> of us now use email programs that use HTML or read from webmail which can
> handle it just fine.

That's a bit of an impolite attitude from a guy who doesn't have to pay
for the pipes that handle the traffic: HTML mail is 5 to 20 times as
large as text; *how many* subscribers are on this list?

That I use mutt and lynx, which don't deal with HTML email well is
pretty much entirely beside the point; I'll assume from this reply that
you didn't actually bother to read the page I pointed to.

Cheers,
-- jra
--
Jay R. Ashworth          Baylink                     jra@baylink.com
Designer                 The Things I Think          RFC 2100
Ashworth & Associates    http://baylink.pitas.com    '87 e24
St Petersburg FL USA     http://photo.imageinc.us    +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From jra at baylink.com Sat Aug 2 17:52:41 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Sat Aug 2 17:52:50 2008
Subject: per domain sigs
In-Reply-To:
References: <70572c510807290845p3326847fq90ac4c92e8000707@mail.gmail.com>
  <70572c510807300400i708bc448h4558c35f50de1d47@mail.gmail.com>
  <223f97700807301350t3af0d4een725a0de6ef4286b5@mail.gmail.com>
Message-ID: <20080802165241.GC5475@cgi.jachomes.com>

On Wed, Jul 30, 2008 at 03:36:28PM -0700, Scott Silva wrote:
> "Give a man a fish, and he eats once. Teach a man to fish and he can feed
> himself" (paraphrased, because it just doesn't sound exactly right).

Start a man a fire and he'll be warm all night.

Set a man on fire, and he'll stay warm for the rest of his life.

Cheers,
-- jra
--
Jay R. Ashworth          Baylink                     jra@baylink.com
Designer                 The Things I Think          RFC 2100
Ashworth & Associates    http://baylink.pitas.com    '87 e24
St Petersburg FL USA     http://photo.imageinc.us    +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From raubvogel at gmail.com Sat Aug 2 19:12:46 2008
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Sat Aug 2 19:12:37 2008
Subject: Basic Postfix/MS question: avoid scanning mail for invalid recipients
In-Reply-To:
References:
Message-ID: <4894A39E.6080007@gmail.com>

Dave Jenkins wrote:
> Hi,
>
> We have Postfix/MS/SA running on our main & backup mail servers. The
> main server is both incoming MX and outgoing, auth required. We'd like
> every mail to a valid recipient to be scanned, but don't want to waste
> CPU scanning mail to invalid recipients.
>
> Main MX: am I right in thinking Postfix will remove mail to invalid
> recipients before it gets to MS & so that setting MS to scan
> everything will achieve what we want?
>

By default it will reject emails directed to non existent local or
virtual users. I found that to take place quite quickly and using very
low cpu time.
You can also play with smtpd_recipient_restrictions (in
main.cf) to reject improperly formatted emails, which should eliminate a
lot of spam before mailscanner is even called into action.

> Backup MX: I've written a script to turn /etc/postfix/virtusertable
> from the main MX into a valid rules file to be rsync'd to the backup
> MX's rules directory, is that a sensible approach? Does MS need to be
> restarted when the rules files are updated?
>

From what I gathered, postfix first gets the mails, does whatever
checking you tell it to do, and then makes the emails that passed those
tests available to mailscanner, which then does its magic. So,
virtualusertable (using virtual domains?) is internal to postfix.

> Thanks and sorry for the basic nature of the question,
>

No worries. If you think yours was basic, you have not seen *my*
questions. ;)

> Dave
>
> CentOS 5.2
> postfix-2.3.3-2
> mailscanner-4.69.8-1
> spamassassin-3.1.9-1.el5

From hvdkooij at vanderkooij.org Sun Aug 3 12:01:25 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 3 12:01:36 2008
Subject: Anjelina Jolie XXX Video Free.
In-Reply-To: <223f97700807301357n5a3a57b1of9e17096b840f87f@mail.gmail.com>
References: <20080723124607.8435.qmail@9nnkxb5hd7rowpe>
  <20080730172004.GQ24021@cgi.jachomes.com>
  <223f97700807301357n5a3a57b1of9e17096b840f87f@mail.gmail.com>
Message-ID: <48959005.3050900@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
| 2008/7/30 Jay R. Ashworth :
|> On Wed, Jul 23, 2008 at 02:09:50PM +0800, Edward Dekkers wrote:
|>> Funny. Person responsible for this really truly is my hero.
|>>
|>>
|>> I smell a troll.
|> This spam leaked through this week on mythtv-users@mythtv.org as well.
|>
|> Cheers,
|> -- jra
| I'm not sure "leaked" is the correct term here, since ... to my
| knowledge... the ML isn't checked for spam. This is due to the fact
| that any number of posts could (and do) contain snippets, or whole
| messages) of spam...
As examples...
| And the discussion itself could trigger a few rules:-).
| I've always been surprised at the very low amount of spam getting
| "reflected" through the list...:-)

I guess the fact that only subscribers can post means most of the real
spam is shot down as non-list traffic.

In my view any mailinglist not using a "subscribers only" policy will be
shot to pieces. Something I have seen happen a few times in the past few
years.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIlZADBvzDRVjxmYERAm4vAJwJZlSQUgNaZzRUAZpphN2cAcWCRwCfSeH5
Gm9Jod0hOmnGJZfJOU693Z4=
=OwcT
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Aug 3 12:23:59 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 3 12:24:08 2008
Subject: TLD domain changes
In-Reply-To: <9F8EB36F1FB74F2B8A954AF89BD456F0@SAHOMELT>
References: <4B16C177313C70448BFF4C80789335B30861FD2812@ES1.impromed.com>
  <9F8EB36F1FB74F2B8A954AF89BD456F0@SAHOMELT>
Message-ID: <4895954F.8020106@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Cooper wrote:
|
|
| > -----Original Message-----
| > From: mailscanner-bounces@lists.mailscanner.info
| > [mailto:mailscanner-bounces@lists.mailscanner.info] On
| > Behalf Of Scott B. Anderson
| > Sent: Thursday, July 31, 2008 9:41 AM
| > To: MailScanner discussion
| > Subject: OT: TLD domain changes
| >
| > I can't block any email based solely upon its source TLD,
| > even if it is China and I have no Chinese clients because
| > some users may receive legit email from business contacts
| > there, and this goes for a lot of countries, so I think MTA
| > based domain filtering is out of the question.
I've had a
| > list in SA to limit the damage this causes but I was
| > wondering about the infinite TLD change coming in a year or
| > so and how to handle it. Do I get a list of the current
| > ones and block everything from the new ones? I'm sure this
| > won't work in the long run, but listing all the bad guys is
| > impossible as well, so I'm thinking about doing something
| > like adding (Spam Score - .5) to all emails from the new
| > TLDs. Would this be easiest for MailScanner, SA, the MTA or
| > some other software (like a milter) to accomplish?
| >
| >
|
| I rsync the countries list from http://www.blackholes.us/ . I have a couple
| scripts that pull all the Korea and China ASN cidrs and build iptables rules
| to block them all together. I also have an exim->perl function that used
| IP::Country to pull the ASN for several other countries that we do not do
| business with and block them. I would imagine you could use either with
| whatever mail server you are using. In three years or so that I have been
| doing this we have only had one issue and that was because the owner was
| selling an aircraft to a Japanese fellow who was using a Taiwanese yahoo
| account.

I second the concept of blocking based on AS numbers or specific subnets if the owner of the netblock is not fighting off spam/malware.

I also found out a way to educate network operators to increase their awareness of spam/malware originating from their network.

1. Document the complaint and send it to the owner of the netblock.
2. If that fails to stop notorious senders go for the owner of the AS (unless that happens to be the same team).
3. If step 2 fails then contact all peers for said AS and show them why they should review their peering deals with that AS and send a copy of that complaint to the owner of the AS.

In at least 2 cases this resulted in shutting down infected machines that were firing off spam/malware like machine guns for months.

Hugo.
- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIlZVNBvzDRVjxmYERAou3AKC4B1o+uAnQzwIdIiPiL8uTiL5IiACfeVwD
AOpqZimK8MNKywFPdBaCj10=
=40MW
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Aug 3 12:40:07 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 3 12:40:18 2008
Subject: Spam Lists (DNS blocklists) and trusted networks
In-Reply-To: <1217673183.1899.86.camel@darkstar.netcore.co.in>
References: <1217673183.1899.86.camel@darkstar.netcore.co.in>
Message-ID: <48959917.4010501@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ram wrote:
| If mail is being relayed to my MailScanner server from a MX server
| how do I check RBL's within MailScanner
|
| Can I specify MailScanner to look inside the headers for checking RBL's
| 1 Hop before the current relay server
|
| I know It is best to check RBL's at the MTA, but I want to use
| whitelists overriding RBL checks. That is why I moved the RBL checks to
| MailScanner from the MTA

This reminds me a bit of a nice feature in the Barracuda units.

They have a configuration option called "Trusted forwarders". It is intended to be filled with backup servers that are not under the control of the admin of the Barracuda.

In effect messages being forwarded via the backup server(s) are being inspected a bit differently. More in the sense of "Suppose the message had been sent directly to the Barracuda instead of the backup server. Would it have been accepted?"

So if a message is received from a backup server the Received: headers are inspected. If that message would have been blocked on the MTA level on the Barracuda.
Then the IP address from the sender will still result in a block on the Barracuda.

I have not read the code on how it is done but I think quite a few people could use a similar option in their $MTA/MailScanner setup.

I think I would prefer to handle this on the $MTA level but I am not sure that is at all possible. If someone can think of a way to add this to MailScanner as an option we could increase the amount of spam we can kill.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIlZkVBvzDRVjxmYERAks8AJ0UmgTawO0Q9QBZBYIuOqu+NTkFDgCdFzpa
GQB3iGfSbK8DWnnoxq2tvVo=
=WFV1
-----END PGP SIGNATURE-----

From ms-list at alexb.ch Sun Aug 3 12:51:21 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Aug 3 12:51:34 2008
Subject: Spam Lists (DNS blocklists) and trusted networks
In-Reply-To: <48959917.4010501@vanderkooij.org>
References: <1217673183.1899.86.camel@darkstar.netcore.co.in> <48959917.4010501@vanderkooij.org>
Message-ID: <48959BB9.9070809@alexb.ch>

On 8/3/2008 1:40 PM, Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ram wrote:
> | If mail is being relayed to my MailScanner server from a MX server
> | how do I check RBL's within MailScanner
> |
> | Can I specify MailScanner to look inside the headers for checking RBL's
> | 1 Hop before the current relay server
> |
> | I know It is best to check RBL's at the MTA, but I want to use
> | whitelists overriding RBL checks. That is why I moved the RBL checks to
> | MailScanner from the MTA
>
> This reminds me a bit of a nice feature in the Barracuda units.
>
> They have a configuration option called "Trusted forwarders".
You mean SA's internal_networks / trusted_networks? .-)

Very well documented in the SA docs.

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.txt

"NETWORK TEST OPTIONS"

Alex

From hvdkooij at vanderkooij.org Sun Aug 3 13:52:07 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 3 13:52:18 2008
Subject: Spam Lists (DNS blocklists) and trusted networks
In-Reply-To: <48959BB9.9070809@alexb.ch>
References: <1217673183.1899.86.camel@darkstar.netcore.co.in> <48959917.4010501@vanderkooij.org> <48959BB9.9070809@alexb.ch>
Message-ID: <4895A9F7.3070902@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Broens wrote:
| On 8/3/2008 1:40 PM, Hugo van der Kooij wrote:
|> -----BEGIN PGP SIGNED MESSAGE-----
|> Hash: SHA1
|>
|> ram wrote:
|> | If mail is being relayed to my MailScanner server from a MX server
|> | how do I check RBL's within MailScanner
|> |
|> | Can I specify MailScanner to look inside the headers for checking RBL's
|> | 1 Hop before the current relay server
|> |
|> | I know It is best to check RBL's at the MTA, but I want to use
|> | whitelists overriding RBL checks. That is why I moved the RBL checks to
|> | MailScanner from the MTA
|>
|> This reminds me a bit of a nice feature in the Barracuda units.
|>
|> They have a configuration option called "Trusted forwarders".
|
| You mean SA's internal_networks / trusted_networks? .-)
|
|
| Very well documented in the SA docs.
|
| http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.txt
|
| "NETWORK TEST OPTIONS"

Well. It goes beyond what I read on http://wiki.apache.org/spamassassin/TrustPath and http://wiki.apache.org/spamassassin/TrustedRelays

It means that if my Barracuda blocks on a RBL hit. It will also block any message sent through a trusted server if the IP address sending the message to a trusted host is on that RBL.

I guess the framework is there in SA to distinguish the various MTA's.
But then one needs to write up rules to check any untrusted address in the IP headers against any RBL that you care to use in your MTA and block any message based on that match.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIlanrBvzDRVjxmYERAiqwAJ9MnoC5sUahlKvr5JuwP7iRUr/GPACfTMXe
BA/xxl4E+bV2c4/pGD698h0=
=yVw5
-----END PGP SIGNATURE-----

From gerard at seibercom.net Sun Aug 3 15:06:29 2008
From: gerard at seibercom.net (Gerard)
Date: Sun Aug 3 15:06:46 2008
Subject: Spam Lists (DNS blocklists) and trusted networks
In-Reply-To: <1217673183.1899.86.camel@darkstar.netcore.co.in>
References: <1217673183.1899.86.camel@darkstar.netcore.co.in>
Message-ID: <20080803100629.7dc130e5@scorpio>

On Sat, 02 Aug 2008 16:03:03 +0530 ram wrote:

>I know It is best to check RBL's at the MTA, but I want to use
>whitelists overriding RBL checks. That is why I moved the RBL checks to
>MailScanner from the MTA

What MTA are you employing? You could set up a configuration like that using Postfix. Using your method, you would have to accept the mail with no legitimate way to reject (bounce) it which would waste system resources. If you are using Postfix, post on their forum for detailed information.

http://www.postfix.org/lists.html

--
Gerard
gerard@seibercom.net

You are absolute plate-glass. I see to the very back of your mind.

Sherlock Holmes

From glenn.steen at gmail.com Sun Aug 3 20:24:02 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Aug 3 20:24:12 2008
Subject: Anjelina Jolie XXX Video Free.
In-Reply-To: <48959005.3050900@vanderkooij.org>
References: <20080723124607.8435.qmail@9nnkxb5hd7rowpe> <20080730172004.GQ24021@cgi.jachomes.com> <223f97700807301357n5a3a57b1of9e17096b840f87f@mail.gmail.com> <48959005.3050900@vanderkooij.org>
Message-ID: <223f97700808031224j4b38ee6ft9aa401fc6123011a@mail.gmail.com>

2008/8/3 Hugo van der Kooij :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
> | 2008/7/30 Jay R. Ashworth :
> |> On Wed, Jul 23, 2008 at 02:09:50PM +0800, Edward Dekkers wrote:
> |>> Funny. Person responsible for this really truly is my hero.
> |>>
> |>>
> |>> I smell a troll.
> |> This spam leaked through this week on mythtv-users@mythtv.org as well.
> |>
> |> Cheers,
> |> -- jra
> | I'm not sure "leaked" is the correct term here, since ... to my
> | knowledge... the ML isn't checked for spam. This is due to the fact
> | that any number of posts could (and do) contain snippets, or whole
> | messages) of spam... As examples...
> | And the discussion itself could trigger a few rules:-).
> | I've always been surprised at the very low amount of spam getting
> | "reflected" through the list...:-)
>
> I guess the fact that only subscribers can post means most of the real
> spam is shot down as non-list traffic.
>
> In my view any mailinglist not using a "subscribers only" policy will be
> shot to pieces. Something I have seen happen a few times in the past few
> years.
>
> Hugo.
>

True.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From kc5goi at gmail.com Sun Aug 3 20:41:26 2008
From: kc5goi at gmail.com (Guy Story KC5GOI)
Date: Sun Aug 3 20:41:42 2008
Subject: Anjelina Jolie XXX Video Free.
In-Reply-To: <223f97700808031224j4b38ee6ft9aa401fc6123011a@mail.gmail.com>
References: <20080723124607.8435.qmail@9nnkxb5hd7rowpe> <20080730172004.GQ24021@cgi.jachomes.com> <223f97700807301357n5a3a57b1of9e17096b840f87f@mail.gmail.com> <48959005.3050900@vanderkooij.org> <223f97700808031224j4b38ee6ft9aa401fc6123011a@mail.gmail.com>
Message-ID: <1217792486.9423.4.camel@systemadmin-laptop>

On Sun, 2008-08-03 at 21:24 +0200, Glenn Steen wrote:
> > I guess the fact that only subscribers can post means most of the real
> > spam is shot down as non-list traffic.
> >
> > In my view any mailinglist not using a "subscribers only" policy will be
> > shot to pieces. Something I have seen happen a few times in the past few
> > years.
> >
> > Hugo.
> >
> True.
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

I am very close to moving the email lists I run at work from a plain newaliases file to mailman just to stop such things. I believe strongly in subscribers only methodology.

Guy

From glenn.steen at gmail.com Sun Aug 3 20:44:50 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Aug 3 20:45:00 2008
Subject: MTA split message
In-Reply-To: <48937998.8050900@gdcon.net>
References: <4893774B.2070403@observi.com.br> <48937998.8050900@gdcon.net>
Message-ID: <223f97700808031244m41a44ff8ka389c2dbd0110c81@mail.gmail.com>

2008/8/1 Andrew MacLachlan :
> William A. Knob wrote:
>>
>> Julian,
>>
>> I've read the documentation on the wiki. But, that's the only way ?
>> Running 2 instances of MTA ?
>>
>>
>> Regards,
>>
>>
> Not sure about other MTAs but for postfix just run:
>
> postconf -e "default_destination_recipient_limit = 1"
>
> and it's configured...
>
> -Andy
>

Unless something has changed very recently, that will not do it. The split will be done too late, after MailScanner, so will be no use for MailScanner at all. You need the "two instance thing" for it to work properly...
I've not revisited this in a while, but last I looked... this is the easiest way to do it. Then again... I would say that, having written the wiki article:-):-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ram at netcore.co.in Mon Aug 4 06:55:00 2008
From: ram at netcore.co.in (ram)
Date: Mon Aug 4 06:55:56 2008
Subject: Anjelina Jolie XXX Video Free.
In-Reply-To: <48959005.3050900@vanderkooij.org>
References: <20080723124607.8435.qmail@9nnkxb5hd7rowpe> <20080730172004.GQ24021@cgi.jachomes.com> <223f97700807301357n5a3a57b1of9e17096b840f87f@mail.gmail.com> <48959005.3050900@vanderkooij.org>
Message-ID: <1217829300.3096.12.camel@darkstar.netcore.co.in>

On Sun, 2008-08-03 at 13:01 +0200, Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
> | 2008/7/30 Jay R. Ashworth :
> |> On Wed, Jul 23, 2008 at 02:09:50PM +0800, Edward Dekkers wrote:
> |>> Funny. Person responsible for this really truly is my hero.
> |>>
> |>>
> |>> I smell a troll.
> |> This spam leaked through this week on mythtv-users@mythtv.org as well.
> |>
> |> Cheers,
> |> -- jra
> | I'm not sure "leaked" is the correct term here, since ... to my
> | knowledge... the ML isn't checked for spam. This is due to the fact
> | that any number of posts could (and do) contain snippets, or whole
> | messages) of spam... As examples...
> | And the discussion itself could trigger a few rules:-).
> | I've always been surprised at the very low amount of spam getting
> | "reflected" through the list...:-)
>
> I guess the fact that only subscribers can post means most of the real
> spam is shot down as non-list traffic.
>
> In my view any mailinglist not using a "subscribers only" policy will be
> shot to pieces. Something I have seen happen a few times in the past few
> years.

Sorry but how does a subscriber only policy still work.
Can't a spammer trivially forge any random registered users id and send spam. I have been always wondering how list owners keep spam out when there is such a big danger

From MailScanner at ecs.soton.ac.uk Mon Aug 4 09:19:11 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 4 09:19:34 2008
Subject: Anjelina Jolie XXX Video Free.
In-Reply-To:
References: <20080723124607.8435.qmail@9nnkxb5hd7rowpe> <20080730172004.GQ24021@cgi.jachomes.com> <223f97700807301357n5a3a57b1of9e17096b840f87f@mail.gmail.com> <48959005.3050900@vanderkooij.org>
Message-ID: <4896BB7F.9060604@ecs.soton.ac.uk>

ram wrote:
> On Sun, 2008-08-03 at 13:01 +0200, Hugo van der Kooij wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Glenn Steen wrote:
>> | 2008/7/30 Jay R. Ashworth :
>> |> On Wed, Jul 23, 2008 at 02:09:50PM +0800, Edward Dekkers wrote:
>> |>> Funny. Person responsible for this really truly is my hero.
>> |>>
>> |>>
>> |>> I smell a troll.
>> |> This spam leaked through this week on mythtv-users@mythtv.org as well.
>> |>
>> |> Cheers,
>> |> -- jra
>> | I'm not sure "leaked" is the correct term here, since ... to my
>> | knowledge... the ML isn't checked for spam. This is due to the fact
>> | that any number of posts could (and do) contain snippets, or whole
>> | messages) of spam... As examples...
>> | And the discussion itself could trigger a few rules:-).
>> | I've always been surprised at the very low amount of spam getting
>> | "reflected" through the list...:-)
>>
>> I guess the fact that only subscribers can post means most of the real
>> spam is shot down as non-list traffic.
>>
>> In my view any mailinglist not using a "subscribers only" policy will be
>> shot to pieces. Something I have seen happen a few times in the past few
>> years.
>>
>
> Sorry but how does a subscriber only policy still work.
>
> Can't a spammer trivially forge any random registered users id and send
> spam.
I have been always wondering how list owners keep spam out when
> there is such a big danger
>

Yes, they can. But it appears they don't (on the whole). Remember that, like most thieves, most spammers aren't actually very bright :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gmatt at nerc.ac.uk Mon Aug 4 13:48:09 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Mon Aug 4 13:48:26 2008
Subject: clamav rpms
In-Reply-To:
References: <4891BD28.8090905@nerc.ac.uk>
Message-ID: <4896FA89.9060106@nerc.ac.uk>

Scott Silva wrote:
> I think Dags webpage doesn't track the repo very well since he joined
> rpmforge. The rpmforge repo is current;

that was the issue... thanks Scott.

G

>
> clamav-0.93.3-1.rf.x86_64
> clamd-0.93.3-1.rf.x86_64
> clamav-db-0.93.3-1.rf.x86_64
>
>

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

From MailScanner at ecs.soton.ac.uk Mon Aug 4 14:48:07 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 4 14:48:31 2008
Subject: dying children?
In-Reply-To:
References: <488EF29A.6C9D.008D.0@usm.maine.edu> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> <4892D2E1.1010109@ecs.soton.ac.uk> <4893116A.6040902@ecs.soton.ac.uk> <489316BA.9090304@ecs.soton.ac.uk>
Message-ID: <48970897.7080308@ecs.soton.ac.uk>

The new beta including complete protection against bugs and crashes in HTML::Parser is just uploading now... You're looking for 4.71.5-1 or greater.

Note there is a new languages.conf setting, so you will need to run
    upgrade_languages_conf
after upgrading to this new release. If you don't then the report will always come out in English, which you may not want. :-(

Please let me know how you get on with this. It appears to work for me with the message with all the nested tags that kills HTML::Parser.

I would be particularly interested in your views on the performance impact this fix has, and therefore whether I need to add a feature to enable/disable it or anything else like that.

Cheers,
Jules.

Drew Marshall wrote:
> On 1 Aug 2008, at 14:59, Julian Field wrote:
>> I've actually got a couple of things to go to this weekend, so may
>> well not have much time for coding.
>>
>> It may be the start of next week....
>
> That would be really, really great!
>
> Thanks!
>
> Drew
>
> --
> In line with our policy, this message has been scanned for viruses and
> dangerous
> content by Technology Tiger's Mail Launder system
> Our email policy can be found at www.technologytiger.net/policy
>
> Technology Tiger Limited is registered in Scotland with registration
> number: 310997
> Registered Office 55-57 West High Street Inverurie AB51 3QQ
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Mon Aug 4 14:48:44 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 4 14:49:04 2008
Subject: New beta released
Message-ID: <489708BC.2020207@ecs.soton.ac.uk>

The new beta including complete protection against bugs and crashes in HTML::Parser is just uploading now... You're looking for 4.71.5-1 or greater.

Note there is a new languages.conf setting, so you will need to run
    upgrade_languages_conf
after upgrading to this new release. If you don't then the report will always come out in English, which you may not want. :-(

Please let me know how you get on with this. It appears to work for me with the message with all the nested tags that kills HTML::Parser.

I would be particularly interested in your views on the performance impact this fix has, and therefore whether I need to add a feature to enable/disable it or anything else like that.

Cheers,
Jules.

--
Julian Field MEng CITP CEng
www.MailScanner.info
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From drew.marshall at technologytiger.net Mon Aug 4 15:09:18 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Mon Aug 4 15:09:49 2008
Subject: dying children?
In-Reply-To: <48970897.7080308@ecs.soton.ac.uk>
References: <488EF29A.6C9D.008D.0@usm.maine.edu> <488EF7D5.6C9D.008D.0@usm.maine.edu><488EF7D5.6C9D.008D.0@usm.maine.edu> <488F3472.1090904@fsl.com> <488F0490.6C9D.008D.0@usm.maine.edu><488F0490.6C9D.008D.0@usm.maine.edu> <488F3F37.8020607@fsl.com> <488F1BA0.6C9D.008D.0@usm.maine.edu><488F1BA0.6C9D.008D.0@usm.maine.edu> <488F867C.1000102@fsl.com> <489181DA.8060808@ecs.soton.ac.uk> <4892D2E1.1010109@ecs.soton.ac.uk> <4893116A.6040902@ecs.soton.ac.uk> <489316BA.9090304@ecs.soton.ac.uk> <48970897.7080308@ecs.soton.ac.uk>
Message-ID: <1264282F-E380-40E8-81EE-F796BC83C9CB@technologytiger.net>

On 4 Aug 2008, at 14:48, Julian Field wrote:

> The new beta including complete protection against bugs and crashes
> in HTML::Parser is just uploading now... You're looking for 4.71.5-1
> or greater.
>
> Note there is a new languages.conf setting, so you will need to run
> upgrade_languages_conf
> after upgrading to this new release. If you don't then the report
> will always come out in English, which you may not want. :-(
>
> Please let me know how you get on with this. It appears to work for
> me with the message with all the nested tags that kills
> HTML::Parser.
>
> I would be particularly interested in your views on the performance
> impact this fix has, and therefore whether I need to add a feature
> to enable/disable it or anything else like that.

Thanks Jules

Give me a few hours and I'll install this. Just have a few bits to do first...
Drew

From ssilva at sgvwater.com Mon Aug 4 17:42:14 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Aug 4 17:42:39 2008
Subject: per domain sigs
In-Reply-To: <20080802165241.GC5475@cgi.jachomes.com>
References: <70572c510807290845p3326847fq90ac4c92e8000707@mail.gmail.com> <70572c510807300400i708bc448h4558c35f50de1d47@mail.gmail.com> <223f97700807301350t3af0d4een725a0de6ef4286b5@mail.gmail.com> <20080802165241.GC5475@cgi.jachomes.com>
Message-ID:

on 8-2-2008 9:52 AM Jay R. Ashworth spake the following:
> On Wed, Jul 30, 2008 at 03:36:28PM -0700, Scott Silva wrote:
>> "Give a man a fish, and he eats once. Teach a man to fish and he can feed
>> himself" (paraphrased, because it just doesn't sound exactly right).
>
> Start a man a fire and he'll be warm all night.
>
> Set a man on fire, and he'll stay warm for the rest of his life.
>
> Cheers,
> -- jra

But when he burns out, you will have to toss another one on.

"If a man says something, and a woman doesn't hear him, is he still wrong?"

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From martinh at solidstatelogic.com Tue Aug 5 08:49:02 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Aug 5 08:49:17 2008
Subject: dying children?
In-Reply-To: <1264282F-E380-40E8-81EE-F796BC83C9CB@technologytiger.net>
Message-ID:

Been running all night here fine...no obvious slower processing..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Drew Marshall
> Sent: 04 August 2008 15:09
> To: MailScanner discussion
> Subject: Re: dying children?
>
> On 4 Aug 2008, at 14:48, Julian Field wrote:
>
> > The new beta including complete protection against bugs and
> crashes in
> > HTML::Parser is just uploading now... You're looking for
> 4.71.5-1 or
> > greater.
> >
> > Note there is a new languages.conf setting, so you will need to run
> > upgrade_languages_conf
> > after upgrading to this new release. If you don't then the
> report will
> > always come out in English, which you may not want. :-(
> >
> > Please let me know how you get on with this. It appears to
> work for me
> > with the message with all the nested tags that kills
> > HTML::Parser.
> >
> > I would be particularly interested in your views on the performance
> > impact this fix has, and therefore whether I need to add a
> feature to
> > enable/disable it or anything else like that.
>
> Thanks Jules
>
> Give me a few hours and I'll install this. Just have a few
> bits to do first...
>
> Drew
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From drew.marshall at technologytiger.net Tue Aug 5 10:29:58 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Tue Aug 5 10:30:19 2008
Subject: dying children?
In-Reply-To:
References:
Message-ID:

On 5 Aug 2008, at 08:49, Martin.Hepworth wrote:

> Been running all night here fine...no obvious slower processing..
>

Agreed. Seems fine. The main load of the day is about now so I'll report back if there are any issues.

>> On 4 Aug 2008, at 14:48, Julian Field wrote:
>>
>>> The new beta including complete protection against bugs and
>> crashes in
>>> HTML::Parser is just uploading now... You're looking for
>> 4.71.5-1 or
>>> greater.

Will this protection also allow me to capture rogue messages that cause SA to time out for whatever reason? I would love to be able to diagnose what causes a timeout and fix the issue.

Drew

From martinh at solidstatelogic.com Tue Aug 5 10:44:28 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Aug 5 10:44:42 2008
Subject: dying children?
In-Reply-To:
Message-ID:

Drew

Most of the timeouts are usually down to DNS issues or bayes. I'd check your bayes is OK and..

1) you've got a local caching name-server on the machine in question, this can make a huge difference even if you've got sub-millisecond latency to the actual DNS host.
2) you're only running a select few RBL's and URI-RBL's within SA (give all others a zero score in spam.assassin.prefs.conf).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Drew Marshall
> Sent: 05 August 2008 10:30
> To: MailScanner discussion
> Subject: Re: dying children?
>
> On 5 Aug 2008, at 08:49, Martin.Hepworth wrote:
>
> > Been running all night here fine...no obvious slower processing..
> >
>
> Agreed. Seems fine. The main load of the day is about now so
> I'll report back if there are any issues.
>
> >> On 4 Aug 2008, at 14:48, Julian Field wrote:
> >>
> >>> The new beta including complete protection against bugs and
> >> crashes in
> >>> HTML::Parser is just uploading now... You're looking for
> >> 4.71.5-1 or
> >>> greater.
>
> Will this protection also allow me to capture rogue messages
> that cause SA to time out for whatever reason? I would love
> to be able to diagnose what causes a timeout and fix the issue.
>
> Drew
>

From MailScanner at ecs.soton.ac.uk Tue Aug 5 11:10:37 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 5 11:10:58 2008
Subject: dying children?
In-Reply-To:
References:
Message-ID: <4898271D.4010108@ecs.soton.ac.uk>

Drew Marshall wrote:
> On 5 Aug 2008, at 08:49, Martin.Hepworth wrote:
>
>> Been running all night here fine...no obvious slower processing..
>>
>
> Agreed. Seems fine. The main load of the day is about now so I'll
> report back if there are any issues.
>
>>> On 4 Aug 2008, at 14:48, Julian Field wrote:
>>>
>>>> The new beta including complete protection against bugs and
>>> crashes in
>>>> HTML::Parser is just uploading now... You're looking for
>>> 4.71.5-1 or
>>>> greater.
>
> Will this protection also allow me to capture rogue messages that
> cause SA to time out for whatever reason? I would love to be able to
> diagnose what causes a timeout and fix the issue.
I haven't changed the SA code, but SA has always been wrapped in a timeout anyway. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew.marshall at technologytiger.net Tue Aug 5 11:38:23 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Tue Aug 5 11:40:29 2008 Subject: dying children? In-Reply-To: References: Message-ID: <9E0CD5CC-F2A9-402D-ADDF-C29761E30F54@technologytiger.net> On 5 Aug 2008, at 10:44, Martin.Hepworth wrote: > Drew > > Most of the timeouts are usually down to DNS issues or bayes. I'd > check your bayes is OK and.. > > 1) you've got a local caching name-server on the machine in > question, this can make a huge difference even if you've got > sub-millisecond latency to the actual DNS host. > 2) you're only running a select few RBL's and URI-RBL's within SA > (give all others a zero score in spam.assassin.prefs.conf). Bayes should be ok, it's on SQL with a copy held locally. DNS recursor is on the box and in use. The only thing I have still got in place is all the standard RBLs & URI-RBLs. However they don't seem to be the issue. When I manage to capture a suspect message and run it back through manually SA chokes at 'Running body tests' (or at least that's the last line it prints before it times out) so I am keen to grab a selection of messages to see what, if anything, they have in common.
Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From rgreen at trayerproducts.com Wed Aug 6 14:52:19 2008 From: rgreen at trayerproducts.com (Rodney Green) Date: Wed Aug 6 14:51:57 2008 Subject: quiet here Message-ID: <4899AC93.10501@trayerproducts.com> Haven't seen any messages in a while. The list archive reflects the same. From Carl.Andrews at crackerbarrel.com Wed Aug 6 14:57:48 2008 From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Wed Aug 6 14:58:03 2008 Subject: SANS Spamming Article You might be interested in. Message-ID: When spammers use your own e-mails Published: 2008-08-06, Last Updated: 2008-08-06 12:49:47 UTC by Bojan Zdrnja (Version: 1) 0 comment(s) Some time ago, one of our readers, Mike S, sent an e-mail with an interesting observation about how spammers used e-mails from one of his customers (this has been actually sitting in my own inbox for way too long). The e-mails contained all "standard" elements such as spoofed headers etc, but there was a very interesting thing with the body content. As with most e-mail spammers send, these e-mails were HTML as well. However, the interesting part was that the spammers took his clients' e-mails and modified the HTML a bit to include their own message. The spammers added the link they wanted to spam at the top and then opened a <TITLE> HTML tag. After the TITLE tag came the full original e-mail, but the tag was never actually closed. This resulted in Outlook displaying only the spammed link, but not showing the original e-mail content.
The raw e-mail looked like this: --AlternativeBoundary.22222222.22222222 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit <html><center><FONT SIZE="5" COLOR="#10566D">Spammers message</font><br><br><A HREF="http://spammers link">http://spammers link</A> <title><body leftmargin=5 topmargin=5 marginwidth=0 marginheight=0> <table width=100% cellpadding=0 cellspacing=0 bgcolor=white align=center border=0> <tr><td style='{font-family: Verdana, sans-serif; color=#7a929f;font-weight:700;font-size: 11px;text-transform : capitalize;}'> .... ORIGINAL MAIL CONTENT ... </td></tr> </table><p> </p> </body> Of course, by using the original e-mail content (which was legitimate when the client sent it), the spammers are trying to evade Bayesian filters, and at least in Mike's example they even managed to get SpamAssassin decrease the final score of the e-mail. In any case, it's an arms race between spammers and content filter developers. Thanks Mike again for sending this interesting information (and sorry it took so long to analyze it). -- Bojan Source: http://isc.sans.org/diary.html?storyid=4834 <http://isc.sans.org/diary.html?storyid=4834> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080806/79f2a0db/attachment.html From ecasarero at gmail.com Wed Aug 6 15:14:50 2008 From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Aug 6 15:15:00 2008 Subject: quiet here In-Reply-To: <4899AC93.10501@trayerproducts.com> References: <4899AC93.10501@trayerproducts.com> Message-ID: <7d9b3cf20808060714m43e1c5c3p7a01551eed4ce43e@mail.gmail.com> 2008/8/6 Rodney Green <rgreen@trayerproducts.com> > Haven't seen any messages in a while. The list archive reflects the same. may be spammers take a holiday break? 
here in Argentina we are in winter holidays :P > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080806/4dc8a422/attachment.html From twiztar at gmail.com Wed Aug 6 15:16:57 2008 From: twiztar at gmail.com (Erik Weber) Date: Wed Aug 6 15:17:11 2008 Subject: quiet here In-Reply-To: <4899AC93.10501@trayerproducts.com> References: <4899AC93.10501@trayerproducts.com> Message-ID: <4899B259.9010204@gmail.com> Rodney Green wrote: > Haven't seen any messages in a while. The list archive reflects the same. It just works(tm) -- Erik From rgreen at trayerproducts.com Wed Aug 6 15:58:46 2008 From: rgreen at trayerproducts.com (Rodney Green) Date: Wed Aug 6 15:59:15 2008 Subject: quiet here In-Reply-To: <4899B259.9010204@gmail.com> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> Message-ID: <4899BC26.6030702@trayerproducts.com> Erik Weber wrote: > Rodney Green wrote: >> Haven't seen any messages in a while. The list archive reflects the same. > > It just works(tm) > Good to see the list is still alive. :-) From declan.grady at nuvotem.com Wed Aug 6 16:15:02 2008 From: declan.grady at nuvotem.com (Declan Grady) Date: Wed Aug 6 16:18:41 2008 Subject: quiet here In-Reply-To: <4899BC26.6030702@trayerproducts.com> Message-ID: <1DF321991CD3084EAD65737D82C6D07E32335D@sbs1.nuvotem.local> Erik Weber wrote: > Rodney Green wrote: >> Haven't seen any messages in a while. The list archive reflects the same. > > It just works(tm) > >Good to see the list is still alive. 
:-) Guess it is holiday time From MailScanner at ecs.soton.ac.uk Wed Aug 6 16:19:19 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 6 16:19:42 2008 Subject: quiet here In-Reply-To: <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> Message-ID: <4899C0F7.6070603@ecs.soton.ac.uk> Rodney Green wrote: > > > Erik Weber wrote: >> Rodney Green wrote: >>> Haven't seen any messages in a while. The list archive reflects the >>> same. >> >> It just works(tm) >> > > Good to see the list is still alive. :-) While things are quiet, are there any outstanding bugs or feature requests that I should be working on? I'm aiming at a stable release at the start of September if there's nothing else huge between now and then. The HTML::Parser protection seems to be working okay, and hasn't had a huge speed impact (it never ceases to amaze me quite how fast fork() is!). Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
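The fork()-based protection mentioned above, sketched in Python as an added example (not MailScanner's own code, which is Perl): the HTML analysis runs in a forked child under a deadline, so a parser crash or a stalled scan costs one short-lived process and the parent learns which message caused it. `fragile_analyse` and `hang` are constructed stand-ins for a segfaulting parser and a scan that never returns; all names here are assumptions.

```python
"""Crash-contained HTML analysis: do the risky parse in a forked child."""
import json
import os
import select
import signal
import time
from html.parser import HTMLParser

VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}


class DepthCounter(HTMLParser):
    """Records the deepest element nesting seen in a document."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.max_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.depth:
            self.depth -= 1


def analyse(html):
    parser = DepthCounter()
    parser.feed(html)
    parser.close()
    return {"max_depth": parser.max_depth}


def fragile_analyse(html):
    """Constructed stand-in: a parser that segfaults on deep nesting."""
    result = analyse(html)
    if result["max_depth"] > 1000:
        os.kill(os.getpid(), signal.SIGSEGV)
    return result


def hang(html):
    """Constructed stand-in: a scan that never finishes."""
    time.sleep(3600)


def run_isolated(func, html, timeout=5.0):
    """Run func(html) in a forked child; return (status, detail)."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                          # child: risky work, then hard exit
        os.close(rfd)
        code = 0
        try:
            os.write(wfd, json.dumps(func(html)).encode())
        except BaseException:
            code = 1
        os._exit(code)                    # never return into the parent's code
    os.close(wfd)                         # parent keeps only the read end
    deadline = time.monotonic() + timeout
    chunks, timed_out = [], False
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0 or not select.select([rfd], [], [], remaining)[0]:
            timed_out = True
            break
        data = os.read(rfd, 65536)
        if not data:                      # EOF: child exited or was killed
            break
        chunks.append(data)
    os.close(rfd)
    if timed_out:
        os.kill(pid, signal.SIGKILL)      # stop the stalled child
    _, status = os.waitpid(pid, 0)        # always reap, so no zombies pile up
    if timed_out:
        return ("timeout", None)
    if os.WIFSIGNALED(status):
        return ("crashed", signal.Signals(os.WTERMSIG(status)).name)
    if os.WEXITSTATUS(status) != 0:
        return ("error", None)
    return ("ok", json.loads(b"".join(chunks)))


# Constructed sample inputs: one ordinary body, one pathologically nested.
SAMPLES = {
    "normal": (analyse, "<html><body><table><tr><td>hi</td></tr></table></body></html>"),
    "deep": (fragile_analyse, "<div>" * 2000),
    "stuck": (hang, ""),
}


def demo():
    return {name: run_isolated(func, html, timeout=1.0)
            for name, (func, html) in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

A caller that gets "crashed" or "timeout" back still holds the message, so it can set it aside for later diagnosis instead of losing it with the worker.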
From hvdkooij at vanderkooij.org Wed Aug 6 17:16:58 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Aug 6 17:17:07 2008 Subject: quiet here In-Reply-To: <7d9b3cf20808060714m43e1c5c3p7a01551eed4ce43e@mail.gmail.com> References: <4899AC93.10501@trayerproducts.com> <7d9b3cf20808060714m43e1c5c3p7a01551eed4ce43e@mail.gmail.com> Message-ID: <4899CE7A.6090201@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eduardo Casarero wrote: | | | 2008/8/6 Rodney Green <rgreen@trayerproducts.com | <mailto:rgreen@trayerproducts.com>> | | Haven't seen any messages in a while. The list archive reflects the | same. | | | may be spammers take a holiday break? here in Argentina we are in winter | holidays :P I'm inclinded to think that the amount of malware in email is in fact rapidly expanding over the last 24 to 36 hours. Perhaps everyone tries to fill the gap left by the arrest of a botnet owner here in the Netherlands. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFImc55BvzDRVjxmYERAr8wAJoCGdxAS7vMKaIjaAjO0ZihImzhVgCgoPX3 f566aQxSCmgu6pUfbnK0Eqk= =M43s -----END PGP SIGNATURE----- From andrew at gdcon.net Wed Aug 6 23:00:01 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Wed Aug 6 23:00:21 2008 Subject: quiet here In-Reply-To: <4899CE7A.6090201@vanderkooij.org> References: <4899AC93.10501@trayerproducts.com> <7d9b3cf20808060714m43e1c5c3p7a01551eed4ce43e@mail.gmail.com> <4899CE7A.6090201@vanderkooij.org> Message-ID: <489A1EE1.8050003@gdcon.net> Hugo van der Kooij wrote: > I'm inclinded to think that the amount of malware in email is in fact > rapidly expanding over the last 24 to 36 hours. 
> > Perhaps everyone tries to fill the gap left by the arrest of a botnet > owner here in the Netherlands. > My logs are full of ssh brute-force attempts... -- This message was scanned by ESVA and is believed to be clean. From ges at wingfoot.org Thu Aug 7 02:46:25 2008 From: ges at wingfoot.org (Glenn Sieb) Date: Thu Aug 7 02:46:37 2008 Subject: Greetings... a current amavisd-new user, looking into MailScanner... Message-ID: <489A53F1.5040904@wingfoot.org> Greetings :) I run a FreeBSD 7.0 server, with postfix 2.5.1. I have been using amavisd-new for a number of years, with a SQL backend. Things have gotten kerflucked, and I'm getting tired of amavisd-new breaking every time they do an update. So, what I'd like to know is: 1) Does mailscanner support virtual domains? 2) Is there a way for users (virtual and non) to control quarantine settings and personal white/blacklists? 3) Any hints, or other advice from seasoned vets here? :) Thanks in advance! :) Best, --Glenn -- ...destination is merely a byproduct of the journey --Eric Hansen From hvdkooij at vanderkooij.org Thu Aug 7 06:12:43 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Aug 7 06:12:56 2008 Subject: Greetings... a current amavisd-new user, looking into MailScanner... In-Reply-To: <489A53F1.5040904@wingfoot.org> References: <489A53F1.5040904@wingfoot.org> Message-ID: <489A844B.8060302@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Sieb wrote: | 1) Does mailscanner support virtual domains? The use of virtual domains has no impact on MailScanner. It just might make you use more rule files instead of simple lines in the main config. | 2) Is there a way for users (virtual and non) to control quarantine | settings and personal white/blacklists? Not as such. But you might want to check out MailWatch as additional software. | 3) Any hints, or other advice from seasoned vets here? :) The usual. Read the manual and other docs. Build a test server first. 
Search the archives. Brush your hair and comb your teeth. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFImoRJBvzDRVjxmYERAhZRAKCq7EgKI6pOwYFL3FSQbFj3wOUa9ACgudSS oycqWqrNxD2kKi1gnSgwDks= =FZEh -----END PGP SIGNATURE----- From garyalex at gmail.com Thu Aug 7 08:02:01 2008 From: garyalex at gmail.com (Gary Alexander) Date: Thu Aug 7 08:02:11 2008 Subject: quiet here In-Reply-To: <4899C0F7.6070603@ecs.soton.ac.uk> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> Message-ID: <5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> > While things are quiet, are there any outstanding bugs or feature requests > that I should be working on? > > I'm aiming at a stable release at the start of September if there's nothing > else huge between now and then. The HTML::Parser protection seems to be > working okay, and hasn't had a huge speed impact (it never ceases to amaze > me quite how fast fork() is!). > > Jules Hi There Speaking of feature requests ... I've noticed some users using 7zip format for sending mails ... and executables inside getting through ... any plans for adding support for this? The following linux app currently supports 7zip: http://p7zip.sourceforge.net/ Thanks Gary -- Courage is resistance to fear, mastery of fear - not absence of fear. - Mark Twain From andrew at gdcon.net Thu Aug 7 09:15:07 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Thu Aug 7 09:15:46 2008 Subject: Greetings... a current amavisd-new user, looking into MailScanner... 
In-Reply-To: <489A844B.8060302@vanderkooij.org> References: <489A53F1.5040904@wingfoot.org> <489A844B.8060302@vanderkooij.org> Message-ID: <489AAF0B.7060408@gdcon.net> Hugo van der Kooij wrote: > > | 3) Any hints, or other advice from seasoned vets here? :) > > The usual. Read the manual and other docs. Build a test server first. > Search the archives. Brush your hair and comb your teeth. > And be nice to your Mum -- This message was scanned by ESVA and is believed to be clean. From spamlists at coders.co.uk Thu Aug 7 09:45:09 2008 From: spamlists at coders.co.uk (Matt Hampton) Date: Thu Aug 7 09:46:36 2008 Subject: Greetings... a current amavisd-new user, looking into MailScanner... In-Reply-To: <489AAF0B.7060408@gdcon.net> References: <489A53F1.5040904@wingfoot.org> <489A844B.8060302@vanderkooij.org> <489AAF0B.7060408@gdcon.net> Message-ID: <489AB615.9030500@coders.co.uk> Andrew MacLachlan wrote: > Hugo van der Kooij wrote: >> >> | 3) Any hints, or other advice from seasoned vets here? :) >> >> The usual. Read the manual and other docs. Build a test server first. >> Search the archives. Brush your hair and comb your teeth. >> > And be nice to your Mum > <joke>MailScanner causes swapping!</joke> From telecaadmin at gmail.com Thu Aug 7 10:49:28 2008 From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Thu Aug 7 10:49:44 2008 Subject: Greetings... a current amavisd-new user, looking into MailScanner... In-Reply-To: <489AB615.9030500@coders.co.uk> References: <489A53F1.5040904@wingfoot.org> <489A844B.8060302@vanderkooij.org> <489AAF0B.7060408@gdcon.net> <489AB615.9030500@coders.co.uk> Message-ID: <489AC528.2020108@gmail.com> On a more serious note, MailScanner was the first "system" I felt was ready for use in a production environment. I looked into a lot of stuff and all seemed very pointless and very unclean. MS is perfect for me when being used with postfix.
Print out the manual so you have all config options ready - you have it up in almost no time as long as your SMTP server config is stable underneath. Last advice: be careful with all perl updates! Cheers, Ronny From MailScanner at ecs.soton.ac.uk Thu Aug 7 14:14:42 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 7 14:15:01 2008 Subject: quiet here In-Reply-To: <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> Message-ID: <489AF542.3090608@ecs.soton.ac.uk> Gary Alexander wrote: >> While things are quiet, are there any outstanding bugs or feature requests >> that I should be working on? >> >> I'm aiming at a stable release at the start of September if there's nothing >> else huge between now and then. The HTML::Parser protection seems to be >> working okay, and hasn't had a huge speed impact (it never ceases to amaze >> me quite how fast fork() is!). >> >> Jules >> > > Hi There > > Speaking of feature requests ... I've noticed some users using 7zip > format for sending mails ... and executables inside getting through > ... any plans for adding support for this? > > The following linux app currently supports 7zip: http://p7zip.sourceforge.net/ > Adding that is quite a lot of work, so I would need a lot of votes that people want this feature. But I'm not saying "no" :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From paulo-m-roncon at ptinovacao.pt Thu Aug 7 15:06:30 2008 From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Thu Aug 7 15:06:42 2008 Subject: mailscanner in ISP In-Reply-To: <200808071101.m77B0QSC001902@safir.blacknight.ie> References: <200808071101.m77B0QSC001902@safir.blacknight.ie> Message-ID: <FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> Hello all, I work in an ISP and we want to install mailscanner to stop OUTBOUND spam as it's becoming a bottleneck... I don't have any network metrics, as the guy in charge is out. I'm thinking 1000000 plus messages/day. Questions: -Does anyone have ideas of the kind of HW solution needed? -OUTBOUND filtering: It's gonna be *->*. Do you see any problems? -Which is the fastest configuration possible? -What pieces of SW should I install (AV, Pyzor, etc, etc)? I'm aiming for speed and to block about 85% of spam. I'm not aiming at near 100% spam free... Thanks! Paulo Roncon CSO2 - Suporte operacional interno PT Inovação - Grupo Portugal Telecom Rua Eng. José
Ferreira Pinto Basto 3810-106 Aveiro, Portugal Tel +351 234 403 341 Tlm +351 961 781 029 http://www.ptinovacao.pt -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailscanner-request@lists.mailscanner.info Sent: quinta-feira, 7 de Agosto de 2008 12:02 To: mailscanner@lists.mailscanner.info Subject: MailScanner Digest, Vol 32, Issue 6
------------------------------ Message: 14 Date: Thu, 07 Aug 2008 09:45:09 +0100 From: Matt Hampton <spamlists@coders.co.uk> Subject: Re: Greetings... a current amavisd-new user, looking into MailScanner... To: MailScanner discussion <mailscanner@lists.mailscanner.info> Message-ID: <489AB615.9030500@coders.co.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Andrew MacLachlan wrote: > Hugo van der Kooij wrote: >> >> | 3) Any hints, or other advice from seasoned vets here? :) >> >> The usual. Read the manual and other docs. Build a test server first. >> Search the archives. Brush your hair and comb your teeth. >> > And be nice to your Mum > <joke>MailScanner causes swapping!</joke> ------------------------------ Message: 15 Date: Thu, 07 Aug 2008 11:49:28 +0200 From: "Ronny T. Lampert" <telecaadmin@gmail.com> Subject: Re: Greetings... a current amavisd-new user, looking into MailScanner... To: MailScanner discussion <mailscanner@lists.mailscanner.info> Message-ID: <489AC528.2020108@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On a more serious note, MailScanner was the first "system" I felt was ready using in a production environment. I looked into a lot of stuff and all seemed very pointless und very unclean. MS is perfect for me when being used with postfix. Print out the manual so you have all config options ready - you have it up in almost no time as long as your SMTP server config is stable underneath. Last advice: be careful with all perl updates! Cheers, Ronny ------------------------------ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read the Wiki (http://wiki.mailscanner.info/). Support MailScanner development - buy the book off the website! 
End of MailScanner Digest, Vol 32, Issue 6 ****************************************** From rich at mail.wvnet.edu Thu Aug 7 15:23:26 2008 From: rich at mail.wvnet.edu (Richard Lynch) Date: Thu Aug 7 15:23:38 2008 Subject: quiet here In-Reply-To: <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk> Message-ID: <489B055E.2020400@mail.wvnet.edu> Julian Field wrote: > > > Gary Alexander wrote: >>> While things are quiet, are there any outstanding bugs or feature >>> requests >>> that I should be working on? >>> >>> I'm aiming at a stable release at the start of September if there's >>> nothing >>> else huge between now and then. The HTML::Parser protection seems to be >>> working okay, and hasn't had a huge speed impact (it never ceases to >>> amaze >>> me quite how fast fork() is!). >>> >>> Jules >>> >> >> Hi There >> >> Speaking of feature requests ... I've noticed some users using 7zip >> format for sending mails ... and executables inside getting through >> ... any plans for adding support for this? >> >> The following linux app currently supports 7zip: >> http://p7zip.sourceforge.net/ >> > Adding that is quite a lot of work, so I would need a lot of votes > that people want this feature. But I'm not saying "no" :-) > > Jules > Up until now I had never even heard of 7zip. I just tested F-Prot and ClamAV against an archive with a virus in it. Neither detected the virus inside. So, isn't it just a matter of time before viruses start spreading in this format? If so I think you're going to be compelled to support the scanning of this format. 
2c, ~rich -- From MailScanner at ecs.soton.ac.uk Thu Aug 7 15:33:05 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 7 15:33:24 2008 Subject: mailscanner in ISP In-Reply-To: <EMEW-k76FBHc5cb968dfbde57724284d6f92e690894-FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <EMEW-k76FBHc5cb968dfbde57724284d6f92e690894-FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> Message-ID: <489B07A1.3050502@ecs.soton.ac.uk> Paulo Roncon wrote: > Hello all, > > I work in a ISP and we want to install mailscanner to stop OUTBOUND spam as its becoming a bottleneck... > I dont have any network metrics, as the guy in charge in out. I'm thinking 1000000 plus messages/day. > > Questions: > -Anyone has ideias of the kind of HW solution nedeed? > -OUTBOUND filtering: Its gonna be *->*. Do you see any problems? > -Which is the fastest configuration possible? > -What pieces of SW should I install (AV, Pyzor, etc,etc)?. I'm aiming to speed and to block about 85% of spam. I'm not aiming at near 100% spam free... > I would start with some blacklists at your MTA, such as spamhaus-ZEN. You would be better off putting this into your MTA so you don't accept connections from botnet hosts in the first place. ClamAV with the sanesecurity.co.uk additional signatures will be fast too. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Thu Aug 7 15:34:03 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 7 15:34:30 2008 Subject: quiet here In-Reply-To: <EMEW-k76FYda86cea5eee60f46c6f585c44b3d99f97-489B055E.2020400@mail.wvnet.edu> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk> <EMEW-k76FYda86cea5eee60f46c6f585c44b3d99f97-489B055E.2020400@mail.wvnet.edu> Message-ID: <489B07DB.6040207@ecs.soton.ac.uk> Richard Lynch wrote: > Julian Field wrote: >> >> >> Gary Alexander wrote: >>>> While things are quiet, are there any outstanding bugs or feature >>>> requests >>>> that I should be working on? >>>> >>>> I'm aiming at a stable release at the start of September if there's >>>> nothing >>>> else huge between now and then. The HTML::Parser protection seems >>>> to be >>>> working okay, and hasn't had a huge speed impact (it never ceases >>>> to amaze >>>> me quite how fast fork() is!). >>>> >>>> Jules >>>> >>> >>> Hi There >>> >>> Speaking of feature requests ... I've noticed some users using 7zip >>> format for sending mails ... and executables inside getting through >>> ... any plans for adding support for this? >>> >>> The following linux app currently supports 7zip: >>> http://p7zip.sourceforge.net/ >>> >> Adding that is quite a lot of work, so I would need a lot of votes >> that people want this feature. But I'm not saying "no" :-) >> >> Jules >> > Up until now I had never even heard of 7zip. I just tested F-Prot and > ClamAV against an archive with a virus in it. Neither detected the > virus inside. So, isn't it just a matter of time before viruses start > spreading in this format? 
If so I think you're going to be compelled > to support the scanning of this format. But if no-one has the software for reading this format already, they aren't any harm. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rich at mail.wvnet.edu Thu Aug 7 16:00:59 2008 From: rich at mail.wvnet.edu (Richard Lynch) Date: Thu Aug 7 16:01:17 2008 Subject: quiet here In-Reply-To: <EMEW-k76AfCd970b5fc5360b6ad15e687788908035b-489B07DB.6040207@ecs.soton.ac.uk> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk> <EMEW-k76FYda86cea5eee60f46c6f585c44b3d99f97-489B055E.2020400@mail.wvnet.edu> <EMEW-k76AfCd970b5fc5360b6ad15e687788908035b-489B07DB.6040207@ecs.soton.ac.uk> Message-ID: <489B0E2B.5020503@mail.wvnet.edu> Julian Field wrote: > > > Richard Lynch wrote: >> Julian Field wrote: >>> >>> >>> Gary Alexander wrote: >>>>> While things are quiet, are there any outstanding bugs or feature >>>>> requests >>>>> that I should be working on? >>>>> >>>>> I'm aiming at a stable release at the start of September if >>>>> there's nothing >>>>> else huge between now and then. The HTML::Parser protection seems >>>>> to be >>>>> working okay, and hasn't had a huge speed impact (it never ceases >>>>> to amaze >>>>> me quite how fast fork() is!). 
>>>>> >>>>> Jules >>>>> >>>> >>>> Hi There >>>> >>>> Speaking of feature requests ... I've noticed some users using 7zip >>>> format for sending mails ... and executables inside getting through >>>> ... any plans for adding support for this? >>>> >>>> The following linux app currently supports 7zip: >>>> http://p7zip.sourceforge.net/ >>>> >>> Adding that is quite a lot of work, so I would need a lot of votes >>> that people want this feature. But I'm not saying "no" :-) >>> >>> Jules >>> >> Up until now I had never even heard of 7zip. I just tested F-Prot >> and ClamAV against an archive with a virus in it. Neither detected >> the virus inside. So, isn't it just a matter of time before viruses >> start spreading in this format? If so I think you're going to be >> compelled to support the scanning of this format. > But if no-one has the software for reading this format already, they > aren't any harm. > > Jules > Agreed but how long before people start using this format in large numbers. I don't know. It's not a problem yet so there's no hurray but sometime down the road... who knows. I certainly wouldn't put a high priority on it. ~rich -- From dominik.schramm at businessmart.de Thu Aug 7 16:28:27 2008 From: dominik.schramm at businessmart.de (Schramm, Dominik) Date: Thu Aug 7 16:28:41 2008 Subject: Bug fix for Exim queue handling: where to send it? Message-ID: <11C7B302EF6C334C9A7DDD638E09B661298DBA@103mx.businessmart.de> Hi, there is a bug in the MailScanner Exim queue file code: Starting with Exim version 4.64, ACL variables can have (almost) arbitrary alphanumeric names -- e.g. acl_m_blahblah, in which case the queue file will contain these lines: -aclm _blahblah 5 hello If such variables are in use in a message, it will not be handled by MailScanner. See here: http://docs.exim.org/current/spec_html/ch40.html#SECTaclvariables I have a patch proposal. Where can I send it? Does this mailing list support attachments? 
Regards, Dominik From dnsadmin at 1bigthink.com Thu Aug 7 16:53:13 2008 From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Thu Aug 7 16:53:38 2008 Subject: quiet here In-Reply-To: <489B0E2B.5020503@mail.wvnet.edu> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk> <EMEW-k76FYda86cea5eee60f46c6f585c44b3d99f97-489B055E.2020400@mail.wvnet.edu> <EMEW-k76AfCd970b5fc5360b6ad15e687788908035b-489B07DB.6040207@ecs.soton.ac.uk> <489B0E2B.5020503@mail.wvnet.edu> Message-ID: <200808071553.m77FrMOU007518@mxt.1bigthink.com> At 11:00 AM 8/7/2008, you wrote: >Julian Field wrote: >> >> >>Richard Lynch wrote: >>>Julian Field wrote: >>>> >>>> >>>>Gary Alexander wrote: >>>>>>While things are quiet, are there any outstanding bugs or >>>>>>feature requests >>>>>>that I should be working on? >>>>>> >>>>>>I'm aiming at a stable release at the start of September if >>>>>>there's nothing >>>>>>else huge between now and then. The HTML::Parser protection seems to be >>>>>>working okay, and hasn't had a huge speed impact (it never >>>>>>ceases to amaze >>>>>>me quite how fast fork() is!). >>>>>> >>>>>>Jules >>>>>> >>>>> >>>>>Hi There >>>>> >>>>>Speaking of feature requests ... I've noticed some users using 7zip >>>>>format for sending mails ... and executables inside getting through >>>>>... any plans for adding support for this? >>>>> >>>>>The following linux app currently supports 7zip: >>>>>http://p7zip.sourceforge.net/ >>>>> >>>>Adding that is quite a lot of work, so I would need a lot of >>>>votes that people want this feature. But I'm not saying "no" :-) >>>> >>>>Jules >>>Up until now I had never even heard of 7zip. 
I just tested F-Prot >>>and ClamAV against an archive with a virus in it. Neither >>>detected the virus inside. So, isn't it just a matter of time >>>before viruses start spreading in this format? If so I think >>>you're going to be compelled to support the scanning of this format. >>But if no-one has the software for reading this format already, >>they aren't any harm. >> >>Jules >Agreed but how long before people start using this format in large >numbers. I don't know. It's not a problem yet so there's no hurray >but sometime down the road... who knows. I certainly wouldn't put a >high priority on it. > >~rich Agreed, as well. No priority, but it should be planned for inclusion down the road. I suspect the popularity has increased and will increase as a result of WinZip including an expiration in its shareware. More sophisticated Windows users know the night and day difference in performance of Winzip versus the built-in Windows support for .zip files and will not use the built-in support. I have seen a lot of torrent traffic using 7zip lately, as well as some SourceForge Windows applications. Cheers, Glenn -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jjamieson at futurefoundations.com Thu Aug 7 17:00:20 2008 From: jjamieson at futurefoundations.com (Joseph Jamieson) Date: Thu Aug 7 17:00:44 2008 Subject: Postfix Integration - Run another filter first Message-ID: <EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> Greetings, I'm pretty new to MailScanner, but I do have a working system and it works. I am having trouble tracking down a few bits of information, though - and this is mostly a Postfix question but I figured someone here might know. MailScanner uses the Postfix header-checks "HOLD" feature to scan the messages. 
Postfix drops the message into the hold folder, and every few moments MailScanner will check the folder, scan all the messages, and then drop it into a folder for postfix to grab and continue sending the message on its way. At what time in the process does Postfix do this? It appears that postfix will do this before pretty much anything else. So, if I have a filter set up in the master.cf (for instance, dspam) MailScanner always gets a hold of the message first. What if I wanted to use dspam to tag a message probability, and add some scores to SpamAssassin (which is run by MailScanner?) That way, MailScanner remains the only system that's doing any tagging, quarantining, etc. DSPAM is just an example. I can think of several other nice little things I'd like to be able to do, too. So, I guess the question is: Is there any way to run a filter via Postfix *before* MailScanner gets its turn? Or do I have it all wrong here? Thanks in advance. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080807/e646d277/attachment.html From sbanderson at impromed.com Thu Aug 7 17:38:17 2008 From: sbanderson at impromed.com (Scott B. 
Anderson) Date: Thu Aug 7 17:39:35 2008 Subject: quiet here In-Reply-To: <489B0E2B.5020503@mail.wvnet.edu> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk> <EMEW-k76FYda86cea5eee60f46c6f585c44b3d99f97-489B055E.2020400@mail.wvnet.edu> <EMEW-k76AfCd970b5fc5360b6ad15e687788908035b-489B07DB.6040207@ecs.soton.ac.uk> <489B0E2B.5020503@mail.wvnet.edu> Message-ID: <4B16C177313C70448BFF4C80789335B308620A6C9C@ES1.impromed.com> > Julian Field wrote: > > > > > > Richard Lynch wrote: > >> Julian Field wrote: > >>> Gary Alexander wrote: > >>>>> While things are quiet, are there any outstanding bugs or feature > >>>>> requests > >>>>> that I should be working on? > >>>>> > >>>>> I'm aiming at a stable release at the start of September if > >>>>> there's nothing > >>>>> else huge between now and then. The HTML::Parser protection seems > >>>>> to be > >>>>> working okay, and hasn't had a huge speed impact (it never ceases > >>>>> to amaze > >>>>> me quite how fast fork() is!). > >>>>> > >>>>> Jules > >>>>> > >>>> > >>>> Hi There > >>>> > >>>> Speaking of feature requests ... I've noticed some users using > 7zip > >>>> format for sending mails ... and executables inside getting > through > >>>> ... any plans for adding support for this? > >>>> > >>>> The following linux app currently supports 7zip: > >>>> http://p7zip.sourceforge.net/ > >>>> > >>> Adding that is quite a lot of work, so I would need a lot of votes > >>> that people want this feature. But I'm not saying "no" :-) > >>> > >>> Jules > >>> > >> Up until now I had never even heard of 7zip. I just tested F-Prot > >> and ClamAV against an archive with a virus in it. 
Neither detected > >> the virus inside. So, isn't it just a matter of time before viruses > >> start spreading in this format? If so I think you're going to be > >> compelled to support the scanning of this format. > > But if no-one has the software for reading this format already, they > > aren't any harm. > > > > Jules > > > Agreed but how long before people start using this format in large > numbers. I don't know. It's not a problem yet so there's no hurray > but > sometime down the road... who knows. I certainly wouldn't put a high > priority on it. > > ~rich > Since 7zip is free, works in windows and has native 64 and 32 bit binaries available for windows, I've been installing it as a default app on nearly every computer I'd normally have to purchase a license for Winzip for two years. Scott From mailscanner at lists.com.ar Thu Aug 7 18:39:23 2008 From: mailscanner at lists.com.ar (Leonardo Helman) Date: Thu Aug 7 18:39:58 2008 Subject: mailscanner in ISP In-Reply-To: <489B07A1.3050502@ecs.soton.ac.uk> References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <EMEW-k76FBHc5cb968dfbde57724284d6f92e690894-FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> <489B07A1.3050502@ecs.soton.ac.uk> Message-ID: <1218130763.32156.19.camel@morticia.pert.com.ar> The blacklists are (usually) not very effective for the outbound spam (IMHO). They are your own clients, they are paying for that, that is, if you don't have an open relay, and they can't send mails directly outside your outbound mta. or something like that, the output IP will be the output of your own MTA, and all your clients will have a typical dynamic ip address (that will eventually change between them), so if you blacklist by an external dynamic ip blacklist, you will be blacklisting (eventually) the wrong customers. 
Here the problem, I think, is a legal problem, what are
the conditions that the client paid for, and with that
what you can do to stop them (some isp are unwilling to
ratelimit or things like that).

My first choice would be to set a rate for the outgoing
mail, so the clients shouldn't spam enough.

That's not always feasible, think big customers without
IP/MTA, they will send all their "internal communications"
by your MTA.

So I think my order would be ratelimit, spamtraps, and a good trained
(rules and/or bayes) spamassassin, lots of scripts to automatically add
internal ip's to own blacklists

On Thu, 2008-08-07 at 15:33 +0100, Julian Field wrote:
>
> Paulo Roncon wrote:
> > Hello all,
> >
> > I work in an ISP and we want to install mailscanner to stop OUTBOUND spam as it's becoming a bottleneck...
> > I don't have any network metrics, as the guy in charge is out. I'm thinking 1000000 plus messages/day.
> >
> > Questions:
> > -Anyone has ideas of the kind of HW solution needed?
> > -OUTBOUND filtering: It's gonna be *->*. Do you see any problems?
> > -Which is the fastest configuration possible?
> > -What pieces of SW should I install (AV, Pyzor, etc,etc)?. I'm aiming to speed and to block about 85% of spam. I'm not aiming at near 100% spam free...
> >
> I would start with some blacklists at your MTA, such as spamhaus-ZEN.
> You would be better off putting this into your MTA so you don't accept
> connections from botnet hosts in the first place.
> ClamAV with the sanesecurity.co.uk additional signatures will be fast too.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From ssilva at sgvwater.com Thu Aug 7 19:37:44 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 7 19:38:08 2008 Subject: quiet here In-Reply-To: <489B055E.2020400@mail.wvnet.edu> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk> <489B055E.2020400@mail.wvnet.edu> Message-ID: <g7ffdq$ehn$1@ger.gmane.org> >> > Up until now I had never even heard of 7zip. I just tested F-Prot and > ClamAV against an archive with a virus in it. Neither detected the > virus inside. So, isn't it just a matter of time before viruses start > spreading in this format? If so I think you're going to be compelled > to support the scanning of this format. > > 2c, > ~rich > What you would have to be careful about was an self-extracting 7zip executable. At least for those who HAVE to allow executables in mail. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080807/487d3646/signature.bin From gerard at seibercom.net Thu Aug 7 20:24:32 2008 From: gerard at seibercom.net (Gerard) Date: Thu Aug 7 20:24:49 2008 Subject: mailscanner in ISP In-Reply-To: <1218130763.32156.19.camel@morticia.pert.com.ar> References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <EMEW-k76FBHc5cb968dfbde57724284d6f92e690894-FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> <489B07A1.3050502@ecs.soton.ac.uk> <1218130763.32156.19.camel@morticia.pert.com.ar> Message-ID: <20080807152432.7acaaf1d@scorpio> On Thu, 07 Aug 2008 14:39:23 -0300 Leonardo Helman <mailscanner@lists.com.ar> wrote: >On Thu, 2008-08-07 at 15:33 +0100, Julian Field wrote: >> >> Paulo Roncon wrote: >> > Hello all, >> > >> > I work in a ISP and we want to install mailscanner to stop >> > OUTBOUND spam as its becoming a bottleneck... I dont have any >> > network metrics, as the guy in charge in out. I'm thinking 1000000 >> > plus messages/day. >> > >> > Questions: >> > -Anyone has ideias of the kind of HW solution nedeed? >> > -OUTBOUND filtering: Its gonna be *->*. Do you see any problems? >> > -Which is the fastest configuration possible? >> > -What pieces of SW should I install (AV, Pyzor, etc,etc)?. I'm >> > aiming to speed and to block about 85% of spam. I'm not aiming at >> > near 100% spam free... >> I would start with some blacklists at your MTA, such as >> spamhaus-ZEN. You would be better off putting this into your MTA so >> you don't accept connections from botnet hosts in the first place. >> ClamAV with the sanesecurity.co.uk additional signatures will be >> fast too. > >The blacklists are (usually) not very effective >for the outbound spam (IMHO). 
> >They are your own clients, they are paying for that, >that is, if you don't have an open relay, and they can't >send mails directly outside your outbound mta. >or something like that, the output IP will be the output >of your own MTA, and all your clients will have a typical >dynamic ip address (that will eventually change between them), >so if you blacklist by an external dynamic ip blacklist, you will >be blacklisting (eventually) the wrong customers. > >Here the problem, I thing, is a legal problem, what are >the conditions that the client paid for, and with that >what you can do to stop them (some isp are unwilling to >ratelimit or things like that). > >My first choice would be to set a rate for the outgoing >mail, so the clients shouldn't spam enough. > >That's not always feasible, think big customers without >IP/MTA, they will send all their "internal communications" >by your MTA. > >So I think my order would be ratelimit, spamtraps, and a good trained >(rules and/or bayes) spamassassin, lots of scripts to automatically add >internal ip's to own blacklists I would be very careful regarding the limiting your subscribers email transmissions. If you have a know SPAMMer, simply terminate his contract. However, if you should by accident trap a legitimate message by a legitimate subscriber, you might very well be liable. Comcast, an ISP in case you have not heard of them, has had numerous legal problems with just what your propose. They just lost another case the limiting of bandwidth to individual customers. They were scanning and refusing to transmit messages that they arbitrarily considered SPAM. I was involved in one such case against them. They have since did an about face on the issue. Even blocking incoming mail can be a legal liability. You might want to consult a legal authority before embarking on you venture. -- Gerard gerard@seibercom.net I'm prepared for all emergencies but totally unprepared for everyday life. 
From MailScanner at ecs.soton.ac.uk Thu Aug 7 21:11:32 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 7 21:11:58 2008
Subject: Bug fix for Exim queue handling: where to send it?
In-Reply-To: <EMEW-k76GbI85faef615b12ea44524e0bda99a3ce2c-11C7B302EF6C334C9A7DDD638E09B661298DBA@103mx.businessmart.de>
References: <EMEW-k76GbI85faef615b12ea44524e0bda99a3ce2c-11C7B302EF6C334C9A7DDD638E09B661298DBA@103mx.businessmart.de>
Message-ID: <489B56F4.9080003@ecs.soton.ac.uk>

Please send it to me at mailscanner@ecs.soton.ac.uk, together with an
explanation of exactly what your patch fixes and how. I tend to
reimplement patches myself, unless they are very short and obviously
correct (and in my coding style :-)

Many thanks!
Jules.

Schramm, Dominik wrote:
> Hi,
>
> there is a bug in the MailScanner Exim queue file code:
> Starting with Exim version 4.64, ACL variables can have (almost)
> arbitrary alphanumeric names -- e.g. acl_m_blahblah, in which
> case the queue file will contain these lines:
>
> -aclm _blahblah 5
> hello
>
> If such variables are in use in a message, it will not be handled
> by MailScanner.
>
> See here:
> http://docs.exim.org/current/spec_html/ch40.html#SECTaclvariables
>
> I have a patch proposal. Where can I send it? Does this mailing
> list support attachments?
>
> Regards,
> Dominik
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
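The queue-file layout quoted in the message above, as an added example (not MailScanner's code and not a patch from this thread): a Python parser for the `-aclc`/`-aclm` entries in the option section of an Exim spool header file, run against a constructed sample. It assumes that the number after the name is the byte length of the value, that the value is followed by one newline, and that older files carry a digit as the rest of the name; `NUMERIC_ONLY` is a hypothetical stand-in for a parser written before named variables existed.

```python
"""Parse ACL variable entries in the option section of an Exim spool header file."""
import re

# Rest-of-name is a digit ("0" -> acl_m0) or, from Exim 4.64, "_" plus a name
# ("_blahblah" -> acl_m_blahblah).
NAMED_OR_NUMERIC = re.compile(rb"-acl([cm]) (\w+) (\d+)")
# Hypothetical older assumption: the rest-of-name is always a number.
NUMERIC_ONLY = re.compile(rb"-acl([cm]) (\d+) (\d+)")


class SpoolFormatError(ValueError):
    """The fragment does not follow the layout this parser expects."""


def parse_option_section(data, acl_pattern=NAMED_OR_NUMERIC):
    """Return (acl_vars, other_options, offset_after_options).

    ACL values are read by byte count, never line by line, because a value
    may contain newlines and lines that look like options.
    """
    acl_vars, other_options = {}, []
    pos = 0
    # The option section is the run of lines that start with "-".
    while data[pos:pos + 1] == b"-":
        eol = data.find(b"\n", pos)
        if eol == -1:
            raise SpoolFormatError("option line is not newline-terminated")
        line, pos = data[pos:eol], eol + 1
        if not line.startswith((b"-aclc ", b"-aclm ")):
            other_options.append(line.decode("latin-1"))
            continue
        match = acl_pattern.fullmatch(line)
        if match is None:
            # Failing closed here is what leaves a message unprocessed when
            # the pattern does not know about named variables.
            raise SpoolFormatError("unrecognised ACL variable line: %r" % line)
        scope, rest, length = match.group(1), match.group(2), int(match.group(3))
        end = pos + length
        if data[end:end + 1] != b"\n":
            raise SpoolFormatError("value of %r is not %d bytes long" % (line, length))
        acl_vars["acl_" + scope.decode() + rest.decode()] = data[pos:end]
        pos = end + 1
    return acl_vars, other_options, pos


def is_parseable(data, acl_pattern=NAMED_OR_NUMERIC):
    """True if the option section parses cleanly with the given pattern."""
    try:
        parse_option_section(data, acl_pattern)
    except SpoolFormatError:
        return False
    return True


def _acl_entry(scope, rest, value):
    # Builds one entry for the constructed sample: header line, value, newline.
    return b"-acl%s %s %d\n%s\n" % (scope, rest, len(value), value)


# Constructed sample, not taken from a real queue: three ACL variables, one of
# them with a value whose second line looks like an option.
SAMPLE = (
    b"-ident mail\n"
    b"-received_protocol esmtp\n"
    + _acl_entry(b"c", b"0", b"yes")
    + _acl_entry(b"m", b"_blahblah", b"hello")
    + _acl_entry(b"m", b"_note", b"line1\n-deliver_firsttime")
    + b"-body_linecount 12\n"
    b"XX\n1\nuser@example.org\n"
)

if __name__ == "__main__":
    variables, options, offset = parse_option_section(SAMPLE)
    for name, value in sorted(variables.items()):
        print(name, "=", value)
    print("other options:", options)
    print("numeric-only pattern accepts sample:", is_parseable(SAMPLE, NUMERIC_ONLY))
```

A scanner that cannot parse a queue file has to decide what happens to that message; logging the rejected line, as the exception text does here, makes the skipped message visible instead of silent.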
From MailScanner at ecs.soton.ac.uk Thu Aug 7 21:14:24 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 7 21:14:42 2008 Subject: Postfix Integration - Run another filter first In-Reply-To: <EMEW-k76H5B0047eef3fc0f4dec46944874a8ac344d-EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> References: <EMEW-k76H5B0047eef3fc0f4dec46944874a8ac344d-EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> Message-ID: <489B57A0.5010404@ecs.soton.ac.uk> Joseph Jamieson wrote: > > Greetings, > > I'm pretty new to MailScanner, but I do have a working system and it > works. > > I am having trouble tracking down a few bits of information, though - > and this is mostly a Postfix question but I figured someone here might > know. > > MailScanner uses the Postfix header-checks "HOLD" feature to scan the > messages. Postfix drops the message into the hold folder, and every > few moments MailScanner will check the folder, scan all the messages, > and then drop it into a folder for postfix to grab and continue > sending the message on its way. > > At what time in the process does Postfix do this? It appears that > postfix will do this before pretty much anything else. So, if I have a > filter set up in the master.cf (for instance, dspam) MailScanner > always gets a hold of the message first. What if I wanted to use dspam > to tag a message probability, and add some scores to SpamAssassin > (which is run by MailScanner?) That way, MailScanner remains the only > system that's doing any tagging, quarantining, etc. > > DSPAM is just an example. I can think of several other nice little > things I'd like to be able to do, too. > > So, I guess the question is: Is there any way to run a filter via > Postfix **before** MailScanner gets its turn? Or do I have it all > wrong here? > You could implement DSPAM (or others) as a generic virus scanner or a custom spam scanner within MailScanner. How about that approach instead? 
It will take you a bit of digging in the MailScanner code to implement, but the hooks are there, and I probably even wrote you some sample code in CustomConfig.pm or /usr/lib/MailScanner/MailScanner/CustomFunctions/*.pm. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Thu Aug 7 21:15:39 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Aug 7 21:15:51 2008 Subject: mailscanner in ISP In-Reply-To: <FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> Message-ID: <489B57EB.9090008@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paulo Roncon wrote: | Hello all, | | I work in a ISP and we want to install mailscanner to stop OUTBOUND spam as its becoming a bottleneck... | I dont have any network metrics, as the guy in charge in out. I'm thinking 1000000 plus messages/day. Pardon me for noting that you used a full digest just to send a new message. Don't you think you might want to do something about that sort spam first? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIm1fpBvzDRVjxmYERAhPVAJ9APUUe+cS6Dq1lbciObNjdZo7t1ACguCqa DCQ/EV73kX9g73dGdGpCdu4= =dRmr -----END PGP SIGNATURE----- From steinkel at pa.net Thu Aug 7 21:21:40 2008 From: steinkel at pa.net (Leland J. Steinke) Date: Thu Aug 7 21:21:53 2008 Subject: Postfix Integration - Run another filter first In-Reply-To: <EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> References: <EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> Message-ID: <489B5954.30405@pa.net> My recollection is that the cleanup(8) daemon is what places messages in the hold queue. MailScanner picks them up there and drops them into incoming when it's done. http://www.postfix.org/OVERVIEW.html indicates optional "light-weight content inspection" in the BUILTIN_FILTER_README. If all else failed, maybe you could set up header_checks to use the FILTER action on Received: headers to a daemon that inserts some other header which you could then use as a trigger for the HOLD action after the message is re-injected. I make no promises that this would work at all, but it would be cool if it did. ;-) Leland Joseph Jamieson wrote: > Greetings, > > > > I'm pretty new to MailScanner, but I do have a working system and it works. > > > > I am having trouble tracking down a few bits of information, though - > and this is mostly a Postfix question but I figured someone here might know. > > > > MailScanner uses the Postfix header-checks "HOLD" feature to scan the > messages. Postfix drops the message into the hold folder, and every > few moments MailScanner will check the folder, scan all the messages, > and then drop it into a folder for postfix to grab and continue sending > the message on its way. > > > > At what time in the process does Postfix do this? It appears that > postfix will do this before pretty much anything else. 
So, if I have a > filter set up in the master.cf (for instance, dspam) MailScanner always > gets a hold of the message first. What if I wanted to use dspam to > tag a message probability, and add some scores to SpamAssassin (which is > run by MailScanner?) That way, MailScanner remains the only system > that's doing any tagging, quarantining, etc. > > > > DSPAM is just an example. I can think of several other nice little > things I'd like to be able to do, too. > > > > So, I guess the question is: Is there any way to run a filter via > Postfix **before** MailScanner gets its turn? Or do I have it all > wrong here? > > > > Thanks in advance. > From jjamieson at futurefoundations.com Thu Aug 7 21:33:49 2008 From: jjamieson at futurefoundations.com (Joseph Jamieson) Date: Thu Aug 7 21:34:05 2008 Subject: Postfix Integration - Run another filter first In-Reply-To: <489B57A0.5010404@ecs.soton.ac.uk> References: <EMEW-k76H5B0047eef3fc0f4dec46944874a8ac344d-EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> <489B57A0.5010404@ecs.soton.ac.uk> Message-ID: <EB9A9B89C2E9CE4EA214E314557A649E0A7064@neptune.directory.futurefoundations.com> That would work (maybe) although I suck at perl if there's any advanced coding required. As long as the code isn't too complicated I *think* I could get by. I'm not a programmer by trade but I can write some php and bash scripts. If this were to work ideally, I'd be able to use a custom scanner within MailScanner which will add some header tags which could then be picked up by SpamAssassin - meaning, it will integrate better into the system as I can add it as a score line item. I like the idea of integrating many different techniques into a single scoring system. It helps reduce false positives and reduce spam. I hate letting a single technique block messages altogether - such as RBL blocks or dynamic IP ranges. Much rather have those things add a few points to the total score. 
Am I right about the postfix/filter order though? Does postfix send messages to the HOLD before running the other items listed in master.cf? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, August 07, 2008 4:14 PM To: MailScanner discussion Subject: Re: Postfix Integration - Run another filter first Joseph Jamieson wrote: > > Greetings, > > I'm pretty new to MailScanner, but I do have a working system and it > works. > > I am having trouble tracking down a few bits of information, though - > and this is mostly a Postfix question but I figured someone here might > know. > > MailScanner uses the Postfix header-checks "HOLD" feature to scan the > messages. Postfix drops the message into the hold folder, and every > few moments MailScanner will check the folder, scan all the messages, > and then drop it into a folder for postfix to grab and continue > sending the message on its way. > > At what time in the process does Postfix do this? It appears that > postfix will do this before pretty much anything else. So, if I have a > filter set up in the master.cf (for instance, dspam) MailScanner > always gets a hold of the message first. What if I wanted to use dspam > to tag a message probability, and add some scores to SpamAssassin > (which is run by MailScanner?) That way, MailScanner remains the only > system that's doing any tagging, quarantining, etc. > > DSPAM is just an example. I can think of several other nice little > things I'd like to be able to do, too. > > So, I guess the question is: Is there any way to run a filter via > Postfix **before** MailScanner gets its turn? Or do I have it all > wrong here? > You could implement DSPAM (or others) as a generic virus scanner or a custom spam scanner within MailScanner. How about that approach instead? 
It will take you a bit of digging in the MailScanner code to implement, but the hooks are there, and I probably even wrote you some sample code in CustomConfig.pm or /usr/lib/MailScanner/MailScanner/CustomFunctions/*.pm. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From jjamieson at futurefoundations.com Thu Aug 7 21:43:49 2008 From: jjamieson at futurefoundations.com (Joseph Jamieson) Date: Thu Aug 7 21:44:06 2008 Subject: Postfix Integration - Run another filter first In-Reply-To: <489B5954.30405@pa.net> References: <EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> <489B5954.30405@pa.net> Message-ID: <EB9A9B89C2E9CE4EA214E314557A649E0A7065@neptune.directory.futurefoundations.com> That's a good possibility - I will read more on how messages are inspected and handled by postfix. I could probably have a different process inspect the hold queue, process it first, then drop it into another folder which MailScanner monitors. Ahh, this all reminds me too much of CC:Mail and MSMail! Q and MBG ftw. I mean, I guess I could set up two separate postfix daemons - one to run the first set of filters, and then pass the off to postfix #2 which would run MailScanner, but I'd really like to avoid this scenario. 
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Leland J. Steinke Sent: Thursday, August 07, 2008 4:22 PM To: MailScanner discussion Subject: Re: Postfix Integration - Run another filter first My recollection is that the cleanup(8) daemon is what places messages in the hold queue. MailScanner picks them up there and drops them into incoming when it's done. http://www.postfix.org/OVERVIEW.html indicates optional "light-weight content inspection" in the BUILTIN_FILTER_README. If all else failed, maybe you could set up header_checks to use the FILTER action on Received: headers to a daemon that inserts some other header which you could then use as a trigger for the HOLD action after the message is re-injected. I make no promises that this would work at all, but it would be cool if it did. ;-) Leland Joseph Jamieson wrote: > Greetings, > > > > I'm pretty new to MailScanner, but I do have a working system and it works. > > > > I am having trouble tracking down a few bits of information, though - > and this is mostly a Postfix question but I figured someone here might know. > > > > MailScanner uses the Postfix header-checks "HOLD" feature to scan the > messages. Postfix drops the message into the hold folder, and every > few moments MailScanner will check the folder, scan all the messages, > and then drop it into a folder for postfix to grab and continue sending > the message on its way. > > > > At what time in the process does Postfix do this? It appears that > postfix will do this before pretty much anything else. So, if I have a > filter set up in the master.cf (for instance, dspam) MailScanner always > gets a hold of the message first. What if I wanted to use dspam to > tag a message probability, and add some scores to SpamAssassin (which is > run by MailScanner?) That way, MailScanner remains the only system > that's doing any tagging, quarantining, etc. 
> > > > DSPAM is just an example. I can think of several other nice little > things I'd like to be able to do, too. > > > > So, I guess the question is: Is there any way to run a filter via > Postfix **before** MailScanner gets its turn? Or do I have it all > wrong here? > > > > Thanks in advance. > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Thu Aug 7 21:56:38 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 7 21:57:01 2008 Subject: Postfix Integration - Run another filter first In-Reply-To: <EMEW-k76LoR029eab83a6276348a1a2d1d2d5f8b710-EB9A9B89C2E9CE4EA214E314557A649E0A7065@neptune.directory.futurefoundations.com> References: <EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> <489B5954.30405@pa.net> <EMEW-k76LoR029eab83a6276348a1a2d1d2d5f8b710-EB9A9B89C2E9CE4EA214E314557A649E0A7065@neptune.directory.futurefoundations.com> Message-ID: <489B6186.9030400@ecs.soton.ac.uk> Joseph Jamieson wrote: > That's a good possibility - I will read more on how messages are > inspected and handled by postfix. > > I could probably have a different process inspect the hold queue, > process it first, then drop it into another folder which MailScanner > monitors. Watch out for file locking! Pulling complete messages out of the HOLD queue is not trivial! You have been warned (it took me a long time to finally get it right). And then make sure you use a similar locking scheme when you write your processed messages out to the folder that MailScanner is going to get them from, or MailScanner will end up processing partially-written messages. The whole locking problem in Postfix is a minefield. 
It's why the Postfix authors hate me so much :-) > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Leland > J. Steinke > Sent: Thursday, August 07, 2008 4:22 PM > To: MailScanner discussion > Subject: Re: Postfix Integration - Run another filter first > > My recollection is that the cleanup(8) daemon is what places messages in > > the hold queue. MailScanner picks them up there and drops them into > incoming when it's done. http://www.postfix.org/OVERVIEW.html indicates > > optional "light-weight content inspection" in the BUILTIN_FILTER_README. > > If all else failed, maybe you could set up header_checks to use the > FILTER action on Received: headers to a daemon that inserts some other > header which you could then use as a trigger for the HOLD action after > the message is re-injected. I make no promises that this would work at > all, but it would be cool if it did. ;-) > > > Leland > Joseph Jamieson wrote: > >> Greetings, >> >> >> >> I'm pretty new to MailScanner, but I do have a working system and it >> > works. > >> >> >> I am having trouble tracking down a few bits of information, though - >> and this is mostly a Postfix question but I figured someone here might >> > know. > >> >> >> MailScanner uses the Postfix header-checks "HOLD" feature to scan the >> messages. Postfix drops the message into the hold folder, and every >> few moments MailScanner will check the folder, scan all the messages, >> and then drop it into a folder for postfix to grab and continue >> > sending > >> the message on its way. >> >> >> >> At what time in the process does Postfix do this? It appears that >> postfix will do this before pretty much anything else. So, if I have >> > a > >> filter set up in the master.cf (for instance, dspam) MailScanner >> > always > >> gets a hold of the message first. 
What if I wanted to use dspam to >> tag a message probability, and add some scores to SpamAssassin (which >> > is > >> run by MailScanner?) That way, MailScanner remains the only system >> > > >> that's doing any tagging, quarantining, etc. >> >> >> >> DSPAM is just an example. I can think of several other nice little >> things I'd like to be able to do, too. >> >> >> >> So, I guess the question is: Is there any way to run a filter via >> Postfix **before** MailScanner gets its turn? Or do I have it all >> wrong here? >> >> >> >> Thanks in advance. >> >> > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Aug 7 22:23:11 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 7 22:23:40 2008 Subject: Postfix Integration - Run another filter first In-Reply-To: <489B6186.9030400@ecs.soton.ac.uk> References: <EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> <489B5954.30405@pa.net> <EMEW-k76LoR029eab83a6276348a1a2d1d2d5f8b710-EB9A9B89C2E9CE4EA214E314557A649E0A7065@neptune.directory.futurefoundations.com> <489B6186.9030400@ecs.soton.ac.uk> Message-ID: <g7fp40$htt$1@ger.gmane.org> on 8-7-2008 1:56 PM Julian Field spake the following: > > > Joseph Jamieson wrote: >> That's a good possibility - I will read more on how messages are >> inspected and handled by postfix. >> >> I could probably have a different process inspect the hold queue, >> process it first, then drop it into another folder which MailScanner >> monitors. > Watch out for file locking! Pulling complete messsages out of the HOLD > queue is not trivial! 
You have been warned (it took me a long time to > finally get it right). And then make sure you use a similar locking > scheme when you write your processed messages out to the folder that > MailScanner is going to get them from, or MailScanner will end up > processing partially-written messages. > > The whole locking problem in Postfix is a minefield. It's why the > Postfix authors hate me so much :-) > I think they hate you because you don't use their sanctioned method of interacting with postfix through a socket. You managed to do something they probably had trouble doing, so they sabotage you every chance they get. Programmer envy! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080807/c165bb0e/signature.bin From andrew at gdcon.net Fri Aug 8 00:21:13 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Fri Aug 8 00:21:32 2008 Subject: quiet here In-Reply-To: <4899C0F7.6070603@ecs.soton.ac.uk> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> Message-ID: <489B8369.70001@gdcon.net> Julian Field wrote: > The HTML::Parser protection seems to be working okay, and hasn't had a > huge speed impact (it never ceases to amaze me quite how fast fork() > is!). > > Jules > <lamejoke> It's as fast as fork()... </lamejoke> -- This message was scanned by ESVA and is believed to be clean. 
From R.Sterenborg at netsourcing.nl Fri Aug 8 07:17:20 2008 From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Fri Aug 8 07:17:30 2008 Subject: quiet here In-Reply-To: <489B07DB.6040207@ecs.soton.ac.uk> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk><EMEW-k76FYda86cea5eee60f46c6f585c44b3d99f97-489B055E.2020400@mail.wvnet.edu> <489B07DB.6040207@ecs.soton.ac.uk> Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2405D953C2@WISENT.dcyb.net> >> Up until now I had never even heard of 7zip. I just tested F-Prot >> and ClamAV against an archive with a virus in it. Neither detected >> the virus inside. So, isn't it just a matter of time before viruses >> start spreading in this format? If so I think you're going to be >> compelled to support the scanning of this format. > But if no-one has the software for reading this format already, they > aren't any harm. Several Windows (and quite often we try to protect the users of this OS ;-)) compression programs can read the 7-Zip format, see http://en.wikipedia.org/wiki/Comparison_of_file_archivers#Operating_syst em_support and http://en.wikipedia.org/wiki/Comparison_of_file_archivers#Archive_format _support. 7-Zip has been around for some time now (2000 or 2001). Perhaps it's going to be used more often now but I haven't seen much of it so far. (That doesn't mean I'm against MS supporting this format.) 
Grts, Rob From gmatt at nerc.ac.uk Fri Aug 8 10:26:14 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Fri Aug 8 10:26:57 2008 Subject: mailscanner in ISP In-Reply-To: <489B07A1.3050502@ecs.soton.ac.uk> References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <EMEW-k76FBHc5cb968dfbde57724284d6f92e690894-FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> <489B07A1.3050502@ecs.soton.ac.uk> Message-ID: <489C1136.5000901@nerc.ac.uk> Julian Field wrote: > I would start with some blacklists at your MTA, such as spamhaus-ZEN. > You would be better off putting this into your MTA so you don't accept > connections from botnet hosts in the first place. > ClamAV with the sanesecurity.co.uk additional signatures will be fast too. zen might be a bit mismatched for an ISP - you might end up matching all your users via the PBL policy list! G > > Jules > -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From ram at netcore.co.in Fri Aug 8 10:52:34 2008 From: ram at netcore.co.in (ram) Date: Fri Aug 8 10:52:52 2008 Subject: mailscanner in ISP In-Reply-To: <FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> Message-ID: <1218189154.1886.79.camel@darkstar.netcore.co.in> On Thu, 2008-08-07 at 15:06 +0100, Paulo Roncon wrote: > Hello all, > > I work in a ISP and we want to install mailscanner to stop OUTBOUND spam as its becoming a bottleneck... > I dont have any network metrics, as the guy in charge in out. I'm thinking 1000000 plus messages/day. 
> > Questions: > -Anyone has ideias of the kind of HW solution nedeed? > -OUTBOUND filtering: Its gonna be *->*. Do you see any problems? > -Which is the fastest configuration possible? > -What pieces of SW should I install (AV, Pyzor, etc,etc)?. I'm aiming to speed and to block about 85% of spam. I'm not aiming at near 100% spam free... > > > Thanks! Outbound spam protection could be a lot simpler than inbound. You need not catch *all* the spam here. Just a couple and you know whose neck to catch * Have a clear policy on UCE defined to all your customers * Make sure all your users have strong passwords while authenticating * Make your mail headers very clear to indicate whose account is the origin * Have Ratelimits configured on your MTA * Install MS + barebones SA and quarantine spams ( The default SA will do ) * Employ an Admin to monitor quarantine and terminate spammer accounts immediately. Dont throw away the spams you may need it when the user calls you to complain From glenn.steen at gmail.com Fri Aug 8 13:29:52 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 8 13:30:02 2008 Subject: Postfix Integration - Run another filter first In-Reply-To: <EB9A9B89C2E9CE4EA214E314557A649E0A7064@neptune.directory.futurefoundations.com> References: <EMEW-k76H5B0047eef3fc0f4dec46944874a8ac344d-EB9A9B89C2E9CE4EA214E314557A649E0A7063@neptune.directory.futurefoundations.com> <489B57A0.5010404@ecs.soton.ac.uk> <EB9A9B89C2E9CE4EA214E314557A649E0A7064@neptune.directory.futurefoundations.com> Message-ID: <223f97700808080529h63398213tedf3bd8fe344cd28@mail.gmail.com> 2008/8/7 Joseph Jamieson <jjamieson@futurefoundations.com>: > That would work (maybe) although I suck at perl if there's any advanced > coding required. As long as the code isn't too complicated I *think* I > could get by. I'm not a programmer by trade but I can write some php > and bash scripts. 
> > If this were to work ideally, I'd be able to use a custom scanner within > MailScanner which will add some header tags which could then be picked > up by SpamAssassin - meaning, it will integrate better into the system > as I can add it as a score line item. I like the idea of integrating > many different techniques into a single scoring system. It helps > reduce false positives and reduce spam. I hate letting a single > technique block messages altogether - such as RBL blocks or dynamic IP > ranges. Much rather have those things add a few points to the total > score. > > Am I right about the postfix/filter order though? Does postfix send > messages to the HOLD before running the other items listed in master.cf? Don't think so. As Leland points out, cleanup is responsible for the header/body checks, so anything up until that will be prior to MailScanner, while anything after that will also take place after MailScanner (things handled by the diverse delivery methods... Like recipient splitting (look at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient to see how to solve things like that)). Since filters are handled by the smtpd process (BEFORE, AFTER and milter ...), you should be good. Might be talking out of my rear end, but I don't think so:-). Cheers -- Glenn > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Thursday, August 07, 2008 4:14 PM > To: MailScanner discussion > Subject: Re: Postfix Integration - Run another filter first > > > > Joseph Jamieson wrote: >> >> Greetings, >> >> I'm pretty new to MailScanner, but I do have a working system and it >> works. >> >> I am having trouble tracking down a few bits of information, though - >> and this is mostly a Postfix question but I figured someone here might > >> know. 
>> >> MailScanner uses the Postfix header-checks "HOLD" feature to scan the >> messages. Postfix drops the message into the hold folder, and every >> few moments MailScanner will check the folder, scan all the messages, >> and then drop it into a folder for postfix to grab and continue >> sending the message on its way. >> >> At what time in the process does Postfix do this? It appears that >> postfix will do this before pretty much anything else. So, if I have a > >> filter set up in the master.cf (for instance, dspam) MailScanner >> always gets a hold of the message first. What if I wanted to use dspam > >> to tag a message probability, and add some scores to SpamAssassin >> (which is run by MailScanner?) That way, MailScanner remains the only >> system that's doing any tagging, quarantining, etc. >> >> DSPAM is just an example. I can think of several other nice little >> things I'd like to be able to do, too. >> >> So, I guess the question is: Is there any way to run a filter via >> Postfix **before** MailScanner gets its turn? Or do I have it all >> wrong here? >> > You could implement DSPAM (or others) as a generic virus scanner or a > custom spam scanner within MailScanner. How about that approach instead? > > It will take you a bit of digging in the MailScanner code to implement, > but the hooks are there, and I probably even wrote you some sample code > in CustomConfig.pm or > /usr/lib/MailScanner/MailScanner/CustomFunctions/*.pm. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From sandrews at andrewscompanies.com Fri Aug 8 16:41:32 2008 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Fri Aug 8 16:41:43 2008 Subject: slightly off topic, listserv Message-ID: <1964AAFBC212F742958F9275BF63DBB0906D13@winchester.andrewscompanies.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 1440 bytes Desc: image001.gif Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080808/56bc6bda/attachment.gif From ssilva at sgvwater.com Fri Aug 8 17:23:54 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 8 17:25:12 2008 Subject: mailscanner in ISP In-Reply-To: <1218189154.1886.79.camel@darkstar.netcore.co.in> References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <FE488BAD8B4EBB4BBEC64B3EEA4497E6582663FA@INOAVREX11.ptin.corpPT.com> <1218189154.1886.79.camel@darkstar.netcore.co.in> Message-ID: <g7hruq$6hv$1@ger.gmane.org> on 8-8-2008 2:52 AM ram spake the following: > On Thu, 2008-08-07 at 15:06 +0100, Paulo Roncon wrote: >> Hello all, >> >> I work in a ISP and we want to install mailscanner to stop OUTBOUND spam as its becoming a bottleneck... >> I dont have any network metrics, as the guy in charge in out. I'm thinking 1000000 plus messages/day. 
>> >> Questions: >> -Anyone has ideias of the kind of HW solution nedeed? >> -OUTBOUND filtering: Its gonna be *->*. Do you see any problems? >> -Which is the fastest configuration possible? >> -What pieces of SW should I install (AV, Pyzor, etc,etc)?. I'm aiming to speed and to block about 85% of spam. I'm not aiming at near 100% spam free... >> >> >> Thanks! > > Outbound spam protection could be a lot simpler than inbound. > > You need not catch *all* the spam here. Just a couple and you know whose > neck to catch > > > * Have a clear policy on UCE defined to all your customers > * Make sure all your users have strong passwords while authenticating > * Make your mail headers very clear to indicate whose account is the > origin > * Have Ratelimits configured on your MTA > * Install MS + barebones SA and quarantine spams ( The default SA will > do ) > * Employ an Admin to monitor quarantine and terminate spammer accounts > immediately. Dont throw away the spams you may need it when the user > calls you to complain > > > > Also make sure you have an abuse@ account and monitor it. Respond to all complaints and follow up. And again, have a bulletproof AUP and block spammers quickly while you investigate. If they are firewalled, or their accounts are on hold they will immediately know something is wrong. The real spammers will probably just move on, while the innocent will usually complain loudly. Maybe also monitor your address space for any inclusions into blacklists. I'm sure you could script this fairly easily. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080808/f54b3b3f/signature.bin From ssilva at sgvwater.com Fri Aug 8 17:26:33 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 8 17:30:14 2008 Subject: slightly off topic, listserv In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0906D13@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0906D13@winchester.andrewscompanies.com> Message-ID: <g7hs3p$6c9$1@ger.gmane.org> on 8-8-2008 8:41 AM Steven Andrews spake the following: > I've got a MS box sitting in front of an exchange server; I'm very happy > with that scenario. I've got a client that wants to run a listserv type > service there as well. I've searched for anything that integrates with > Exchange and only found one product from GFI that does it, but it's part > of a larger antivirus/antispam solution and you can't properly turn off > all the other bits. > > > > Any thoughts on running a listserv right on the MS box? > > > > *Steven R. Andrews*, President > Andrews Companies Incorporated > /Small Business Information Technology Consultants/ > sandrews@andrewscompanies.com > Phone: 317.536.1807 > > View Steven Andrews's profile on LinkedIn > <http://www.linkedin.com/in/stevenandrews> > > "If your only tool is a hammer, every problem looks like a nail." > Many people run MailScanner right on their mail box. It shouldn't be a problem, and it could scan the outgoing list traffic for spam and catch it before it floods your userbase. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080808/9c81477c/signature.bin From jaearick at colby.edu Fri Aug 8 17:31:01 2008 From: jaearick at colby.edu (Jeff A. Earickson) Date: Fri Aug 8 17:31:18 2008 Subject: slightly off topic, listserv In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0906D13@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0906D13@winchester.andrewscompanies.com> Message-ID: <alpine.LRH.1.10.0808081230200.32395@rh-colby0.colby.edu> On Fri, 8 Aug 2008, Steven Andrews wrote: > Date: Fri, 8 Aug 2008 11:41:32 -0400 > From: Steven Andrews <sandrews@andrewscompanies.com> > Reply-To: MailScanner discussion <mailscanner@lists.mailscanner.info> > To: MailScanner discussion <mailscanner@lists.mailscanner.info> > Subject: slightly off topic, listserv > > I've got a MS box sitting in front of an exchange server; I'm very happy > with that scenario. I've got a client that wants to run a listserv type > service there as well. I've searched for anything that integrates with > Exchange and only found one product from GFI that does it, but it's part > of a larger antivirus/antispam solution and you can't properly turn off > all the other bits. > > > > Any thoughts on running a listserv right on the MS box? Sure, I run MailMan right on my MS box (with sendmail). No problems. Jeff Earickson Colby College From drew.marshall at technologytiger.net Fri Aug 8 18:11:42 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Fri Aug 8 18:11:54 2008 Subject: slightly off topic, listserv In-Reply-To: <alpine.LRH.1.10.0808081230200.32395@rh-colby0.colby.edu> References: <1964AAFBC212F742958F9275BF63DBB0906D13@winchester.andrewscompanies.com> <alpine.LRH.1.10.0808081230200.32395@rh-colby0.colby.edu> Message-ID: <ECC43794-1C1E-4A3F-91BD-2FE3E4DB4FB8@technologytiger.net> On 8 Aug 2008, at 17:31, Jeff A. 
Earickson wrote: > On Fri, 8 Aug 2008, Steven Andrews wrote: > >> Date: Fri, 8 Aug 2008 11:41:32 -0400 >> From: Steven Andrews <sandrews@andrewscompanies.com> >> Reply-To: MailScanner discussion <mailscanner@lists.mailscanner.info> >> To: MailScanner discussion <mailscanner@lists.mailscanner.info> >> Subject: slightly off topic, listserv >> I've got a MS box sitting in front of an exchange server; I'm very >> happy >> with that scenario. I've got a client that wants to run a listserv >> type >> service there as well. I've searched for anything that integrates >> with >> Exchange and only found one product from GFI that does it, but it's >> part >> of a larger antivirus/antispam solution and you can't properly turn >> off >> all the other bits. >> >> >> >> Any thoughts on running a listserv right on the MS box? > > Sure, I run MailMan right on my MS box (with sendmail). No problems. Make sure you turn water marking on so you don't have to re-scan mail once it's been exploded by the list server (See Check Watermarks To Skip Spam Checks in MailScanner.conf). Saves a bucket load of overhead. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system <www.mail-launder.com> Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From jaearick at colby.edu Fri Aug 8 18:23:15 2008 From: jaearick at colby.edu (Jeff A. 
Earickson) Date: Fri Aug 8 18:23:29 2008 Subject: slightly off topic, listserv In-Reply-To: <ECC43794-1C1E-4A3F-91BD-2FE3E4DB4FB8@technologytiger.net> References: <1964AAFBC212F742958F9275BF63DBB0906D13@winchester.andrewscompanies.com> <alpine.LRH.1.10.0808081230200.32395@rh-colby0.colby.edu> <ECC43794-1C1E-4A3F-91BD-2FE3E4DB4FB8@technologytiger.net> Message-ID: <alpine.LRH.1.10.0808081321320.32395@rh-colby0.colby.edu> On Fri, 8 Aug 2008, Drew Marshall wrote: > On 8 Aug 2008, at 17:31, Jeff A. Earickson wrote: >> On Fri, 8 Aug 2008, Steven Andrews wrote: >> >>> Date: Fri, 8 Aug 2008 11:41:32 -0400 >>> From: Steven Andrews <sandrews@andrewscompanies.com> >>> Reply-To: MailScanner discussion <mailscanner@lists.mailscanner.info> >>> To: MailScanner discussion <mailscanner@lists.mailscanner.info> >>> Subject: slightly off topic, listserv >>> Any thoughts on running a listserv right on the MS box? >> >> Sure, I run MailMan right on my MS box (with sendmail). No problems. > > Make sure you turn water marking on so you don't have to re-scan mail once > it's been exploded by the list server (See Check Watermarks To Skip Spam > Checks in MailScanner.conf). Saves a bucket load of overhead. > > Drew Yes, I have watermarking turned on. Thanks for the advice though, it never hurts to check one's setup against the advice of others. Jeff Earickson Colby College From paul.hutchings at mira.co.uk Sun Aug 10 10:34:03 2008 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Sun Aug 10 10:34:22 2008 Subject: list messages bouncing due to no reverse dns! Message-ID: <FF689DC51C3C1640BE668A0E31182AD004DB0C90@mail03.mira.co.uk> I'm sure we're not the only site that rejects mail by default from hosts with no reverse DNS (please note I mean *no* reverse DNS not a mismatch between forward and reverse). It seems 83.98.192.7 which is delivering mailscanner list mail has none - thought someone might need to know as I wondered why the list had gone awful quiet the last few days ? Cheers!
-- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From mgaudreault at reference.qc.ca Sun Aug 10 10:34:57 2008 From: mgaudreault at reference.qc.ca (Maxime Gaudreault) Date: Sun Aug 10 10:41:18 2008 Subject: automated response Message-ID: <10808100534.AA29981@reference.qc.ca> Hello, Please note that I will be on vacation from August 11 to 22. I will be back on August 25. For any emergency you can contact Alain Doyon (adoyon@reference.qc.ca) for technical support or Yves Vallieres (yvallieres@reference.qc.ca) for sales. Otherwise, I will reply to you when I return from vacation. Thank you From MailScanner at ecs.soton.ac.uk Sun Aug 10 11:35:25 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 10 11:35:49 2008 Subject: list messages bouncing due to no reverse dns! In-Reply-To: <EMEW-k79Ajufadbb2805c499288597c3f53a0844803-FF689DC51C3C1640BE668A0E31182AD004DB0C90@mail03.mira.co.uk> References: <EMEW-k79Ajufadbb2805c499288597c3f53a0844803-FF689DC51C3C1640BE668A0E31182AD004DB0C90@mail03.mira.co.uk> Message-ID: <489EC46D.5090407@ecs.soton.ac.uk> The netblock of IP addresses got hijacked by someone bad, and the nameserver entries were changed without permission from the owners. As soon as they can get ownership back, they will correct the nameserver records and everything will return to normal. In the meantime, sorry, but there's nothing much I can do about this except suspend normal processing of list-bounce error messages, which I have done.
The only other option would be to move the entire list to somewhere else, which is a big job just because of a temporary outage at a time of year when everything would be pretty quiet anyway. Hope that's okay with all of you. Cheers, Jules. Paul Hutchings wrote: > I'm sure we're not the only site that rejects mail by default from hosts with no reverse DNS (please note I mean *no* reverse DNS not a mismatch between forward and reverse). > > It seems 83.98.192.7 which is delivering mailscanner list mail has none - thought someone might need to know as I wondered why the list had gone awful quiet the last few days ? > > Cheers! > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jcputter at centreweb.co.za Mon Aug 11 00:10:31 2008 From: jcputter at centreweb.co.za (JC) Date: Mon Aug 11 00:10:58 2008 Subject: Mailscanner Mailwatch Message-ID: <002401c8fb3e$4988def0$0201a8c0@athome> Hi I have install and configured my first mailscanner box with mailwatch, As i understand mailwatch can send my users a daily report? i have created a user and enabled daily reports for that user but has not received my report, in my MailScanner.conf i config mailscanner to store notify when i detects spam, is this correct for what i am trying to do? is the a way for setup mailscanner that it only scans incoming emails and not outgoing email for spam? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080811/3e836675/attachment.html From Jeff.Mills at versacold.com.au Mon Aug 11 00:36:56 2008 From: Jeff.Mills at versacold.com.au (Jeff Mills) Date: Mon Aug 11 00:37:08 2008 Subject: Mailscanner Mailwatch In-Reply-To: <002401c8fb3e$4988def0$0201a8c0@athome> Message-ID: <A80817E3C206A84788EBD17BB171F0F90207A867@EXCHANGE.AU.POCOLD.POCL> ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of JC Sent: Monday, 11 August 2008 9:11 AM To: mailscanner@lists.mailscanner.info Subject: Mailscanner Mailwatch Hi I have install and configured my first mailscanner box with mailwatch, As i understand mailwatch can send my users a daily report? i have created a user and enabled daily reports for that user but has not received my report, in my MailScanner.conf i config mailscanner to store notify when i detects spam, is this correct for what i am trying to do? is the a way for setup mailscanner that it only scans incoming emails and not outgoing email for spam? You need to daily cron job the quarantine report. From junior.listas at gmail.com Mon Aug 11 01:03:55 2008 From: junior.listas at gmail.com (junior.listas) Date: Mon Aug 11 01:04:32 2008 Subject: Mailer Daemon Spam Messages Message-ID: <489F81EB.1090905@gmail.com> Hi All, I'm new to mailscanner, I just have installed 2 box, its a great peace of code, almost all things works fine for me , but I have a big problem; just one user still receiving lots of messages from postmaster@ and mailer-daemon@ that the header X-original-To goes to him but they doesnt send this mails. I has used a blacklist ( definitely backlist ) like: FromOrTO: postmaster@ yes FromOrTO: mailer-daemon@ yes ... but the emails still delivered to the user. How can i block this emails?? ps. Is blakclist and whitelist case sensitive? 
From kc5goi at gmail.com Mon Aug 11 02:36:38 2008 From: kc5goi at gmail.com (Guy Story KC5GOI) Date: Mon Aug 11 02:36:58 2008 Subject: Mailer Daemon Spam Messages In-Reply-To: <489F81EB.1090905@gmail.com> References: <489F81EB.1090905@gmail.com> Message-ID: <489F97A6.80609@kc5goi.net> junior.listas wrote: > Hi All, > I'm new to mailscanner, I just have installed 2 box, its a great peace > of code, almost all things works fine for me , but I have a big > problem; just one user still receiving lots of messages from > postmaster@ and mailer-daemon@ that the header X-original-To goes to > him but they doesnt send this mails. I has used a blacklist ( > definitely backlist ) like: > > FromOrTO: postmaster@ yes > FromOrTO: mailer-daemon@ yes > > ... but the emails still delivered to the user. > How can i block this emails?? > > ps. Is blakclist and whitelist case sensitive? > You need to add the * after the @ in the addresses. Guy From junior.listas at gmail.com Mon Aug 11 05:09:09 2008 From: junior.listas at gmail.com (junior.listas) Date: Mon Aug 11 05:09:23 2008 Subject: Mailer Daemon Spam Messages In-Reply-To: <489F97A6.80609@kc5goi.net> References: <489F81EB.1090905@gmail.com> <489F97A6.80609@kc5goi.net> Message-ID: <489FBB65.8070107@gmail.com> Guy, thank you for your attention.. but i dont think so, i tried this with and without *... JC Guy Story KC5GOI escreveu: > junior.listas wrote: >> Hi All, >> I'm new to mailscanner, I just have installed 2 box, its a great >> peace of code, almost all things works fine for me , but I have a big >> problem; just one user still receiving lots of messages from >> postmaster@ and mailer-daemon@ that the header X-original-To goes to >> him but they doesnt send this mails. I has used a blacklist ( >> definitely backlist ) like: >> >> FromOrTO: postmaster@ yes >> FromOrTO: mailer-daemon@ yes >> >> ... but the emails still delivered to the user. >> How can i block this emails?? >> >> ps. Is blakclist and whitelist case sensitive? 
>> > You need to add the * after the @ in the addresses. > > Guy From hvdkooij at vanderkooij.org Mon Aug 11 05:45:43 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Aug 11 05:45:54 2008 Subject: Mailer Daemon Spam Messages In-Reply-To: <489F81EB.1090905@gmail.com> References: <489F81EB.1090905@gmail.com> Message-ID: <489FC3F7.9000001@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 junior.listas wrote: | Hi All, | I'm new to mailscanner, I just have installed 2 box, its a great peace | of code, almost all things works fine for me , but I have a big problem; | just one user still receiving lots of messages from postmaster@ and | mailer-daemon@ that the header X-original-To goes to him but they | doesnt send this mails. I has used a blacklist ( definitely backlist ) | like: | | FromOrTO: postmaster@ yes | FromOrTO: mailer-daemon@ yes That will not work on proper bounce messages. Because proper bounce messages use an empty sender. Note that this feature works on the SMTP envelope addresses and not the addresses you happen to see on the From: line in the message itself. I suggest you study the watermark feature of MailScanner and use that instead. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIn8P2BvzDRVjxmYERAvrTAKCFbboj3DqNJ6H43twJAJ+uYH953wCgn5/Q 0efxMVlpbkQ2PBdCQMzkcV8= =u9KD -----END PGP SIGNATURE----- From jcputter at centreweb.co.za Mon Aug 11 08:37:02 2008 From: jcputter at centreweb.co.za (JC Putter) Date: Mon Aug 11 08:38:15 2008 Subject: Mailscanner Mailwatch In-Reply-To: <A80817E3C206A84788EBD17BB171F0F90207A867@EXCHANGE.AU.POCOLD.POCL> References: <A80817E3C206A84788EBD17BB171F0F90207A867@EXCHANGE.AU.POCOLD.POCL> Message-ID: <489FEC1E.80300@centreweb.co.za> Jeff Mills wrote: > ________________________________ > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of JC > Sent: Monday, 11 August 2008 9:11 AM > To: mailscanner@lists.mailscanner.info > Subject: Mailscanner Mailwatch > > > Hi Thank you but were is that script located? sorry i am new to linux and mailscanner > Hi > > I have install and configured my first mailscanner box with > mailwatch, > > As i understand mailwatch can send my users a daily report? i > have created a user and enabled daily reports for that user but has not > received my report, > > in my MailScanner.conf i config mailscanner to store notify when > i detects spam, is this correct for what i am trying to do? is the a way > for setup mailscanner that it only > scans incoming emails and not outgoing email for spam? > > > You need to daily cron job the quarantine report. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
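
The watermark approach Hugo van der Kooij recommends above for null-sender bounces, as an added sketch that is not MailScanner's code or part of any post in this thread. Only the `expiry@hash` value shape is taken from this archive (the Message.pm line quoted in the Watermark+Exim thread); the HMAC construction, secret, header name, lifetime and sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

# Assumptions for this sketch (none of these come from MailScanner itself):
SECRET = b"constructed-demo-secret"   # per-site secret
HEADER = "X-Demo-Watermark"           # placeholder header name
LIFETIME = 7 * 24 * 3600              # seconds a watermark stays valid


def _mac(expiry_text, message_id, secret):
    """Assumed construction: HMAC-SHA256 over 'expiry:message-id'."""
    data = f"{expiry_text}:{message_id}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_watermark(message_id, now, secret=SECRET, lifetime=LIFETIME):
    """Value stamped on outgoing mail, in the 'expiry@hash' shape."""
    expiry = str(int(now) + lifetime)
    return f"{expiry}@{_mac(expiry, message_id, secret)}"


def check_watermark(value, message_id, now, secret=SECRET):
    """Return 'missing', 'forged', 'expired' or 'valid'."""
    if not value:
        return "missing"
    expiry_text, sep, mac = value.strip().partition("@")
    if not sep or not (expiry_text.isascii() and expiry_text.isdigit()):
        return "forged"
    expected = _mac(expiry_text, message_id, secret)
    # Constant-time comparison, and the MAC is checked before the expiry.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "forged"
    return "expired" if int(expiry_text) < now else "valid"


def returned_headers(bounce):
    """Headers of the original message that the bounce carries back, if any."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload())
    return None


def classify(envelope_sender, raw_message, now):
    """Decide on the SMTP envelope sender, not on the From: header."""
    if envelope_sender.strip() not in ("", "<>"):
        return "not-a-bounce"
    original = returned_headers(message_from_string(raw_message))
    if original is None:
        return "bounce-no-original"
    verdict = check_watermark(original.get(HEADER),
                              original.get("Message-ID", ""), now)
    return "bounce-" + verdict


def sample_bounce(original_headers):
    """Constructed sample: a minimal delivery report returning some headers."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: user@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Your message could not be delivered.\n"
        "--b1\n"
        "Content-Type: text/rfc822-headers\n"
        "\n"
        f"{original_headers}"
        "\n--b1--\n"
    )


def demo():
    sent_at = 1218400000                      # constructed timestamp
    msg_id = "<constructed-1@example.org>"    # constructed Message-ID
    mark = make_watermark(msg_id, sent_at)
    genuine = sample_bounce(f"Message-ID: {msg_id}\n{HEADER}: {mark}\n")
    backscatter = sample_bounce("Message-ID: <spam-77@example.org>\n"
                                "From: user@example.org\n")
    replayed = sample_bounce(f"Message-ID: <spam-78@example.org>\n"
                             f"{HEADER}: {mark}\n")
    return {
        "genuine": classify("<>", genuine, sent_at + 3600),
        "backscatter": classify("", backscatter, sent_at + 3600),
        "replayed": classify("<>", replayed, sent_at + 3600),
        "stale": classify("<>", genuine, sent_at + LIFETIME + 1),
        "ordinary": classify("postmaster@example.net", genuine, sent_at),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

Every bounce in the sample shows MAILER-DAEMON on its From: line, yet the decision is made on the empty envelope sender, which is why an envelope rule for postmaster@ or mailer-daemon@ never matches these messages.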
From andrew at gdcon.net Mon Aug 11 10:09:05 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Mon Aug 11 10:05:56 2008 Subject: Mailscanner Mailwatch In-Reply-To: <489FEC1E.80300@centreweb.co.za> References: <A80817E3C206A84788EBD17BB171F0F90207A867@EXCHANGE.AU.POCOLD.POCL> <489FEC1E.80300@centreweb.co.za> Message-ID: <171b8405dcfdea33d0e72eeb73cbd387.squirrel@wm.gdcon.net> On Mon, August 11, 2008 8:37 am, JC Putter wrote: > Jeff Mills wrote: > > Hi Thank you but were is that script located? sorry i am new to linux > and mailscanner This is actually a Mailwatch question, which is a different (but related) product, which has it's own list. See the Mailwatch site (http://mailwatch.sourceforge.net/doku.php) for list info and product documentation. -HTH, Andrew -- This message was scanned by ESVA and is believed to be clean. From miguelanxo at telefonica.net Mon Aug 11 16:33:04 2008 From: miguelanxo at telefonica.net (Miguelanxo Otero Salgueiro) Date: Mon Aug 11 16:33:23 2008 Subject: Watermark+Exim don't work together Message-ID: <48A05BB0.8070703@telefonica.net> Hello List! In order to get rid of bounce-back SPAM, I've tried to configure MailScanner to use watermarks, but It just doesn't work. I've just started to do the debugging and asked in the freenode #MailScanner channel and someone suggested I post my findings here, so here I go... Setup: MailScanner 4.70.7-1 + Exim 4.50 + ClamAV As the first symptom is outbound email having no watermark header, I will try to fix that first. I just greped for "watermark" and found some code in lib/MailScanner/Message.pm that deals with watermarking. Line 340... $global::MS->{mta}->AppendHeader($this, $mshmacheader, "$expiry\@$hash"); ...adds in fact the watermark header to a header set, but as I print that set of headers just after every call to that sub, I can see it gets removed somewhat after the antivirus (ClamAV) is called (I can see the debug messages of ClamAV intermixed). 
I tried to find AppendHeader and looks like, as I'm using exim, it should be the one defined in lib/MailScanner/Exim.pm In that file, line 699 I found this $message->{metadata}{headers} = []; just after something about MIME::Tools and the lack of proper heading processing. I just can say the Watermark header is wiped in that line, and not reconstructed after. Would be glad if someone just takes a pick on this. Best regards, Miguelanxo. From MailScanner at ecs.soton.ac.uk Mon Aug 11 16:56:48 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 11 16:57:17 2008 Subject: Watermark+Exim don't work together In-Reply-To: <EMEW-k7AGi2c86ac09b3a94576c0b2be166cd021fc7-48A05BB0.8070703@telefonica.net> References: <EMEW-k7AGi2c86ac09b3a94576c0b2be166cd021fc7-48A05BB0.8070703@telefonica.net> Message-ID: <48A06140.5010604@ecs.soton.ac.uk> I'll take a look at this soon, for you. Miguelanxo Otero Salgueiro wrote: > Hello List! > > In order to get rid of bounce-back SPAM, I've tried to configure > MailScanner to use watermarks, but > It just doesn't work. I've just started to do the debugging and asked > in the freenode #MailScanner channel > and someone suggested I post my findings here, so here I go... > > Setup: MailScanner 4.70.7-1 + Exim 4.50 + ClamAV > > As the first symptom is outbound email having no watermark header, > I will try to fix that first. > I just greped for "watermark" and found some code in > lib/MailScanner/Message.pm that deals with watermarking. > Line 340... > > $global::MS->{mta}->AppendHeader($this, $mshmacheader, > "$expiry\@$hash"); > > ...adds in fact the watermark header to a header set, but as I print > that set of headers just after > every call to that sub, I can see it gets removed somewhat after the > antivirus (ClamAV) is called > (I can see the debug messages of ClamAV intermixed). 
> > I tried to find AppendHeader and looks like, as I'm using exim, it > should be the one defined in > lib/MailScanner/Exim.pm > In that file, line 699 I found this > > $message->{metadata}{headers} = []; > > just after something about MIME::Tools and the lack of proper heading > processing. > I just can say the Watermark header is wiped in that line, and not > reconstructed after. > > Would be glad if someone just takes a pick on this. > > Best regards, > Miguelanxo. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From x72m35 at gmail.com Tue Aug 12 04:28:21 2008 From: x72m35 at gmail.com (Lasantha Marian) Date: Tue Aug 12 04:28:37 2008 Subject: Watermark+Exim don't work together In-Reply-To: <48A05BB0.8070703@telefonica.net> References: <48A05BB0.8070703@telefonica.net> Message-ID: <48A10355.1070900@gmail.com> Skipped content of type multipart/alternative-------------- next part -------------- 272a273,274 > $this->{addmshmac} = 0; > $this->{mshmac} = ""; 334c336,337 < $global::MS->{mta}->AppendHeader($this, $mshmacheader, "$expiry\@$hash"); --- > $this->{addmshmac} = 1; > $this->{mshmac} = "$expiry\@$hash"; 1875a1879,1887 > > # Add watermark header if chosen to do so. > if ($this->{addmshmac}) { > my $mshmacheader = MailScanner::Config::Value('mshmacheader', $this); > my $mshmac = $this->{mshmac}; > > $global::MS->{mta}->ReplaceHeader($this, $mshmacheader, $mshmac); > } > 4843a4856,4864 > > # Add watermark header if chosen to do so. 
> if ($this->{addmshmac}) { > my $mshmacheader = MailScanner::Config::Value('mshmacheader', $this); > my $mshmac = $this->{mshmac}; > > $global::MS->{mta}->ReplaceHeader($this, $mshmacheader, $mshmac); > } > 5259a5281,5289 > > # Add watermark header if chosen to do so. > if ($this->{addmshmac}) { > my $mshmacheader = MailScanner::Config::Value('mshmacheader', $this); > my $mshmac = $this->{mshmac}; > > $global::MS->{mta}->ReplaceHeader($this, $mshmacheader, $mshmac); > } > From MailScanner at ecs.soton.ac.uk Tue Aug 12 09:05:38 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 12 09:05:59 2008 Subject: Watermark+Exim don't work together In-Reply-To: <EMEW-k7B4dca1c740a1b3983e8618fe9276cb251c9c-48A10355.1070900@gmail.com> References: <48A05BB0.8070703@telefonica.net> <EMEW-k7B4dca1c740a1b3983e8618fe9276cb251c9c-48A10355.1070900@gmail.com> Message-ID: <48A14452.2020501@ecs.soton.ac.uk> A new beta containing this patch will be out by the time you read this. 4.71.6. Many thanks! Jules. Lasantha Marian wrote: > *From:* Miguelanxo Otero Salgueiro <miguelanxo@telefonica.net>* > * >> Hello List! >> >> In order to get rid of bounce-back SPAM, I've tried to configure >> MailScanner to use watermarks, but >> It just doesn't work. I've just started to do the debugging and asked >> in the freenode #MailScanner channel >> and someone suggested I post my findings here, so here I go... >> >> Setup: MailScanner 4.70.7-1 + Exim 4.50 + ClamAV >> >> As the first symptom is outbound email having no watermark header, >> I will try to fix that first. >> I just greped for "watermark" and found some code in >> lib/MailScanner/Message.pm that deals with watermarking. >> Line 340... > Miguelanxo, > > I had same sort of problem about three months back with my two > MailScanner/Exim setups. Of course several MailScanner/Postfix setups > worked OK. > > Attached patch against Message.pm-4.69.9 resolved the problem for me. 
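Review bot: the block added at 1875a1879,1887 is pasted again unchanged at 4843a4856,4864 and 5259a5281,5289, so the deferred watermark write now has three copies to keep in step; put it in one small method on the message object and call that from the three places. The deferred write calls ReplaceHeader where the line removed at 334 called AppendHeader, so say in the comment whether overwriting an existing header of that name is intended. Because this is a context-free diff against Message.pm-4.69.9, the reader cannot see which subs the three insert points sit in; a unified diff (diff -u) would show that and apply more safely to other versions.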
> > Julian, I was trying to get your attention on, but later learned that > you were hospitalized for checkups. Appreciate your comments, please. > > Lasantha. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Tue Aug 12 09:33:52 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Aug 12 09:34:05 2008 Subject: Watermark+Exim don't work together In-Reply-To: <48A14452.2020501@ecs.soton.ac.uk> Message-ID: <6d31ea1fa1ea6241ba27332e515d4b53@solidstatelogic.com> Jules I now confirm we have watermarks with MailScanner and exim -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 12 August 2008 09:06 > To: MailScanner discussion > Subject: Re: Watermark+Exim don't work together > > A new beta containing this patch will be out by the time you > read this. > 4.71.6. > > Many thanks! > Jules. > > Lasantha Marian wrote: > > *From:* Miguelanxo Otero Salgueiro <miguelanxo@telefonica.net>* > > * > >> Hello List! > >> > >> In order to get rid of bounce-back SPAM, I've tried to > configure > >> MailScanner to use watermarks, but It just doesn't work. I've just > >> started to do the debugging and asked in the freenode #MailScanner > >> channel and someone suggested I post my findings here, so here I > >> go... 
> >> > >> Setup: MailScanner 4.70.7-1 + Exim 4.50 + ClamAV > >> > >> As the first symptom is outbound email having no > watermark header, > >> I will try to fix that first. > >> I just greped for "watermark" and found some code in > >> lib/MailScanner/Message.pm that deals with watermarking. > >> Line 340... > > Miguelanxo, > > > > I had same sort of problem about three months back with my two > > MailScanner/Exim setups. Of course several > MailScanner/Postfix setups > > worked OK. > > > > Attached patch against Message.pm-4.69.9 resolved the > problem for me. > > > > Julian, I was trying to get your attention on, but later > learned that > > you were hospitalized for checkups. Appreciate your > comments, please. > > > > Lasantha. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. 
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From MailScanner at ecs.soton.ac.uk Tue Aug 12 09:44:05 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 12 09:44:27 2008 Subject: Watermark+Exim don't work together In-Reply-To: <EMEW-k7B9cu8d6ac30f49f1cdf524489f94b5655b0c-6d31ea1fa1ea6241ba27332e515d4b53@solidstatelogic.com> References: <EMEW-k7B9cu8d6ac30f49f1cdf524489f94b5655b0c-6d31ea1fa1ea6241ba27332e515d4b53@solidstatelogic.com> Message-ID: <48A14D55.2020708@ecs.soton.ac.uk> Yay! :-) Martin.Hepworth wrote: > Jules > > I now confirm we have watermarks with MailScanner and exim > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Julian Field >> Sent: 12 August 2008 09:06 >> To: MailScanner discussion >> Subject: Re: Watermark+Exim don't work together >> >> A new beta containing this patch will be out by the time you >> read this. >> 4.71.6. >> >> Many thanks! >> Jules. 

Jules

From miguelanxo at telefonica.net Tue Aug 12 13:13:27 2008
From: miguelanxo at telefonica.net (Miguelanxo Otero Salgueiro)
Date: Tue Aug 12 13:13:56 2008
Subject: Watermark+Exim don't work together
In-Reply-To: <48A10355.1070900@gmail.com>
References: <48A05BB0.8070703@telefonica.net> <48A10355.1070900@gmail.com>
Message-ID: <48A17E67.7030609@telefonica.net>

> Miguelanxo,
>
> I had same sort of problem about three months back with my two
> MailScanner/Exim setups. Of course several MailScanner/Postfix setups
> worked OK.
>
> Attached patch against Message.pm-4.69.9 resolved the problem for me.
>
> Julian, I was trying to get your attention on, but later learned that
> you were hospitalized for checkups. Appreciate your comments, please.
>
> Lasantha.

I just copied a clean Messages.pm from version 4.69.9, applied your patch
and copied it into my MailScanner-4.70.7-1 installation and now I have
watermark headers, so the patch did work for me.

I'm currently adapting the patch to version 4.70.7-1, and I'm testing
the rest of the watermark functionality by now.

From mailadmin at midland-ics.ie Tue Aug 12 13:18:42 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Tue Aug 12 13:19:09 2008
Subject: fraud warnings
Message-ID: <00aa01c8fc75$8fffd360$afff7a20$@ie>

Hi all,

When I receive a mail message from a client, I get the MailScanner has
detected a possible fraud attempt from www.domain.com, claiming to be
www.domain.com.

The client is a brand distributor and distributes 3 different brands, as
well as its own, so in their email their signature has the 3 different
website addresses, but one is coming through MailScanner as Fraud.

How do I deal with this situation in MailScanner : I would like to allow
this email domain to use this domain in their email signatures!

I hope I am clear..

Regards

Kevin

This e-mail is intended solely for the addressee(s) and is strictly
confidential. The unauthorised use, disclosure or copying of this e-mail,
or any information it contains is prohibited. If you have received this
e-mail in error, please notify us immediately and then permanently delete
it. Although Midland Internet & Computer Solutions make every effort to
keep our systems free from viruses you should check this e-mail and any
attachments to it for viruses as we cannot accept any liability for
viruses inadvertently transmitted by use.

From alex at rtpty.com Tue Aug 12 13:34:22 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Aug 12 13:34:39 2008
Subject: fraud warnings
In-Reply-To: <00aa01c8fc75$8fffd360$afff7a20$@ie>
References: <00aa01c8fc75$8fffd360$afff7a20$@ie>
Message-ID: <8941F6A8-B1A5-4840-8ADB-704737A27CD1@rtpty.com>

Use a ruleset to exclude them from phishing checks. And perhaps help
them fix their html - that would be a nice gesture.

From mailadmin at midland-ics.ie Tue Aug 12 14:16:00 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Tue Aug 12 14:16:22 2008
Subject: fraud warnings
In-Reply-To: <8941F6A8-B1A5-4840-8ADB-704737A27CD1@rtpty.com>
References: <00aa01c8fc75$8fffd360$afff7a20$@ie> <8941F6A8-B1A5-4840-8ADB-704737A27CD1@rtpty.com>
Message-ID: <00d101c8fc7d$91624ff0$b426efd0$@ie>

Alex

Is this ruleset ok, ?

From: *@emaildomain no
From: default yes

Thanks
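
The fraud warning discussed in this thread is raised when a link's visible text looks like an address that differs from where the link really points. The sketch below is an added illustration of that comparison, not MailScanner's own code and not posted by anyone in the thread. The function names, the normalisation rules, the safe_sites set (standing in for a safe-sites list) and the sample HTML are assumptions or constructed; the third link is built so that it yields the warning text quoted later in the thread.

```python
"""Sketch of a link-text versus link-target check (illustrative only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text counts as "an address" if it has no whitespace and contains
# something shaped like a host name (assumption of this sketch).
ADDRESS = re.compile(r"^\S*[a-z0-9-]+\.[a-z]{2,}\S*$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Text outside an anchor is ignored, so a stray character typed
        # just before the <a> tag never becomes part of the link text.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text, safe_sites=frozenset()):
    """Return a warning if the text claims a different host, else None."""
    real = (urlsplit(href).hostname or "").lower()
    shown = text.strip().lower()
    if not real or not ADDRESS.match(shown):
        return None  # nothing address-like is being claimed
    if real in safe_sites:
        return None  # the operator has vouched for this target
    # Only a complete http:// or https:// prefix is stripped (assumption).
    claimed = re.sub(r"^https?://", "", shown).split("/", 1)[0]
    if claimed == real:
        return None
    return f'possible fraud attempt from "{real}" claiming to be {shown}'


def scan(html, safe_sites=frozenset()):
    """Run check_link over every anchor in an HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    warnings = []
    for href, text in parser.links:
        warning = check_link(href, text, safe_sites)
        if warning:
            warnings.append(warning)
    return warnings


# Constructed signature: the "h" of the third address sits outside the anchor.
SIGNATURE = """
<p>Regards Firstname Lastname</p>
<a href="http://www.domain1.com">http://www.domain1.com</a><br>
<a href="http://www.domain2.com/">www.domain2.com</a><br>
h<a href="http://www.thorlo.com">ttp://www.thorlo.com</a>
"""

# Constructed deceptive link: the text names a host the link does not go to.
DECEPTIVE = '<a href="http://203.0.113.7/login">www.example.com</a>'

if __name__ == "__main__":
    for line in scan(SIGNATURE) + scan(DECEPTIVE):
        print(line)
    # With the target host vouched for, the signature raises nothing.
    print(scan(SIGNATURE, safe_sites={"www.thorlo.com"}))
```

The same comparison that catches the deceptive link also flags the malformed signature, which is why both fixing the sender's HTML and listing the host as safe make the warning go away.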

From MailScanner at ecs.soton.ac.uk Tue Aug 12 14:25:10 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 12 14:25:33 2008
Subject: Watermark+Exim don't work together
In-Reply-To: <EMEW-k7BDNnd5abb9ae38cd6e051c78fef9413237bd-48A17E67.7030609@telefonica.net>
References: <48A05BB0.8070703@telefonica.net> <48A10355.1070900@gmail.com> <EMEW-k7BDNnd5abb9ae38cd6e051c78fef9413237bd-48A17E67.7030609@telefonica.net>
Message-ID: <48A18F36.8080902@ecs.soton.ac.uk>

Miguelanxo Otero Salgueiro wrote:
>
>> Miguelanxo,
>>
>> I had same sort of problem about three months back with my two
>> MailScanner/Exim setups. Of course several MailScanner/Postfix setups
>> worked OK.
>>
>> Attached patch against Message.pm-4.69.9 resolved the problem for me.
>>
>> Julian, I was trying to get your attention on, but later learned that
>> you were hospitalized for checkups. Appreciate your comments, please.
>>
>> Lasantha

One thing. When making patches you should use "diff -Naur" to compare
the directories of files, and not context diffs or normal diffs as they
don't include enough information to be able to reliably patch slightly
different versions of the files automatically.

Just a note for future reference :-)

Jules

From MailScanner at ecs.soton.ac.uk Tue Aug 12 14:26:32 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 12 14:26:52 2008
Subject: fraud warnings
In-Reply-To: <EMEW-k7BDeJ715cf7afb27122c760ba6741ccb54893-8941F6A8-B1A5-4840-8ADB-704737A27CD1@rtpty.com>
References: <00aa01c8fc75$8fffd360$afff7a20$@ie> <EMEW-k7BDeJ715cf7afb27122c760ba6741ccb54893-8941F6A8-B1A5-4840-8ADB-704737A27CD1@rtpty.com>
Message-ID: <48A18F88.5090001@ecs.soton.ac.uk>

You can add them to /etc/MailScanner/phishing.safe.sites.conf. The daily
update will carefully keep any additions you have made to the file.

You don't need to use a ruleset for this at all.

But I would like to see the exact HTML they are using to see what they
are up to and why the phishing net is being triggered.

Alex Neuman van der Hans wrote:
> Use a ruleset to exclude them from phishing checks. And perhaps help
> them fix their html - that would be a nice gesture.

Jules

From martinh at solidstatelogic.com Tue Aug 12 14:28:08 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Aug 12 14:28:19 2008
Subject: fraud warnings
In-Reply-To: <00d101c8fc7d$91624ff0$b426efd0$@ie>
Message-ID: <ef45e70b7ea20747beb5451fbb112134@solidstatelogic.com>

Or add the domain to phishing.safe.sites.conf which is better.

And then email to phishing@mailscanner.info with the domain so we can
all share your info.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From mailadmin at midland-ics.ie Tue Aug 12 16:08:47 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Tue Aug 12 16:09:13 2008
Subject: fraud warnings
In-Reply-To: <48A18F88.5090001@ecs.soton.ac.uk>
References: <00aa01c8fc75$8fffd360$afff7a20$@ie> <EMEW-k7BDeJ715cf7afb27122c760ba6741ccb54893-8941F6A8-B1A5-4840-8ADB-704737A27CD1@rtpty.com> <48A18F88.5090001@ecs.soton.ac.uk>
Message-ID: <00fa01c8fc8d$524570d0$f6d05270$@ie>

Basically the user person has an outlook signature that basically is
written as follows

Regards Firstname Lastname

http://www.domain1.com
http://www.domain2.com
http://www.domain3.com this one is failing...

Thanks

From alex at rtpty.com Tue Aug 12 16:18:03 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Aug 12 16:18:51 2008
Subject: fraud warnings
In-Reply-To: <00fa01c8fc8d$524570d0$f6d05270$@ie>
References: <00aa01c8fc75$8fffd360$afff7a20$@ie> <EMEW-k7BDeJ715cf7afb27122c760ba6741ccb54893-8941F6A8-B1A5-4840-8ADB-704737A27CD1@rtpty.com> <48A18F88.5090001@ecs.soton.ac.uk> <00fa01c8fc8d$524570d0$f6d05270$@ie>
Message-ID: <2A211CD7-AABD-4692-9586-9178B8C0635D@rtpty.com>

Right. What's the error in the html?

From mailadmin at midland-ics.ie Tue Aug 12 17:15:17 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Tue Aug 12 17:15:44 2008
Subject: fraud warnings
In-Reply-To: <2A211CD7-AABD-4692-9586-9178B8C0635D@rtpty.com>
References: <00aa01c8fc75$8fffd360$afff7a20$@ie> <EMEW-k7BDeJ715cf7afb27122c760ba6741ccb54893-8941F6A8-B1A5-4840-8ADB-704737A27CD1@rtpty.com> <48A18F88.5090001@ecs.soton.ac.uk> <00fa01c8fc8d$524570d0$f6d05270$@ie> <2A211CD7-AABD-4692-9586-9178B8C0635D@rtpty.com>
Message-ID: <000b01c8fc96$9dd8e370$d98aaa50$@ie>

hMailScanner has detected a possible fraud attempt from "www.thorlo.com"
claiming to be ttp://www.thorlo.com

From martinh at solidstatelogic.com Tue Aug 12 17:46:53 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Aug 12 17:47:06 2008
Subject: fraud warnings
In-Reply-To: <000b01c8fc96$9dd8e370$d98aaa50$@ie>
Message-ID: <fa0a1da75b10ec4bb40e857f18bdc61a@solidstatelogic.com>

User needs to sort his/her signature then - looks like the url is missing the h from http!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mail Admin
> Sent: 12 August 2008 17:15
> To: MailScanner discussion
> Subject: RE: fraud warnings
>
> hMailScanner has detected a possible fraud attempt from
> "www.thorlo.com"
> claiming to be ttp://www.thorlo.com

From paulo-m-roncon at ptinovacao.pt Tue Aug 12 18:32:50 2008
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Tue Aug 12 18:33:00 2008
Subject: Filter outbound SMTP from ISP
In-Reply-To: <200808121101.m7CB0V2c004396@safir.blacknight.ie>
References: <200808121101.m7CB0V2c004396@safir.blacknight.ie>
Message-ID: <FE488BAD8B4EBB4BBEC64B3EEA4497E658266413@INOAVREX11.ptin.corpPT.com>

Hello all,

I'm wondering if there's a way to filter ALL Outbound SMTP in an ISP before it goes to their destination MTA?

I have a working mailscanner server that filters from:ALL to my domain. This is simple to achieve.
What I'm aiming at is: Filter all SMTP traffic from my ISP networks between its origins and its destination.

Is there a way to say to my MTA to accept all SMTP traffic that goes to him, filter the mails, and send them on their way?

Can this be done?

Ideas?

Thanks,

Paulo Roncon
CSO2 - Suporte operacional interno
PT Inovação - Grupo Portugal Telecom
Rua Eng. José Ferreira Pinto Basto
3810-106 Aveiro, Portugal
Tel +351 234 403 341
Tlm +351 961 781 029
http://www.ptinovacao.pt

From hvdkooij at vanderkooij.org Tue Aug 12 18:43:58 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Aug 12 18:44:07 2008
Subject: Filter outbound SMTP from ISP
In-Reply-To: <FE488BAD8B4EBB4BBEC64B3EEA4497E658266413@INOAVREX11.ptin.corpPT.com>
References: <200808121101.m7CB0V2c004396@safir.blacknight.ie> <FE488BAD8B4EBB4BBEC64B3EEA4497E658266413@INOAVREX11.ptin.corpPT.com>
Message-ID: <48A1CBDE.6010105@vanderkooij.org>

Paulo Roncon wrote:
| I'm wondering if there's a way to filter ALL Outbound SMTP in a ISP before it goes to their destination MTA?
|
| I have a working mailscanner server that filters from:ALL to my domain. This is simple to achieve.
| What i'm aiming at is: Filter all SMTP traffic from my ISP networks between its origins and its destination.
|
| Is there a way to say to my MTA to accept all SMTP traffic that goes to him, filter the mails, and send them on their way?

Would you mind telling us what the problem is?

MailScanner does not mind if email is inbound or outbound. It is the admin which might apply different rules on inbound and outbound traffic.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From steve.freegard at fsl.com Tue Aug 12 19:46:43 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Aug 12 19:48:23 2008
Subject: Filter outbound SMTP from ISP
In-Reply-To: <FE488BAD8B4EBB4BBEC64B3EEA4497E658266413@INOAVREX11.ptin.corpPT.com>
References: <200808121101.m7CB0V2c004396@safir.blacknight.ie> <FE488BAD8B4EBB4BBEC64B3EEA4497E658266413@INOAVREX11.ptin.corpPT.com>
Message-ID: <48A1DA93.3030808@fsl.com>

Paulo Roncon wrote:
> Hello all,
>
> I'm wondering if there's a way to filter ALL Outbound SMTP in a ISP before it goes to their destination MTA?
>
> I have a working mailscanner server that filters from:ALL to my domain. This is simple to achieve.
> What i'm aiming at is: Filter all SMTP traffic from my ISP networks between its origins and its destination.
>
> Is there a way to say to my MTA to accept all SMTP traffic that goes to him, filter the mails, and send them on their way?
>
> Can this be done?

Not really sure that I follow what you are trying to achieve. You seem to be indicating that you want some sort of transparent proxy that scans messages for all your users regardless of whether or not they use your outbound MTAs??

> Ideas?

Well if my previous statement was correct; then the only way you could achieve that would be to redirect all port 25 traffic on your routers to a cluster of scanning MTAs that allow your entire IP space to relay. That way any outbound connections on port 25 regardless of their destination would hit your outbound MTA pool for scanning prior to queueing to the next hop.

I wouldn't have thought this was the best idea though; you'd be better off implementing a block on port 25 outbound to anywhere except your own smart hosts and put something in place to allow individual users to lift the block for their own static IP addresses as many other ISPs have done. That way you don't have to scan torrents of junk from botted machines and try and decide what to do with it - they simply go to /dev/null.

Regards,
Steve.

From roland at inbox4u.de Tue Aug 12 21:49:13 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Tue Aug 12 21:50:22 2008
Subject: AW: New beta released
In-Reply-To: <489708BC.2020207@ecs.soton.ac.uk>
References: <489708BC.2020207@ecs.soton.ac.uk>
Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108B509D03A@TS-DC2.ts-webarts.local>

Jules,

no performance impact so far on my machine, dealing with ~ 35k messages. One thing I realized and did not find the reason so far: Sign Clean Messages option does not work for HTML-Messages anymore :-( Only Text-messages are signed. So probably something has happened.

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Monday, 4 August 2008 15:49
> To: MailScanner discussion; MailScanner-Beta mailing list
> Subject: New beta released
>
> The new beta including complete protection against bugs and crashes in
> HTML::Parser is just uploading now... You're looking for 4.71.5-1 or
> greater.
>
> Note there is a new languages.conf setting, so you will need to run
> upgrade_languages_conf
> after upgrading to this new release. If you don't then the report will
> always come out in English, which you may not want. :-(
>
> Please let me know how you get on with this. It appears to work for me
> with the message with all the nested <FONT> tags that kills
> HTML::Parser.
>
> I would be particularly interested in your views on the performance
> impact this fix has, and therefore whether I need to add a feature to
> enable/disable it or anything else like that.
>
> Cheers,
> Jules.

From steve.freegard at fsl.com Tue Aug 12 22:19:41 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Aug 12 22:19:55 2008
Subject: spamd support module
Message-ID: <48A1FE6D.7080605@fsl.com>

Hi all,

Please find attached a replacement GenericSpamScanner.pm script that will connect to a local or remote spamd instance instead of using the local SpamAssassin libraries.

To install - you will need Mail::SpamAssassin installed locally, then copy GenericSpamScanner.pm to your CustomFunctions directory, edit the three variables at the top of the file to fit your configuration and add the specified configuration option to local.cf on the host that is running spamd and restart spamd for the changes to take effect.

Then ensure spamd is configured correctly and that you are able to connect to it from the MailScanner host. Set 'Use Generic Spam Scanner = Yes' and 'Use SpamAssassin = No' in MailScanner.conf and restart MailScanner.

In the logs it will show spamd being called and the score that is returned.

Advantages of this approach:

- Lower memory usage
- Spamd can be run on a remote system to offload processing
- Speed? Actually appears to be faster than the native code on my test machine.

Disadvantages:

- No SpamAssassin cache

Also with a small amount of extra code it would be possible to have per-user/per-domain bayes database and rules scores although I haven't implemented this yet.

Regards,
Steve.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: GenericSpamScanner.pm
Type: application/x-perl
Size: 1558 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080812/029dc835/GenericSpamScanner.bin

From ka at pacific.net Tue Aug 12 22:53:53 2008
From: ka at pacific.net (Ken A)
Date: Tue Aug 12 22:54:08 2008
Subject: spamd support module
In-Reply-To: <48A1FE6D.7080605@fsl.com>
References: <48A1FE6D.7080605@fsl.com>
Message-ID: <48A20671.7080209@pacific.net>

Steve Freegard wrote:
> Hi all,
>
> Please find attached a replacement GenericSpamScanner.pm script that
> will connect to a local or remote spamd instance instead of using the
> local SpamAssassin libraries.
>
> To install - you will need Mail::SpamAssassin installed locally, then
> copy GenericSpamScanner.pm to your CustomFunctions directory, edit the
> three variables at the top of the file to fit your
> configuration and add the specified configuration option to local.cf on
> the host that is running spamd and restart spamd for the changes to take
> effect.
>
> Then ensure spamd is configured correctly and that you are able to connect
> to it from the MailScanner host. Set 'Use Generic Spam Scanner = Yes'
> and 'Use SpamAssassin = No' in MailScanner.conf and restart MailScanner.
>
> In the logs it will show spamd being called and the score that is returned.
>
> Advantages of this approach:
>
> - Lower memory usage
> - Spamd can be run on a remote system to offload processing
> - Speed? Actually appears to be faster than the native code on my test
> machine.
>
> Disadvantages:
>
> - No SpamAssassin cache
>
> Also with a small amount of extra code it would be possible to have
> per-user/per-domain bayes database and rules scores although I haven't
> implemented this yet.
>
> Regards,
> Steve.
>

Wow. Nice work Steve! spamd already allows ~/.spamassassin configs, and mysql backend for per user rules. How would you implement per user rules scores differently, or why?

Thanks,
Ken

--
Ken Anderson
Pacific.Net

From steve.freegard at fsl.com Wed Aug 13 00:23:48 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Aug 13 00:23:59 2008
Subject: spamd support module
In-Reply-To: <48A20671.7080209@pacific.net>
References: <48A1FE6D.7080605@fsl.com> <48A20671.7080209@pacific.net>
Message-ID: <48A21B84.2080909@fsl.com>

Ken A wrote:
> Wow. Nice work Steve! spamd already allows ~/.spamassassin configs, and
> mysql backend for per user rules. How would you implement per user rules
> scores differently, or why?

Well - the current code wouldn't work with the ~/.spamassassin configs currently as it always sends spamd whatever user is configured as $spamd_user in the .pm file.

For this to work properly in MailScanner it needs something like the following pseudocode:

if (number of recipients > 1) then
    if (number of recipient domains > 1) then
        spamd user = $spamd_user
    else
        spamd user = domain.com
    end if
else
    spamd user = user@domain.com
end if

This way - the code would send spamd a 'User:' header of the recipient e-mail address (if a single recipient) or the e-mail domain e.g. fsl.com if there are multiple recipients but all in a single domain otherwise it will send a default user if there are multiple recipients in mixed domains.

For this to work you'd need to configure spamd to use virtual config directories.

Training also becomes a bit tricky as the same process has to be run to work out which user to send to sa-learn.

I would probably suggest that per-user configs aren't really a good idea unless you really, really need them for a specific purpose. It's probably best to only go down to the per-domain level by default.

The other way to do it would be to have some sort of 'rules' file to work out which user should be sent to spamd depending on the recipient or recipient domain etc.

Cheers,
Steve.

From x72m35 at gmail.com Wed Aug 13 04:09:02 2008
From: x72m35 at gmail.com (Lasantha Marian)
Date: Wed Aug 13 04:09:18 2008
Subject: Watermark+Exim don't work together
In-Reply-To: <48A14452.2020501@ecs.soton.ac.uk>
References: <48A05BB0.8070703@telefonica.net> <EMEW-k7B4dca1c740a1b3983e8618fe9276cb251c9c-48A10355.1070900@gmail.com> <48A14452.2020501@ecs.soton.ac.uk>
Message-ID: <48A2504E.2040809@gmail.com>

*From:* Julian Field <MailScanner@ecs.soton.ac.uk>
> A new beta containing this patch will be out by the time you read this.
> 4.71.6.
>
> Many thanks!
> Jules.
>

Julian,

Yes, I checked the new beta has got the patch. Since my current configurations work, I will test this, once the stable is released.

Thanks for incorporating my patch.

Lasantha.

From x72m35 at gmail.com Wed Aug 13 04:14:42 2008
From: x72m35 at gmail.com (Lasantha Marian)
Date: Wed Aug 13 04:14:58 2008
Subject: Watermark+Exim don't work together
In-Reply-To: <48A18F36.8080902@ecs.soton.ac.uk>
References: <48A05BB0.8070703@telefonica.net> <48A10355.1070900@gmail.com> <EMEW-k7BDNnd5abb9ae38cd6e051c78fef9413237bd-48A17E67.7030609@telefonica.net> <48A18F36.8080902@ecs.soton.ac.uk>
Message-ID: <48A251A2.8050603@gmail.com>

*From:* Julian Field <MailScanner@ecs.soton.ac.uk>
> One thing. When making patches you should use "diff -Naur" to compare
> the directories of files, and not context diffs or normal diffs as
> they don't include enough information to be able to reliably patch
> slightly different versions of the files automatically.
>
> Just a note for future reference :-)
>
> Jules
>

Julian,

Your advice is well noted, I will do accordingly the next time when I submit a patch. :-)

Cheers,
Lasantha.

From martinh at solidstatelogic.com Wed Aug 13 09:21:22 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Aug 13 09:21:34 2008
Subject: spamd support module
In-Reply-To: <48A1FE6D.7080605@fsl.com>
Message-ID: <02bbd0d2b76a104e93567347abdcf750@solidstatelogic.com>

<snip>
> Advantages of this approach:
>
> - Lower memory usage
> - Spamd can be run on a remote system to offload processing
> - Speed? Actually appears to be faster than the native code
> on my test machine.
>
> Disadvantages:
>
> - No SpamAssassin cache
>

Another daemon to look after...

> Also with a small amount of extra code it would be possible
> to have per-user/per-domain bayes database and rules scores
> although I haven't implemented this yet.
>
> Regards,
> Steve.
>

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
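
Added example, not part of any list message and not code from GenericSpamScanner.pm: the recipient-to-spamd-user selection that Steve Freegard gives as pseudocode earlier in this thread, written out in Perl. The sub names, the fallback account name and the address allow-lists are assumptions of this example; the allow-lists are there because envelope recipients are chosen by the sender and the selected value ends up in spamd's 'User:' header and in a per-user config lookup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for $spamd_user in the .pm file; the account name is a placeholder.
my $DEFAULT_SPAMD_USER = 'mailscanner';

# Allow-lists chosen for this example (an assumption, not spamd's own rules).
# \A and \z are used instead of ^ and $ so a trailing newline cannot slip through.
my $LOCAL_RE  = qr/\A[a-z0-9][a-z0-9._+=-]{0,63}\z/;
my $DOMAIN_RE = qr/\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/;

# Split one envelope recipient into [local, domain].
# Returns undef when the address is not usable as a spamd user name.
sub split_recipient {
    my ($addr) = @_;
    return unless defined $addr;
    $addr =~ s/\A\s*<?//;          # tolerate "<user@domain>" and padding
    $addr =~ s/>?\s*\z//;
    my ($local, $domain) = $addr =~ /\A([^\@]+)\@([^\@]+)\z/ or return;
    # Lower-casing both parts is this example's choice, so one mailbox does
    # not end up with several per-user configs.
    ($local, $domain) = (lc $local, lc $domain);
    return unless $local =~ $LOCAL_RE && $domain =~ $DOMAIN_RE;
    return if $local =~ /\.\./;    # no ".." in a name that may map to a path
    return [ $local, $domain ];
}

# The pseudocode's decision, with duplicate recipients counted once:
#   one recipient              -> user@domain
#   several, all in one domain -> domain
#   several, mixed domains     -> default user
# Any unusable recipient, or no recipient at all, also gets the default user.
sub spamd_user_for {
    my (@recipients) = @_;
    my (%users, %domains);
    for my $rcpt (@recipients) {
        my $parts = split_recipient($rcpt)
            or return $DEFAULT_SPAMD_USER;
        my ($local, $domain) = @$parts;
        $users{"$local\@$domain"} = 1;
        $domains{$domain}         = 1;
    }
    return $DEFAULT_SPAMD_USER if !%users;
    return (keys %users)[0]    if keys(%users) == 1;
    return (keys %domains)[0]  if keys(%domains) == 1;
    return $DEFAULT_SPAMD_USER;
}

# Constructed envelopes (example.* domains) with the value each should select.
my @cases = (
    [ 'alice@example.com', [ 'alice@example.com' ] ],
    [ 'alice@example.com', [ 'Alice@Example.COM', '<alice@example.com>' ] ],
    [ 'example.com',       [ 'alice@example.com', 'bob@example.com' ] ],
    [ 'mailscanner',       [ 'alice@example.com', 'carol@example.org' ] ],
    [ 'mailscanner',       [ "bob\@example.com\nUser: root" ] ],      # header injection attempt
    [ 'mailscanner',       [ '../../etc/passwd@example.com' ] ],      # path-like local part
    [ 'mailscanner',       [ ] ],                                     # no recipients
);

for my $case (@cases) {
    my ($expected, $rcpts) = @$case;
    my $got = spamd_user_for(@$rcpts);
    die "expected $expected, got $got\n" unless $got eq $expected;
    (my $shown = join ', ', @$rcpts) =~ s/\n/\\n/g;
    printf "%-45s -> User: %s\n", "[$shown]", $got;
}
```

The same function has to be used when choosing the user for sa-learn, otherwise training goes to a different database from the one that scored the message.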

From MailScanner at ecs.soton.ac.uk Wed Aug 13 10:06:25 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 13 10:06:46 2008
Subject: AW: New beta released
In-Reply-To: <EMEW-k7BLwya4c6d24e0d0c843434977b43b0857687-D0C18CC5B0171C419B96B1D3ADFD783108B509D03A@TS-DC2.ts-webarts.local>
References: <489708BC.2020207@ecs.soton.ac.uk> <EMEW-k7BLwya4c6d24e0d0c843434977b43b0857687-D0C18CC5B0171C419B96B1D3ADFD783108B509D03A@TS-DC2.ts-webarts.local>
Message-ID: <48A2A411.9060105@ecs.soton.ac.uk>

Ehle, Roland wrote:
> Jules,
>
> no performance impact so far on my machine, dealing with ~ 35k messages. One thing I realized and did not find the reason so far: Sign Clean Messages option does not work for HTML-Messages anymore :-( Only Text-messages are signed. So probably something has happened.
>

Have you noticed there are quite a few new config options to do with signing HTML messages. You well might be falling foul of one of them. Please can you double check with the new options for me?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From mailadmin at midland-ics.ie Wed Aug 13 10:31:05 2008
From: mailadmin at midland-ics.ie (Mail Administrator)
Date: Wed Aug 13 10:14:27 2008
Subject: fraud warnings
In-Reply-To: <fa0a1da75b10ec4bb40e857f18bdc61a@solidstatelogic.com>
References: <fa0a1da75b10ec4bb40e857f18bdc61a@solidstatelogic.com>
Message-ID: <49763.89.204.196.145.1218619865.squirrel@webmail.midland-ics.ie>

Thanks for all your help people. All sorted - it was a bad signature after all.

Cheers. This list is magic.

> User needs to sort his/her signature then - looks like the url is missing
> the h from http!
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> > This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use. From martinh at solidstatelogic.com Wed Aug 13 11:02:21 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Aug 13 11:02:37 2008 Subject: New beta released In-Reply-To: <D0C18CC5B0171C419B96B1D3ADFD783108B509D03A@TS-DC2.ts-webarts.local> Message-ID: <555570cfa4de6b4a888f280bceae39a1@solidstatelogic.com> Roland if you get a <silly disclaimer.h> at the bottom here then it's working using latest beta (4.71.6) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ehle, Roland > Sent: 12 August 2008 21:49 > To: MailScanner discussion > Subject: AW: New beta released > > Jules, > > no performance impact so far on my machine, dealing with ~ > 35k messages. One thing I realized and did not find the > reason so far: Sign Clean Messages option does not work for > HTML-Messages anymore :-( Only Text-messages are signed. So > probably something has happened. > > Regards, > Roland > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> > Sent: Monday, 4 August 2008 15:49 > > To: MailScanner discussion; MailScanner-Beta mailing list > > Subject: New beta released > > > > The new beta including complete protection against bugs and > crashes in > > HTML::Parser is just uploading now... You're looking for > 4.71.5-1 or > > greater. > > > > Note there is a new languages.conf setting, so you will need to run > > upgrade_languages_conf > > after upgrading to this new release. If you don't then the > report will > > always come out in English, which you may not want. :-( > > > > Please let me know how you get on with this. It appears to > work for me > > with the message with all the nested <FONT> tags that kills > > HTML::Parser. > > > > I would be particularly interested in your views on the performance > > impact this fix has, and therefore whether I need to add a > feature to > > enable/disable it or anything else like that. > > > > Cheers, > > Jules. > > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080813/a8c1df79/attachment.html From sandrews at andrewscompanies.com Wed Aug 13 13:11:58 2008 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Wed Aug 13 13:12:11 2008 Subject: MS as a relay Message-ID: <1964AAFBC212F742958F9275BF63DBB0906D90@winchester.andrewscompanies.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 1440 bytes Desc: image001.gif Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080813/489e1526/attachment.gif From J.Ede at birchenallhowden.co.uk Wed Aug 13 13:39:58 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Aug 13 13:41:22 2008 Subject: MS as a relay In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0906D90@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0906D90@winchester.andrewscompanies.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7928EB62DF@server02.bhl.local> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: image001.gif Type: image/gif Size: 1440 bytes Desc: image001.gif Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080813/b0af25d0/image001.gif From jgoggan at gmail.com Wed Aug 13 18:02:00 2008 From: jgoggan at gmail.com (John Goggan) Date: Wed Aug 13 19:10:22 2008 Subject: Sendmail: Number of queue runners? 
Message-ID: <loom.20080813T165529-885@post.gmane.org>

I have been using MailScanner with a sendmail configuration for years now. Today, I noticed that I had about 30 messages in my /var/spool/mqueue directory that had not been delivered -- some of which were over a month old. After some research, it appears that almost all of them were to servers that do greylisting -- so all of these were the deferred messages.

Basically, I don't see anything that would be watching mqueue for these messages and attempting to redeliver them. Should I have another queue runner for mqueue? We've always run like this:

One sendmail for incoming email that goes to mqueue.in:

    sendmail -bd -L sm-mta -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in

And one sendmail queue runner for local/clientmqueue:

    sendmail -Ac -q15m -L sm-cm

We use MailScanner with the "Delivery Method = batch" setting, so my understanding is that that means that MailScanner will take care of the messages after they get to mqueue.

This works fine -- except where there is a problem. It appears that nothing ever retries them. Is that correct?

As a solution, I've added another sendmail queue runner for mqueue:

    sendmail -q15m -L sm-mq

So, I now have three sendmails: one daemon listening on 25 and putting mail in mqueue.in, one queue runner for local mail in clientmqueue, and one queue runner for mail that might hang out in mqueue if it doesn't go the first time MailScanner tells it to go.

Is that how it should be? Almost all of the documentation or guides that I could find for setting up MailScanner with sendmail don't seem to mention that second queue runner for mqueue. And, as I said, I ran for years without it (and likely missed sending some delayed emails now and then that were never retried). I just want to make sure that I'm not missing something.

Thanks!

- John...
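Added example (not part of the message above and not MailScanner's own code): a POSIX shell check for the situation that message describes, where deferred mail ages in the outbound queue because none of the sendmail instances is started as a queue runner for it. The function names and the file of start-up command lines are assumptions made for illustration; the command lines it inspects are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: audit a MailScanner + sendmail split-queue setup.
# Helper names are hypothetical; nothing here ships with MailScanner.

# Print the number of queue control files (qf*) in queue directory $1
# whose last modification is more than $2 days ago. A qf file that old
# in the outbound queue means the message has been sitting there unsent.
count_stale_qf() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f -name 'qf*' -mtime +"$2" | wc -l | tr -d ' '
}

# Read sendmail start-up command lines on stdin (one per line, as they
# appear in the init script). Succeed if one of them is a periodic queue
# runner (-q<interval>) for outbound queue $1, that is: not the -Ac
# submission runner and not an instance pointed at another QueueDirectory.
has_outbound_runner() {
    outq=$1
    while IFS= read -r line; do
        case $line in *sendmail*) ;; *) continue ;; esac
        case $line in *" -Ac"*) continue ;; esac
        case $line in
            *"QueueDirectory=$outq"|*"QueueDirectory=$outq "*) ;;
            *QueueDirectory=*) continue ;;
        esac
        case $line in *" -q"[0-9]*) return 0 ;; esac
    done
    return 1
}

# Combine both checks.
#   $1 = outbound queue directory, $2 = age limit in days,
#   $3 = file holding the start-up command lines
# Prints one of: ok | stale | no-runner | no-runner-and-stale
audit_outbound_queue() {
    stale=$(count_stale_qf "$1" "$2")
    if has_outbound_runner "$1" < "$3"; then
        if [ "$stale" -gt 0 ]; then echo stale; else echo ok; fi
    else
        if [ "$stale" -gt 0 ]; then
            echo no-runner-and-stale
        else
            echo no-runner
        fi
    fi
}

# Typical call (paths are assumptions for a stock layout):
#   audit_outbound_queue /var/spool/mqueue 2 /root/sendmail-startup-lines.txt
```

A result of `stale` with a runner present points at destinations that keep deferring rather than at a missing process.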
From ecasarero at gmail.com Wed Aug 13 19:38:18 2008 From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Aug 13 19:38:28 2008 Subject: Sendmail: Number of queue runners? In-Reply-To: <loom.20080813T165529-885@post.gmane.org> References: <loom.20080813T165529-885@post.gmane.org> Message-ID: <7d9b3cf20808131138x2494199bu8eff16f3d6b189f0@mail.gmail.com> 2008/8/13 John Goggan <jgoggan@gmail.com> > I have been using MailScanner with a sendmail configuration for years now. > Today, I noticed that I had about 30 messages in my /var/spool/mqueue > directory > that had not been delivered -- some of which were over a month old. After > some > research, it appears that almost all of them were to server that do > greylisting -- so all of these were the deferred messages. > > Basically, I don't see anything that would be watching mqueue for these > messages and attempting to redeliver them. Should I have another queue > runner > for mqueue? We've always run like this: > > One sendmail for incoming email that goes to mqueue.in: > > sendmail -bd -L sm-mta -OPrivacyOptions=noetrn -ODeliveryMode=queueonly - > OQueueDirectory=/var/spool/mqueue.in > > And one sendmail queue runner for local/clientmqueue: > > sendmail -Ac -q15m -L sm-cm > > We use Mailscanner with the "Delivery Method = batch" setting, so my > understanding is that that means that MailScanner will take care of the > messages after they get to mqueue. > > This works fine -- except where there is a problem. It appears that > nothing > ever retries them. Is that correct? > > As a solution, I've added another sendmail queue runner for mqueue: > > sendmail -q15m -L sm-mq > > So, I now have three sendmails: one daemon listening on 25 and putting mail > in > mqueue.in, one queue runner for local mail in clientmqueue, and one queue > runner for mail that might hang out in mqueue if it doesn't go the first > time > MailScanner tells it to go. > > Is that how it should be? 
Almost all of the documentation or guides that I > could find for setting up MailScanner with sendmail don't seem to mention > that > second queue runner for mqueue. And, as I said, I ran for years without it > (and likely missed sending some delayed emails now and then that were never > retried). I just want to make sure that I'm not missing something. > > Thanks! > > - John... Yes, you need the three instances of sendmail, a queue runner trying to send emails that mailscanner batch didn't. Here in Latin America it is very common to have connectivity problems, so the third sendmail will watch your back. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080813/d03a42ad/attachment.html From nassera at alz-inc.com Wed Aug 13 19:40:30 2008 From: nassera at alz-inc.com (Nasser Al-Zawawi) Date: Wed Aug 13 19:40:47 2008 Subject: MailScanner running very slow Message-ID: <007f01c8fd74$1106a160$e8c8a8c0@ALZGW2kXPMC> Hi, I have a Dell PowerEdge server 2950 with 2 Dual Core Xeon processors 3.0GHz with 2GB RAM running RedHat ES 4. The MTA is sendmail and I am using the latest MailScanner version (4.70.7-1). The system processes about 2,000 emails per day and about half of it are spam. See the following: #--------------- MailScanner Status: 1920 messages Scanned by MailScanner 73657132 Total Bytes 1122 Spam messages detected by MailScanner 6 Viruses found by MailScanner 935 Messages delivered by MailScanner #--------------- The mail delivery is very slow. Sometimes it takes 2 hrs before it gets delivered.
I tried the tips under http://wiki.mailscanner.info/doku.php?id=documentation:tweaking:some_things_to_try_if_your_incoming_queue_is_running_slow but they did not help. The mail keeps accumulating under /var/spool/mqueue.in while all the MailScanner processors are running at 100% CPU. Then all of a sudden (after 1-2 hours) it starts delivering the emails and the /var/spool/mqueue.in files go down to 0. I monitored the system today; the system stopped delivering emails between 9:12AM till 11:35AM. During that time, top showed something like this:

#----------------
top - 10:46:26 up 3 days, 7:42, 1 user, load average: 5.81, 6.09, 5.48
Tasks: 233 total, 5 running, 226 sleeping, 0 stopped, 2 zombie
Cpu(s): 59.0% us, 1.2% sy, 0.0% ni, 39.5% id, 0.2% wa, 0.0% hi, 0.0% si
Mem: 2074600k total, 1735692k used, 338908k free, 22524k buffers
Swap: 2097144k total, 356516k used, 1740628k free, 532576k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2752 root      25   0 85572  75m 2964 R  100  3.7 35:54.85 MailScanner
 2880 root      25   0 85572  75m 2956 R  100  3.7 35:50.35 MailScanner
 3024 root      25   0 85572  75m 2956 R  100  3.7 35:41.62 MailScanner
 2949 root      25   0 85572  75m 2956 R  100  3.7 35:47.07 MailScanner
11393 apache    15   0 26360 9736 3648 S    5  0.5  0:57.14 httpd
11394 apache    15   0 26576 9936 3616 S    5  0.5  0:58.83 httpd
26598 root      16   0  4760 2568 1648 S    1  0.1  0:00.20 ssh
#----------------

and the /var/spool/mqueue.in continued to accumulate files till it reached 489 messages, then within 5 minutes it delivered all the messages! This cycle continues all day long, where the emails are withheld for 1 to 2 hours and then they get delivered in one big burst.
Here are snippets of the log for that period with "Log Speed = yes": grep ": Batch" /var/log/maillog #----------- Aug 13 09:12:16 samba MailScanner[5852]: Batch completed at 1844 bytes per second (39583 / 21) Aug 13 09:12:16 samba MailScanner[5852]: Batch (2 messages) processed in 21.46 seconds Aug 13 09:12:42 samba MailScanner[6013]: Batch completed at 3752 bytes per second (9167 / 2) . Aug 13 11:28:55 samba MailScanner[2949]: Batch (10 messages) processed in 24.54 seconds Aug 13 11:28:55 samba MailScanner[3024]: Batch completed at 657 bytes per second (3825 / 5) Aug 13 11:28:55 samba MailScanner[3024]: Batch (1 message) processed in 5.82 seconds #----------- I would appreciate any clues on resolving this issue. Best regards, Nasser -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080813/374336e4/attachment.html From ecasarero at gmail.com Wed Aug 13 19:53:42 2008 From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Aug 13 19:53:53 2008 Subject: MailScanner running very slow In-Reply-To: <007f01c8fd74$1106a160$e8c8a8c0@ALZGW2kXPMC> References: <007f01c8fd74$1106a160$e8c8a8c0@ALZGW2kXPMC> Message-ID: <7d9b3cf20808131153o31fe9f54nc8ec3436ec4fdba2@mail.gmail.com> 2008/8/13 Nasser Al-Zawawi <nassera@alz-inc.com> > Hi, > > I have a Dell PowerEdge server 2950 with 2 Dual Core Xeon processors 3.0GHz > with 2GB RAM running RedHat ES 4. The MTA is sendmail and I am using the > latest MailScanner version (4.70.7-1). The system processes about 2,000 > emails per day and about half of it are spam. See the following: > > #--------------- > > MailScanner Status: > > 1920 messages Scanned by MailScanner > > 73657132 Total Bytes > > 1122 Spam messages detected by MailScanner > > 6 Viruses found by MailScanner > > 935 Messages delivered by MailScanner > > #--------------- > > > > The mail delivery is very slow. Some time it takes 2 hrs before it gets > delivered. 
I tried the tips under > http://wiki.mailscanner.info/doku.php?id=documentation:tweaking:some_things_to_try_if_your_incoming_queue_is_running_slowbut they did not help. > The mail keeps accumulating under /var/spool/mqueue.in while all the > MailScanner processors are running at 100% CPU. Then all the sudden > (after 1-2 hours) it starts delivering the emails and the /var/spool/ > mqueue.in files go down to 0. > > I monitored the system today; the system stopped delivering emails between > 9:12AM till 11:35AM. During that time, top showed something like this: > > #---------------- > > top - 10:46:26 up 3 days, 7:42, 1 user, load average: 5.81, 6.09, 5.48 > > Tasks: 233 total, 5 running, 226 sleeping, 0 stopped, 2 zombie > > Cpu(s): 59.0% us, 1.2% sy, 0.0% ni, 39.5% id, 0.2% wa, 0.0% hi, 0.0% > si > > Mem: 2074600k total, 1735692k used, 338908k free, 22524k buffers > > Swap: 2097144k total, 356516k used, 1740628k free, 532576k cached > > > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > > 2752 root 25 0 85572 75m 2964 R 100 3.7 35:54.85 MailScanner > > 2880 root 25 0 85572 75m 2956 R 100 3.7 35:50.35 MailScanner > > 3024 root 25 0 85572 75m 2956 R 100 3.7 35:41.62 MailScanner > > 2949 root 25 0 85572 75m 2956 R 100 3.7 35:47.07 MailScanner > > 11393 apache 15 0 26360 9736 3648 S 5 0.5 0:57.14 httpd > > 11394 apache 15 0 26576 9936 3616 S 5 0.5 0:58.83 httpd > > 26598 root 16 0 4760 2568 1648 S 1 0.1 0:00.20 ssh > > #---------------- > > > > and the /var/spool/mqueue.in continued to accumulate files till it reached > 489 messages, then within 5 minutes it delivered all the messages! > > > > This cycles continues all day long, where the emails are withheld for 1 to > 2 hours and then the get delivered in one big burst. 
> > > > Here are snippets of the log for that period with "Log Speed = yes": > > > > grep ": Batch" /var/log/maillog > > #----------- > > Aug 13 09:12:16 samba MailScanner[5852]: Batch completed at 1844 bytes per > second (39583 / 21) > > Aug 13 09:12:16 samba MailScanner[5852]: Batch (2 messages) processed in > 21.46 seconds > > Aug 13 09:12:42 samba MailScanner[6013]: Batch completed at 3752 bytes per > second (9167 / 2) > > ? > > Aug 13 11:28:55 samba MailScanner[2949]: Batch (10 messages) processed in > 24.54 seconds > > Aug 13 11:28:55 samba MailScanner[3024]: Batch completed at 657 bytes per > second (3825 / 5) > > Aug 13 11:28:55 samba MailScanner[3024]: Batch (1 message) processed in > 5.82 seconds > > #----------- > > I would appreciate any clues on resolving this issue. > > > Are you using a local caching dns? dns are critical, remove rbl checking to see if speed increases. Do you use clamavmodule? switch to clamd, are you using tmpfs for /var/spool/MailScanner/incomming? delete spamassassin cache and the bayes DB. sometimes they get corrupted and mess things up. Regards, Eduardo. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080813/7a09e7f5/attachment.html From dave.list at pixelhammer.com Wed Aug 13 20:02:37 2008 From: dave.list at pixelhammer.com (DAve) Date: Wed Aug 13 20:02:59 2008 Subject: Sendmail: Number of queue runners? In-Reply-To: <loom.20080813T165529-885@post.gmane.org> References: <loom.20080813T165529-885@post.gmane.org> Message-ID: <48A32FCD.6050003@pixelhammer.com> John Goggan wrote: > I have been using MailScanner with a sendmail configuration for years now. > Today, I noticed that I had about 30 messages in my /var/spool/mqueue directory > that had not been delivered -- some of which were over a month old. 
After some > research, it appears that almost all of them were to server that do > greylisting -- so all of these were the deferred messages. > > Basically, I don't see anything that would be watching mqueue for these > messages and attempting to redeliver them. Should I have another queue runner > for mqueue? We've always run like this: > > One sendmail for incoming email that goes to mqueue.in: > > sendmail -bd -L sm-mta -OPrivacyOptions=noetrn -ODeliveryMode=queueonly - > OQueueDirectory=/var/spool/mqueue.in > > And one sendmail queue runner for local/clientmqueue: > > sendmail -Ac -q15m -L sm-cm > > We use Mailscanner with the "Delivery Method = batch" setting, so my > understanding is that that means that MailScanner will take care of the > messages after they get to mqueue. > > This works fine -- except where there is a problem. It appears that nothing > ever retries them. Is that correct? > > As a solution, I've added another sendmail queue runner for mqueue: > > sendmail -q15m -L sm-mq > > So, I now have three sendmails: one daemon listening on 25 and putting mail in > mqueue.in, one queue runner for local mail in clientmqueue, and one queue > runner for mail that might hang out in mqueue if it doesn't go the first time > MailScanner tells it to go. > > Is that how it should be? Almost all of the documentation or guides that I > could find for setting up MailScanner with sendmail don't seem to mention that > second queue runner for mqueue. And, as I said, I ran for years without it > (and likely missed sending some delayed emails now and then that were never > retried). I just want to make sure that I'm not missing something. Yes, we use a third queue runner as well. We have several clients we do "scrubbing" for acting as a front end for their in house Exchange servers. Several of those clients have <unamed poorly functioning security devices> which they cannot seem to figure out how to whitelist my MailScanner servers through. 
So our MailScanner servers become greylisted and the messages do not go through. Currently we run a cron task that pulls them out once an hour and drops them into a slow queue we process once every four hours. DAve -- Don't tell me I'm driving the cart! From shuttlebox at gmail.com Wed Aug 13 20:21:17 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Aug 13 20:21:26 2008 Subject: Sendmail: Number of queue runners? In-Reply-To: <loom.20080813T165529-885@post.gmane.org> References: <loom.20080813T165529-885@post.gmane.org> Message-ID: <625385e30808131221m37a06370o44376be48c4d3a89@mail.gmail.com> On Wed, Aug 13, 2008 at 7:02 PM, John Goggan <jgoggan@gmail.com> wrote: > Is that how it should be? Almost all of the documentation or guides that I > could find for setting up MailScanner with sendmail don't seem to mention that > second queue runner for mqueue. And, as I said, I ran for years without it > (and likely missed sending some delayed emails now and then that were never > retried). I just want to make sure that I'm not missing something. It's documented here: http://mailscanner.info/sendmail.html. Most package based installs should take care of it as well. -- /peter From jgoggan at gmail.com Wed Aug 13 21:05:16 2008 From: jgoggan at gmail.com (John Goggan) Date: Wed Aug 13 21:05:42 2008 Subject: Sendmail: Number of queue runners? References: <loom.20080813T165529-885@post.gmane.org> <625385e30808131221m37a06370o44376be48c4d3a89@mail.gmail.com> Message-ID: <loom.20080813T200108-285@post.gmane.org> shuttlebox <shuttlebox <at> gmail.com> writes: > > On Wed, Aug 13, 2008 at 7:02 PM, John Goggan <jgoggan <at> gmail.com> wrote: > > Is that how it should be? Almost all of the documentation or guides that I > > could find for setting up MailScanner with sendmail don't seem to mention that > > second queue runner for mqueue. And, as I said, I ran for years without it > > (and likely missed sending some delayed emails now and then that were never > > retried).
I just want to make sure that I'm not missing something. > > It's documented here: http://mailscanner.info/sendmail.html. Most > package based install should take care of it as well. Interesting. It is indeed documented there. Can you tell me how you get to that page through any of the MailScanner documentation? I see links in the docs for everything except that sendmail page. Using Google's link search, I could find no sites on the web that link to that page actually. On a side note, even that page is a bit odd though -- because it implies that you'd then have 2 sendmail processes when, in fact, most would then have 3. That page doesn't mention recent sendmail -- which would be running a clientmqueue also. But, yes, at least it is documented somewhere. None of the non-MailScanner sites that I could find for installing MailScanner with sendmail under Gentoo, for example (and even some non-Gentoo specific ones) mentioned that extra queue runner at all. They all document the change so that they go to mqueue.in in "queueonly" mode -- and a 2nd sendmail for a queue runner for handling clientmqueue, but nothing about another queue runner for mqueue. In any case, please let me know if that page is linked from anywhere, because I didn't see anything in the MailScanner docs that would have taken someone there that was trying to use MailScanner and sendmail. Thanks! - John... From pedro.hoffmann at gmail.com Wed Aug 13 21:18:31 2008 From: pedro.hoffmann at gmail.com (Pedro Bordin Hoffmann - [M]orpheus) Date: Wed Aug 13 21:18:40 2008 Subject: Filename block Message-ID: <21be6cae0808131318t4162aecfp4b115bccbb9fc012@mail.gmail.com> When receiving an e-mail and I have a filename blocking rule, like to block jpg. Why doesn't it send me the e-mail only removing the attachment? It just blocks the whole e-mail... How may I still receive the message, just with the attachment removed? Thanks!! -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080813/f0acc073/attachment.html From roland at inbox4u.de Wed Aug 13 21:27:24 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Wed Aug 13 21:28:22 2008 Subject: AW: AW: New beta released In-Reply-To: <48A2A411.9060105@ecs.soton.ac.uk> References: <489708BC.2020207@ecs.soton.ac.uk> <EMEW-k7BLwya4c6d24e0d0c843434977b43b0857687-D0C18CC5B0171C419B96B1D3ADFD783108B509D03A@TS-DC2.ts-webarts.local> <48A2A411.9060105@ecs.soton.ac.uk> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108E90F0E9F@TS-DC2.ts-webarts.local> > Ehle, Roland wrote: > > Jules, > > > > no performance impact so far on my machine, dealing with ~ 35k > messages. One thing I realized and did not find the reason so far: Sign > Clean Messages option does not work for HTML-Messages anymore :-( Only > Text-messages are signed. So probably something has happened. > > > Have you noticed there are quite a few new config options to do with > signing HTML messages. You well might be falling foul of one of them. > Please can you double check with the new options for me? [...] I noticed the config options that deal with signing messages. I have the following settings: Inline HTML Signature = /etc/MailScanner/rules/sign-html.rules Inline Text Signature = /etc/MailScanner/rules/sign-text.rules Sign Messages Already Processed = yes Sign Clean Messages = /etc/MailScanner/rules/signature.rules Attach Image To Signature = no Allow Multiple HTML Signatures = yes Dont Sign HTML If Headers Exist = # In-Reply-To: References: I have copied the working sign-text.rules to sign-html.rules to make sure, that it is not a problem with the rules file. I have triple checked all configuration options and found no errors in the configuration. Text E-Mails are signed, as it should be, but neither HTML nor Richtext formatted messages are signed. I use Exchange 2k7 as Mailserver. 
Regards, Roland
From shuttlebox at gmail.com Wed Aug 13 21:44:00 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Aug 13 21:44:09 2008 Subject: Sendmail: Number of queue runners? In-Reply-To: <loom.20080813T200108-285@post.gmane.org> References: <loom.20080813T165529-885@post.gmane.org> <625385e30808131221m37a06370o44376be48c4d3a89@mail.gmail.com> <loom.20080813T200108-285@post.gmane.org> Message-ID: <625385e30808131344o73f80a85qf934b0b960764513@mail.gmail.com> On Wed, Aug 13, 2008 at 10:05 PM, John Goggan <jgoggan@gmail.com> wrote: >> It's documented here: http://mailscanner.info/sendmail.html. Most >> package based install should take care of it as well. > > Interesting. It is indeed documented there. Can you tell me how you get to > that page through any of the MailScanner documentation? I see links in the > docs for everything except that sendmail page. Using Google's link search, I > could find no sites on the web that link to that page actually. Documentation - Installation Guides - Installing using the tar distribution - Configuring Sendmail. > On a side note, even that page is a bit odd though -- because it implies that > you'd then have 2 sendmail processes when, in fact, most would then have 3. > That page doesn't mention recent sendmail -- which would be running a > clientmqueue also. It was written years ago, yes. -- /peter
From jgoggan at gmail.com Wed Aug 13 21:53:35 2008 From: jgoggan at gmail.com (John Goggan) Date: Wed Aug 13 21:53:53 2008 Subject: Sendmail: Number of queue runners? References: <loom.20080813T165529-885@post.gmane.org> <625385e30808131221m37a06370o44376be48c4d3a89@mail.gmail.com> <loom.20080813T200108-285@post.gmane.org> <625385e30808131344o73f80a85qf934b0b960764513@mail.gmail.com> Message-ID: <loom.20080813T205003-349@post.gmane.org> shuttlebox <shuttlebox <at> gmail.com> writes: > Documentation - Installation Guides - Installing using the tar > distribution - Configuring Sendmail. Thanks!
I installed from a Gentoo ebuild, so I hadn't followed the "using the tarball" path all the way. I can't help but wonder why it isn't linked straight from the Installation Guide page -- like it is for Postfix, Exim, and ZMailer. Seems like having sendmail right there would make good sense. :) In any case, it looks like the real problem is that whoever did the Gentoo ebuild/package didn't do the init scripts right. If they had, then it would already start the queue runner for mqueue. I'll go report it as a bug. It's actually fairly easy to miss -- because it otherwise works fine without it. You only miss messages that were delayed/deferred. So, normal emails go out fine. As greylisting gets more popular, it gets more noticeable. :) Thanks again. - John... From jra at baylink.com Wed Aug 13 21:57:48 2008 From: jra at baylink.com (Jay R. Ashworth) Date: Wed Aug 13 21:57:59 2008 Subject: quiet here In-Reply-To: <489B0E2B.5020503@mail.wvnet.edu> References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <EMEW-k75G6699784d5529ea9b0d89e0d76562f9399c-4899BC26.6030702@trayerproducts.com> <4899C0F7.6070603@ecs.soton.ac.uk> <EMEW-k7687X130dfacb87266a45e797dbbf77ec2829-5489f9700808070002jd709094i875ea1e532a209fd@mail.gmail.com> <EMEW-k769KU8aadb5e58046bea3ffc68b1799ffcdfc-489AF542.3090608@ecs.soton.ac.uk> <EMEW-k76FYda86cea5eee60f46c6f585c44b3d99f97-489B055E.2020400@mail.wvnet.edu> <EMEW-k76AfCd970b5fc5360b6ad15e687788908035b-489B07DB.6040207@ecs.soton.ac.uk> <489B0E2B.5020503@mail.wvnet.edu> Message-ID: <20080813205748.GC22364@cgi.jachomes.com> On Thu, Aug 07, 2008 at 11:00:59AM -0400, Richard Lynch wrote: > >>Up until now I had never even heard of 7zip. I just tested F-Prot > >>and ClamAV against an archive with a virus in it. Neither detected > >>the virus inside. So, isn't it just a matter of time before viruses > >>start spreading in this format? If so I think you're going to be > >>compelled to support the scanning of this format. 
> >But if no-one has the software for reading this format already, they > >aren't any harm. > > > Agreed but how long before people start using this format in large > numbers. I don't know. It's not a problem yet so there's no hurray but > sometime down the road... who knows. I certainly wouldn't put a high > priority on it. I think what you'll see is Windoze users installing (or their geeks installing) the Win 7zip because it's free and easier to deal with than fooling with WinZip, which gets more and more limited in its free install as time goes on. So, it will be on the machine, and registered in the registry. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From jra at baylink.com Wed Aug 13 21:58:51 2008 From: jra at baylink.com (Jay R. Ashworth) Date: Wed Aug 13 21:59:01 2008 Subject: quiet here In-Reply-To: <489A1EE1.8050003@gdcon.net> References: <4899AC93.10501@trayerproducts.com> <7d9b3cf20808060714m43e1c5c3p7a01551eed4ce43e@mail.gmail.com> <4899CE7A.6090201@vanderkooij.org> <489A1EE1.8050003@gdcon.net> Message-ID: <20080813205851.GD22364@cgi.jachomes.com> On Wed, Aug 06, 2008 at 11:00:01PM +0100, Andrew MacLachlan wrote: > My logs are full of ssh brute-force attempts... google://samhain+brute+force I like the /etc/hosts.allow version, myself. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. 
-- (Josef Stalin)
From hvdkooij at vanderkooij.org Wed Aug 13 22:07:56 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Aug 13 22:08:05 2008 Subject: Filename block In-Reply-To: <21be6cae0808131318t4162aecfp4b115bccbb9fc012@mail.gmail.com> References: <21be6cae0808131318t4162aecfp4b115bccbb9fc012@mail.gmail.com> Message-ID: <48A34D2C.7080908@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pedro Bordin Hoffmann - [M]orpheus wrote: | When receiving an e-mail and I have a filename blocking rule, like to | block jpg. | | Why doesn't it send me the e-mail, only removing the attachment? | | It just blocks the whole e-mail... | | How may I still receive the message, just with the attachment removed? That would involve rebuilding the message instead of just blocking it. Picking it apart is much easier than rebuilding it again with some of the pieces missing. What did you change in the configuration to activate blocking? What is the output of: MailScanner -c Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIo00qBvzDRVjxmYERAiLvAJ0c99ElhDYGvR+P3KWIOvyyOVhnwQCgpVxg owa8XtnY/7OWZz7hb1Iuucg= =aAoZ -----END PGP SIGNATURE-----
From andrew at gdcon.net Wed Aug 13 23:36:34 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Wed Aug 13 23:36:55 2008 Subject: quiet here In-Reply-To: <20080813205851.GD22364@cgi.jachomes.com> References: <4899AC93.10501@trayerproducts.com> <7d9b3cf20808060714m43e1c5c3p7a01551eed4ce43e@mail.gmail.com> <4899CE7A.6090201@vanderkooij.org> <489A1EE1.8050003@gdcon.net> <20080813205851.GD22364@cgi.jachomes.com> Message-ID: <48A361F2.3080404@gdcon.net> Jay R.
Ashworth wrote: > On Wed, Aug 06, 2008 at 11:00:01PM +0100, Andrew MacLachlan wrote: > >> My logs are full of ssh brute-force attempts... >> > > google://samhain+brute+force > > I like the /etc/hosts.allow version, myself. > I'm RSA key based & don't allow password auth, but it's worth noting... -- This message was scanned by ESVA and is believed to be clean.
From Richard.Frovarp at sendit.nodak.edu Wed Aug 13 23:45:39 2008 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Wed Aug 13 23:45:50 2008 Subject: Ruleset questions Message-ID: <48A36413.5080101@sendit.nodak.edu> How would one go about blacklisting a From email address that did not come from a subnet. Email for this one address would only come legitimately from one of my subnets. Everything else should be thrown away. What would be the best way to accomplish this? Thanks, Richard
From andrew at gdcon.net Thu Aug 14 00:45:07 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Thu Aug 14 00:45:26 2008 Subject: Ruleset questions In-Reply-To: <48A36413.5080101@sendit.nodak.edu> References: <48A36413.5080101@sendit.nodak.edu> Message-ID: <48A37203.2050805@gdcon.net> Richard Frovarp wrote: > How would one go about blacklisting a From email address that did > not come from a subnet. Email for this one address would only > come legitimately from one of my subnets. Everything else should be > thrown away. What would be the best way to accomplish this? > > Thanks, > Richard Use SPF??? -- This message was scanned by ESVA and is believed to be clean.
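Added example, not part of any post in this thread: one way to express the check asked about in "Ruleset questions", where a protected address in the header From: is accepted only when the connecting relay is inside an allowed subnet. The protected address, the subnets, the function names and the sample messages are assumptions constructed for illustration; the client IP and envelope sender are taken as inputs supplied by the MTA.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Assumed values for illustration only; neither appears in the thread.
PROTECTED = {"alerts@example.edu"}
ALLOWED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

# Constructed sample messages (not real mail).
SPOOFED = (
    "Received: from mail.elsewhere.example ([203.0.113.9])\n"
    "From: Campus Alerts <Alerts@Example.EDU>\n"
    "To: staff@example.edu\n"
    "Subject: password reset\n"
    "\n"
    "constructed sample body\n"
)
DOUBLE_FROM = (
    "From: someone@elsewhere.example\n"
    "From: alerts@example.edu\n"
    "Subject: two From headers\n"
    "\n"
    "constructed sample body\n"
)
ORDINARY = (
    "From: Someone <someone@elsewhere.example>\n"
    "Subject: hello\n"
    "\n"
    "constructed sample body\n"
)


def header_from_addresses(raw_message):
    """Return every address found in any From: header, lower-cased."""
    msg = message_from_string(raw_message)
    # get_all() returns all From: headers, so a second, hidden one is seen too.
    values = [str(v) for v in msg.get_all("From", [])]
    return [addr.lower() for _name, addr in getaddresses(values) if addr]


def client_is_internal(client_ip):
    """True when the connecting relay is inside one of the allowed subnets."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable address: treat as external
    return any(ip in net for net in ALLOWED_NETS)


def verdict(raw_message, client_ip, envelope_from):
    """Return (action, reason) for one message.

    client_ip and envelope_from are what the MTA saw at SMTP time; the
    header From: is read from the message itself.
    """
    if client_is_internal(client_ip):
        return ("accept", "relay inside allowed subnet")
    if envelope_from.lower() in PROTECTED:
        return ("reject", "protected address in envelope sender")
    # SPF evaluates the envelope sender, so an envelope-only check passes
    # a message whose displayed From: is forged; check the header as well.
    hits = [a for a in header_from_addresses(raw_message) if a in PROTECTED]
    if hits:
        return ("reject", "protected address in header From: " + hits[0])
    return ("accept", "protected address not used")


if __name__ == "__main__":
    cases = [
        ("internal relay", SPOOFED, "192.0.2.15", "alerts@example.edu"),
        ("forged header", SPOOFED, "203.0.113.9", "bounce@elsewhere.example"),
        ("second From:", DOUBLE_FROM, "203.0.113.9", "x@elsewhere.example"),
        ("unrelated mail", ORDINARY, "203.0.113.9", "someone@elsewhere.example"),
    ]
    for label, raw, ip, env in cases:
        print(label, "->", verdict(raw, ip, env))
```
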
From glenn.steen at gmail.com Thu Aug 14 01:13:44 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 14 01:13:54 2008 Subject: Ruleset questions In-Reply-To: <48A36413.5080101@sendit.nodak.edu> References: <48A36413.5080101@sendit.nodak.edu> Message-ID: <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> 2008/8/14 Richard Frovarp <Richard.Frovarp@sendit.nodak.edu>: > How would one go about blacklisting a From email address that did not > come from a subnet. Email for this one address would only come > legitimately from one of my subnets. Everything else should be thrown away. > What would be the best way to accomplish this? > > Thanks, > Richard Apart from SPF, which I'm sure one could use to reject fakers, one could do as I do in postfix... I simply reject all faked senders (we only allow internal senders for our domain, exactly as you would like to do it)... A simple access map restriction on the sender... something like "smtpd_sender_restrictions permit_mynetworks,check_access regexp:/path/to/accessfile ... How one would do it with other MTAs... I do not know... Should be possible though:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com Thu Aug 14 01:17:46 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 14 01:18:01 2008 Subject: Ruleset questions In-Reply-To: <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> References: <48A36413.5080101@sendit.nodak.edu> <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> Message-ID: <223f97700808131717l1f02c0eeub9513f3f83223ccc@mail.gmail.com> 2008/8/14 Glenn Steen <glenn.steen@gmail.com>: > 2008/8/14 Richard Frovarp <Richard.Frovarp@sendit.nodak.edu>: >> How would one go about blacklisting a From email address that did not >> come from a subnet. Email for this one address would only come >> legitimately from one of my subnets.
Everything else should be thrown away. >> What would be the best way to accomplish this? >> >> Thanks, >> Richard > Apart from SPF, which I'm sure one could use to reject fakers, one > could do as I do in postfix... I simply reject all faked senders (we > only allow internal senders for our domain, exactly as you would > likedo it)... A simple access map restriction on the sender... > something like "smtpd_sender_restrictions > permit_mynetworks,check_access regexp:/path/to/accessfile ... How one > would do it with other MTAs... I do not know... Should be possible > though:-). > > Cheers Ah, the drawbacks of being a PF user.... Always replying to oneself... It should be check_sender_access regexp:/path/to/access_file ... nothing else (unless there are more ... intricate... typos in there:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Richard.Frovarp at sendit.nodak.edu Thu Aug 14 02:00:55 2008 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Thu Aug 14 02:01:08 2008 Subject: Ruleset questions In-Reply-To: <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> References: <48A36413.5080101@sendit.nodak.edu> <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> Message-ID: <48A383C7.40901@sendit.nodak.edu> Glenn Steen wrote: > 2008/8/14 Richard Frovarp <Richard.Frovarp@sendit.nodak.edu>: > >> How would one go about blacklisting a From email address that is did not >> come from a subnet. Email would for this one address would only come >> legitimately from one of my subnets. Everything else should be thrown away. >> What would be the best way to accomplish this? >> >> Thanks, >> Richard >> > Apart from SPF, which I'm sure one could use to reject fakers, one > could do as I do in postfix... I simply reject all faked senders (we > only allow internal senders for our domain, exactly as you would > likedo it)... A simple access map restriction on the sender... 
> something like "smtpd_sender_restrictions > permit_mynetworks,check_access regexp:/path/to/accessfile ... How one > would do it with other MTAs... I do not know... Should be possible > though:-). > > Cheers > SPF wouldn't do it. SPF would only check the envelope from. We are concerned about the displayed from. And in particular of only one of our accounts. We run sendmail. However, how does your system handle mail from other systems claiming to be from your users? Like say this mailing list? Richard From gdoris at rogers.com Thu Aug 14 02:35:20 2008 From: gdoris at rogers.com (Gerry Doris) Date: Thu Aug 14 02:35:51 2008 Subject: Feature Request - Virus Scanner Updates Message-ID: <48A38BD8.1010900@rogers.com> I used to run several virus scanners but have recently cut back to clamd and f-prot. However, I've noticed that the update_virus_scanner utility is still updating the full set of installed scanners instead of just the active ones. Can this be changed to check only the scanners listed in MailScanner.conf? From hvdkooij at vanderkooij.org Thu Aug 14 05:41:35 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Aug 14 05:41:47 2008 Subject: Ruleset questions In-Reply-To: <48A383C7.40901@sendit.nodak.edu> References: <48A36413.5080101@sendit.nodak.edu> <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> <48A383C7.40901@sendit.nodak.edu> Message-ID: <48A3B77F.7070303@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Richard Frovarp wrote: | Glenn Steen wrote: |> 2008/8/14 Richard Frovarp <Richard.Frovarp@sendit.nodak.edu>: |> |>> How would one go about blacklisting a From email address that is did not |>> come from a subnet. Email would for this one address would only come |>> legitimately from one of my subnets. Everything else should be thrown |>> away. |>> What would be the best way to accomplish this? 
|>> |>> Thanks, |>> Richard |>> |> Apart from SPF, which I'm sure one could use to reject fakers, one |> could do as I do in postfix... I simply reject all faked senders (we |> only allow internal senders for our domain, exactly as you would |> likedo it)... A simple access map restriction on the sender... |> something like "smtpd_sender_restrictions |> permit_mynetworks,check_access regexp:/path/to/accessfile ... How one |> would do it with other MTAs... I do not know... Should be possible |> though:-). |> |> Cheers |> | | SPF wouldn't do it. SPF would only check the envelope from. We are | concerned about the displayed from. And in particular of only one of our | accounts. | | We run sendmail. However, how does your system handle mail from other | systems claiming to be from your users? Like say this mailing list? First off. Only Microsoft made the error to rely on the From: line above ~ the SMTP sender in their interpretation of SPF. Check the SA rules as there are some rules there that check if Yahoo users originate from Yahoo and do not falsify the From: line. You could use those to learn how to do it yourself. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIo7d9BvzDRVjxmYERAqnRAJ0eDyqSfi4fOKkHJXr6vw1BCBTh0gCeOP0W A+P85afHHFmnTAMkAtsDGTM= =/EXi -----END PGP SIGNATURE----- From shuttlebox at gmail.com Thu Aug 14 08:17:49 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Thu Aug 14 08:17:59 2008 Subject: Feature Request - Virus Scanner Updates In-Reply-To: <48A38BD8.1010900@rogers.com> References: <48A38BD8.1010900@rogers.com> Message-ID: <625385e30808140017r68cfbc52ta092a65ac0c46320@mail.gmail.com> On Thu, Aug 14, 2008 at 3:35 AM, Gerry Doris <gdoris@rogers.com> wrote: > I used to run several virus scanners but have recently cut back to clamd and > f-prot. However, I've noticed that the update_virus_scanner utility is > still updating the full set of installed scanners instead of just the active > ones. Can this be changed to check only the scanners listed in > MailScanner.conf? That's a design decision by Julian so the scanners are ready when you need them. Uninstall them if you have no intention of using them. -- /peter From shuttlebox at gmail.com Thu Aug 14 08:53:52 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Thu Aug 14 08:54:02 2008 Subject: Sendmail: Number of queue runners? In-Reply-To: <loom.20080813T205003-349@post.gmane.org> References: <loom.20080813T165529-885@post.gmane.org> <625385e30808131221m37a06370o44376be48c4d3a89@mail.gmail.com> <loom.20080813T200108-285@post.gmane.org> <625385e30808131344o73f80a85qf934b0b960764513@mail.gmail.com> <loom.20080813T205003-349@post.gmane.org> Message-ID: <625385e30808140053w855cdf1lc187d060d5bed01c@mail.gmail.com> On Wed, Aug 13, 2008 at 10:53 PM, John Goggan <jgoggan@gmail.com> wrote: > shuttlebox <shuttlebox <at> gmail.com> writes: > >> Documentation - Installaton Guides - Installing using the tar >> distribution - Configuring Sendmail. > > Thanks! I installed from a Gentoo ebuild, so I hadn't followed the "using the > tarball" path all the way. 
> > I can't help but wonder why it isn't linked straight from the Installation > Guide page -- like it is for Postfix, Exim, and ZMailer. Seems like having > sendmail right there would make good sense. :) > > In any case, it looks like the real problem is that whoever did the Gentoo > ebuild/package didn't do the init scripts right. If they had, then it would > already start the queue runner for mqueue. I'll go report it as a bug. > > It's actually fairly easy to miss -- because it otherwise works fine without > it. You only miss messages that were delayed/deferred. So, normal emails go > out fine. As greylisting gets more popular, it gets more noticeable. :) Everything MailScanner is based on the tar distribution, all the packages are just a service to the community. As a *user* of a package you shouldn't have to have deep knowledge of how to configure everything, the package should do that automatically or at least provide its own specific documentation. If you want to make a package you read the tar dist documentation and the maintainer of MailScanner for Gentoo apparently didn't do a good job of that so go ahead and file a bug. -- /peter
From martinh at solidstatelogic.com Thu Aug 14 08:59:02 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Aug 14 08:59:17 2008 Subject: MailScanner running very slow In-Reply-To: <007f01c8fd74$1106a160$e8c8a8c0@ALZGW2kXPMC> Message-ID: <f7107bf6be5efc4b8a569969f7ed620a@solidstatelogic.com> Hi Well mailscanner is doing its job nice and quickly...but the outgoing MTA isn't. Would be nice to know versions of the MTA, MailScanner and the O/S. Given you're only processing 2,000 messages (you don't mention size, but the logs are clearing the email quickly) the system does seem unusually busy for this small number of messages. Have you got anything else running on the host? This looks like a sendmail issue. There's a setting in sendmail that stops it working if the system is too busy.
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Nasser Al-Zawawi > Sent: 13 August 2008 19:41 > To: mailscanner@lists.mailscanner.info > Subject: MailScanner running very slow > > Hi, > I have a Dell PowerEdge server 2950 with 2 Dual Core Xeon > processors 3.0GHz with 2GB RAM running RedHat ES 4. The MTA > is sendmail and I am using the latest MailScanner version > (4.70.7-1). The system processes about 2,000 emails per day > and about half of it are spam. See the following: > #--------------- > MailScanner Status: > 1920 messages Scanned by MailScanner > 73657132 Total Bytes > 1122 Spam messages detected by MailScanner > 6 Viruses found by MailScanner > 935 Messages delivered by MailScanner > #--------------- > > The mail delivery is very slow. Some time it takes 2 hrs > before it gets delivered. I tried the tips under > http://wiki.mailscanner.info/doku.php?id=documentation:tweakin g:some_things_to_try_if_your_incoming_queue_is_running_slow but > they did not help. The mail keeps accumulating under > /var/spool/mqueue.in while all the MailScanner processors are > running at 100% CPU. Then all the sudden (after 1-2 hours) > it starts delivering the emails and the /var/spool/mqueue.in > files go down to 0. > I monitored the system today; the system stopped delivering > emails between 9:12AM till 11:35AM. 
During that time, top > showed something like this: > #---------------- > top - 10:46:26 up 3 days, 7:42, 1 user, load average: > 5.81, 6.09, 5.48 > Tasks: 233 total, 5 running, 226 sleeping, 0 stopped, 2 zombie > Cpu(s): 59.0% us, 1.2% sy, 0.0% ni, 39.5% id, 0.2% wa, > 0.0% hi, 0.0% si > Mem: 2074600k total, 1735692k used, 338908k free, > 22524k buffers > Swap: 2097144k total, 356516k used, 1740628k free, > 532576k cached > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > 2752 root 25 0 85572 75m 2964 R 100 3.7 35:54.85 > MailScanner > 2880 root 25 0 85572 75m 2956 R 100 3.7 35:50.35 > MailScanner > 3024 root 25 0 85572 75m 2956 R 100 3.7 35:41.62 > MailScanner > 2949 root 25 0 85572 75m 2956 R 100 3.7 35:47.07 > MailScanner > 11393 apache 15 0 26360 9736 3648 S 5 0.5 0:57.14 httpd > 11394 apache 15 0 26576 9936 3616 S 5 0.5 0:58.83 httpd > 26598 root 16 0 4760 2568 1648 S 1 0.1 0:00.20 ssh > #---------------- > > and the /var/spool/mqueue.in continued to accumulate files > till it reached 489 messages, then within 5 minutes it > delivered all the messages! > > This cycles continues all day long, where the emails are > withheld for 1 to 2 hours and then the get delivered in one big burst. > > Here are snippets of the log for that period with "Log Speed = yes": > > grep ": Batch" /var/log/maillog > #----------- > Aug 13 09:12:16 samba MailScanner[5852]: Batch completed at > 1844 bytes per second (39583 / 21) Aug 13 09:12:16 samba > MailScanner[5852]: Batch (2 messages) processed in 21.46 > seconds Aug 13 09:12:42 samba MailScanner[6013]: Batch > completed at 3752 bytes per second (9167 / 2) ... Aug 13 > 11:28:55 samba MailScanner[2949]: Batch (10 messages) > processed in 24.54 seconds Aug 13 11:28:55 samba > MailScanner[3024]: Batch completed at 657 bytes per second > (3825 / 5) Aug 13 11:28:55 samba MailScanner[3024]: Batch (1 > message) processed in 5.82 seconds > #----------- > I would appreciate any clues on resolving this issue. 
> > Best regards, > > Nasser > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From garyalex at gmail.com Thu Aug 14 09:02:13 2008 From: garyalex at gmail.com (Gary Alexander) Date: Thu Aug 14 09:02:23 2008 Subject: Sendmail: Number of queue runners? In-Reply-To: <loom.20080813T205003-349@post.gmane.org> References: <loom.20080813T165529-885@post.gmane.org> <625385e30808131221m37a06370o44376be48c4d3a89@mail.gmail.com> <loom.20080813T200108-285@post.gmane.org> <625385e30808131344o73f80a85qf934b0b960764513@mail.gmail.com> <loom.20080813T205003-349@post.gmane.org> Message-ID: <5489f9700808140102l1d7f8105x271533c4973dc0e4@mail.gmail.com> > Thanks! I installed from a Gentoo ebuild, so I hadn't followed the "using the > tarball" path all the way. 
> > I can't help but wonder why it isn't linked straight from the Installation > Guide page -- like it is for Postfix, Exim, and ZMailer. Seems like having > sendmail right there would make good sense. :) > > In any case, it looks like the real problem is that whoever did the Gentoo > ebuild/package didn't do the init scripts right. If they had, then it would > already start the queue runner for mqueue. I'll go report it as a bug. > > It's actually fairly easy to miss -- because it otherwise works fine without > it. You only miss messages that were delayed/deferred. So, normal emails go > out fine. As greylisting gets more popular, it gets more noticeable. :) > > Thanks again. > > - John... FYI For gentoo you would need to modify 2 files to get this running:

/etc/conf.d/sendmail:

# listening daemon: queue only, into the MailScanner incoming queue
SENDMAIL_OPTS="-L sm-mta -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"
# queue runner for the outgoing mqueue (retries deferred mail every 15 minutes)
MQUEUE_OPTS="-q15m -L sm-qm"
# clientmqueue
CLIENTMQUEUE_OPTS="-Ac -q30m -L sm-cm"

/etc/init.d/sendmail:

start() {
    ebegin "Starting sendmail"
    /usr/bin/newaliases > /dev/null 2>&1
    (cd /var/spool/mqueue; rm -f xf*)
    /usr/sbin/sendmail ${SENDMAIL_OPTS} > /dev/null 2>&1
    /usr/sbin/sendmail ${CLIENTMQUEUE_OPTS} > /dev/null 2>&1
    # the extra queue runner that was missing
    /usr/sbin/sendmail ${MQUEUE_OPTS} > /dev/null 2>&1
    eend $?
}

-- Fax2mail: 086 607 9109 Website: http://blahlinux.blogspot.com Courage is resistance to fear, mastery of fear - not absence of fear. - Mark Twain
From MailScanner at ecs.soton.ac.uk Thu Aug 14 09:48:42 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 14 09:49:03 2008 Subject: New beta released In-Reply-To: <EMEW-k7CB7v4e193766f372c2aa4a008fc9cea717be-555570cfa4de6b4a888f280bceae39a1@solidstatelogic.com> References: <EMEW-k7CB7v4e193766f372c2aa4a008fc9cea717be-555570cfa4de6b4a888f280bceae39a1@solidstatelogic.com> Message-ID: <48A3F16A.9000006@ecs.soton.ac.uk> I've just tried it and it seems to be working fine for me too.
It now notices the </body> tag as well as the </html> tag, make sure you haven't got any stray ones of those in the message somewhere. Martin.Hepworth wrote: > Roland > > if you get a <silly disclaimer.h> at the bottom here then it's working > using latest beta (4.71.6) > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Ehle, Roland > > Sent: 12 August 2008 21:49 > > To: MailScanner discussion > > Subject: AW: New beta released > > > > Jules, > > > > no performance impact so far on my machine, dealing with ~ > > 35k messages. One thing I realized and did not find the > > reason so far: Sign Clean Messages option does not work for > > HTML-Messages anymore :-( Only Text-messages are signed. So > > probably something has happened. > > > > Regards, > > Roland > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner- > > > bounces@lists.mailscanner.info] On Behalf Of Julian Field > > > Sent: Monday, 4 August 2008 15:49 > > > To: MailScanner discussion; MailScanner-Beta mailing list > > > Subject: New beta released > > > > > > The new beta including complete protection against bugs and > > crashes in > > > HTML::Parser is just uploading now... You're looking for > > 4.71.5-1 or > > > greater. > > > > > > Note there is a new languages.conf setting, so you will need to run > > > upgrade_languages_conf > > > after upgrading to this new release. If you don't then the > > report will > > > always come out in English, which you may not want. :-( > > > > > > Please let me know how you get on with this. It appears to > > work for me > > > with the message with all the nested <FONT> tags that kills > > > HTML::Parser.
> > > > > > I would be particularly interested in your views on the performance > > > impact this fix has, and therefore whether I need to add a > > feature to > > > enable/disable it or anything else like that. > > > > > > Cheers, > > > Jules. > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Aug 14 09:52:32 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 14 09:53:01 2008
Subject: AW: AW: New beta released
In-Reply-To: <EMEW-k7CLWIb4545858d88383ec9d696be8c873481b-D0C18CC5B0171C419B96B1D3ADFD783108E90F0E9F@TS-DC2.ts-webarts.local>
References: <489708BC.2020207@ecs.soton.ac.uk> <EMEW-k7BLwya4c6d24e0d0c843434977b43b0857687-D0C18CC5B0171C419B96B1D3ADFD783108B509D03A@TS-DC2.ts-webarts.local> <48A2A411.9060105@ecs.soton.ac.uk> <EMEW-k7CLWIb4545858d88383ec9d696be8c873481b-D0C18CC5B0171C419B96B1D3ADFD783108E90F0E9F@TS-DC2.ts-webarts.local>
Message-ID: <48A3F250.8050303@ecs.soton.ac.uk>

Ehle, Roland wrote:
>> Ehle, Roland wrote:
>>
>>> Jules,
>>>
>>> no performance impact so far on my machine, dealing with ~ 35k
>>> messages. One thing I realized and did not find the reason so far: Sign
>>> Clean Messages option does not work for HTML-Messages anymore :-( Only
>>> Text-messages are signed. So probably something has happened.
>>
>> Have you noticed there are quite a few new config options to do with
>> signing HTML messages. You well might be falling foul of one of them.
>> Please can you double check with the new options for me?
>>
> [...]
>
> I noticed the config options that deal with signing messages. I have the following settings:
>
> Inline HTML Signature = /etc/MailScanner/rules/sign-html.rules
> Inline Text Signature = /etc/MailScanner/rules/sign-text.rules
> Sign Messages Already Processed = yes
> Sign Clean Messages = /etc/MailScanner/rules/signature.rules
> Attach Image To Signature = no
> Allow Multiple HTML Signatures = yes
> Dont Sign HTML If Headers Exist = # In-Reply-To: References:
>
> I have copied the working sign-text.rules to sign-html.rules to make sure, that it is not a problem with the rules file. I have triple checked all configuration options and found no errors in the configuration. Text E-Mails are signed, as it should be, but neither HTML nor Richtext formatted messages are signed.
>
> I use Exchange 2k7 as Mailserver.
>

Just tried that bunch of settings for you, and it works fine for me.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From glenn.steen at gmail.com Thu Aug 14 10:02:15 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 14 10:02:24 2008
Subject: Ruleset questions
In-Reply-To: <48A383C7.40901@sendit.nodak.edu>
References: <48A36413.5080101@sendit.nodak.edu> <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> <48A383C7.40901@sendit.nodak.edu>
Message-ID: <223f97700808140202x7c39cbdesbf363b60d3d7dc9e@mail.gmail.com>

2008/8/14 Richard Frovarp <Richard.Frovarp@sendit.nodak.edu>:
> Glenn Steen wrote:
>>
>> 2008/8/14 Richard Frovarp <Richard.Frovarp@sendit.nodak.edu>:
>>
>>>
>>> How would one go about blacklisting a From email address that is did not
>>> come from a subnet. Email would for this one address would only come
>>> legitimately from one of my subnets. Everything else should be thrown
>>> away.
>>> What would be the best way to accomplish this?
>>>
>>> Thanks,
>>> Richard
>>>
>>
>> Apart from SPF, which I'm sure one could use to reject fakers, one
>> could do as I do in postfix... I simply reject all faked senders (we
>> only allow internal senders for our domain, exactly as you would
>> like to do it)... A simple access map restriction on the sender...
>> something like "smtpd_sender_restrictions
>> permit_mynetworks,check_access regexp:/path/to/accessfile ... How one
>> would do it with other MTAs... I do not know... Should be possible
>> though:-).
>>
>> Cheers
>>
>
> SPF wouldn't do it. SPF would only check the envelope from. We are concerned
> about the displayed from. And in particular of only one of our accounts.

Ah. Well, the same goes for my little thing. I think you'll have to look at some SA rule creation, it is the best tool for the job. MailScanner rulesets are out of the question too, since they only operate on the envelope info too. Same for BLs and such. So SA it is.

> We run sendmail. However, how does your system handle mail from other
> systems claiming to be from your users? Like say this mailing list?

Pure and simple... REJECT;-). This works since the mailing list doesn't try to forge the envelope info, of course. The few "greeting card" type things that actually (very naively) do such things are rejected... and if they care, will soon notice the relative idiocy of doing something like that.

When I set this up, SPF wasn't that well spread (meaning I didn't know about it... Was "some" years ago...:-), and ... well... "if it works, don't fix it"... So I'm sticking with it. It's very cheap, resource-wise, so I've never seen any reason to change it.

> Richard

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Thu Aug 14 10:05:59 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Aug 14 10:06:25 2008
Subject: MailScanner running very slow
In-Reply-To: <f7107bf6be5efc4b8a569969f7ed620a@solidstatelogic.com>
References: <007f01c8fd74$1106a160$e8c8a8c0@ALZGW2kXPMC> <f7107bf6be5efc4b8a569969f7ed620a@solidstatelogic.com>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0475B0BA@HC-MBX02.herefordshire.gov.uk>

The hardware is certainly fast enough.
We've got two quad-core 2950s with 4GB RAM running CentOS 5.2 64-bit and they fly.

> Swap: 2097144k total, 356516k used, 1740628k free, 532576k cached

eek, MailScanner causes swapping!!!! (evil grin)

What are your Batch size and number of children settings?

What's Max SpamAssassin Size set to?

Which version of SpamAssassin?

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
Sent: 14 August 2008 08:59
To: MailScanner discussion
Subject: RE: MailScanner running very slow

Hi

Well mailscanner is doing its job nice and quickly...but the outgoing MTA isn't.

Would be nice to know versions of the MTA, MailScanner and the O/S.

Given you're only processing 2,000 messages (you don't mention size, but the logs are clearing the email quickly) the system does seem unusually busy for this small number of messages. Have you got anything else running on the host?

This looks like a sendmail issue. There's a setting in sendmail that stops it working if the system is too busy.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Nasser Al-Zawawi
> Sent: 13 August 2008 19:41
> To: mailscanner@lists.mailscanner.info
> Subject: MailScanner running very slow
>
> Hi,
> I have a Dell PowerEdge server 2950 with 2 Dual Core Xeon processors
> 3.0GHz with 2GB RAM running RedHat ES 4. The MTA is sendmail and I am
> using the latest MailScanner version (4.70.7-1). The system processes
> about 2,000 emails per day and about half of it are spam. See the
> following:
> #---------------
> MailScanner Status:
> 1920 messages Scanned by MailScanner
> 73657132 Total Bytes
> 1122 Spam messages detected by MailScanner
> 6 Viruses found by MailScanner
> 935 Messages delivered by MailScanner
> #---------------
>
> The mail delivery is very slow. Sometimes it takes 2 hrs before it
> gets delivered. I tried the tips under
> http://wiki.mailscanner.info/doku.php?id=documentation:tweaking:some_things_to_try_if_your_incoming_queue_is_running_slow but
> they did not help. The mail keeps accumulating under
> /var/spool/mqueue.in while all the MailScanner processors are running
> at 100% CPU. Then all of a sudden (after 1-2 hours) it starts
> delivering the emails and the /var/spool/mqueue.in files go down to 0.
> I monitored the system today; the system stopped delivering emails
> between 9:12AM till 11:35AM. During that time, top showed something
> like this:
> #----------------
> top - 10:46:26 up 3 days, 7:42, 1 user, load average: 5.81, 6.09, 5.48
> Tasks: 233 total, 5 running, 226 sleeping, 0 stopped, 2 zombie
> Cpu(s): 59.0% us, 1.2% sy, 0.0% ni, 39.5% id, 0.2% wa, 0.0% hi, 0.0% si
> Mem: 2074600k total, 1735692k used, 338908k free, 22524k buffers
> Swap: 2097144k total, 356516k used, 1740628k free, 532576k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 2752 root 25 0 85572 75m 2964 R 100 3.7 35:54.85 MailScanner
> 2880 root 25 0 85572 75m 2956 R 100 3.7 35:50.35 MailScanner
> 3024 root 25 0 85572 75m 2956 R 100 3.7 35:41.62 MailScanner
> 2949 root 25 0 85572 75m 2956 R 100 3.7 35:47.07 MailScanner
> 11393 apache 15 0 26360 9736 3648 S 5 0.5 0:57.14 httpd
> 11394 apache 15 0 26576 9936 3616 S 5 0.5 0:58.83 httpd
> 26598 root 16 0 4760 2568 1648 S 1 0.1 0:00.20 ssh
> #----------------
>
> and the /var/spool/mqueue.in continued to accumulate files till it
> reached 489 messages, then within 5 minutes it delivered all the
> messages!
>
> This cycle continues all day long, where the emails are withheld for
> 1 to 2 hours and then they get delivered in one big burst.
>
> Here are snippets of the log for that period with "Log Speed = yes":
>
> grep ": Batch" /var/log/maillog
> #-----------
> Aug 13 09:12:16 samba MailScanner[5852]: Batch completed at 1844 bytes per second (39583 / 21)
> Aug 13 09:12:16 samba MailScanner[5852]: Batch (2 messages) processed in 21.46 seconds
> Aug 13 09:12:42 samba MailScanner[6013]: Batch completed at 3752 bytes per second (9167 / 2)
> ...
> Aug 13 11:28:55 samba MailScanner[2949]: Batch (10 messages) processed in 24.54 seconds
> Aug 13 11:28:55 samba MailScanner[3024]: Batch completed at 657 bytes per second (3825 / 5)
> Aug 13 11:28:55 samba MailScanner[3024]: Batch (1 message) processed in 5.82 seconds
> #-----------
> I would appreciate any clues on resolving this issue.
>
> Best regards,
>
> Nasser
>

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From martinh at solidstatelogic.com Thu Aug 14 10:08:24 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Aug 14 10:08:36 2008
Subject: AW: AW: New beta released
In-Reply-To: <48A3F250.8050303@ecs.soton.ac.uk>
Message-ID: <cf9493eb382db04382c70008a25eb7ff@solidstatelogic.com>

Roland

Can the mailscanner user read the signature file?

Can you put the html sig somewhere ([pastebin?) so we can have a look to make sure it's reasonable html?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From prandal at herefordshire.gov.uk Thu Aug 14 10:22:34 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Aug 14 10:22:54 2008
Subject: MailScanner running very slow
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0475B0BA@HC-MBX02.herefordshire.gov.uk>
References: <007f01c8fd74$1106a160$e8c8a8c0@ALZGW2kXPMC><f7107bf6be5efc4b8a569969f7ed620a@solidstatelogic.com> <7EF0EE5CB3B263488C8C18823239BEBA0475B0BA@HC-MBX02.herefordshire.gov.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0475B0C1@HC-MBX02.herefordshire.gov.uk>

And I forgot to ask if you run a local DNS cache.

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

From pedro.hoffmann at gmail.com Thu Aug 14 12:39:17 2008
From: pedro.hoffmann at gmail.com (Pedro Bordin Hoffmann - [M]orpheus)
Date: Thu Aug 14 12:39:28 2008
Subject: Filename block
In-Reply-To: <48A34D2C.7080908@vanderkooij.org>
References: <21be6cae0808131318t4162aecfp4b115bccbb9fc012@mail.gmail.com> <48A34D2C.7080908@vanderkooij.org>
Message-ID: <21be6cae0808140439s269ea4eck2ecca5d211208c23@mail.gmail.com>

Follows my confg of mailscanner:
I appreciate your help!

observi_2008:~# MailScanner -c
Table of Changed Values:

Option Name Default Current Value
===============================================================================
addenvelopefromheader yes no
allowformtags disarm yes
allowiframetags disarm yes
allowobjectcodebasetags disarm yes
allowpartialmessages no yes
allowpasswordprotectedarchives no yes
allowscripttags disarm yes
allowwebbugs disarm yes
alwayslookeduplast no FUNCTION:MailWatchLogging
attachmentextensionsnottozip .zip .rar .gz .tgz .mpg .mpe .mpeg .mp3 .rpm .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
attachmentwarningfilename VirusWarning.txt Domain-Attachment-Warning.txt
clamavfullmessagescan no yes
clamdlockfile /var/run/clamav/clamd.pid
clamdsocket 127.0.0.1 /var/run/clamav/clamd.ctl
contentmodifysubject start yes
contentsubjecttext {Dangerous Content?} {Conteudo Perigoso}
customfunctionsdir /usr/lib/MailScanner/MailScanner/CustomFunctions /etc/MailScanner/CustomFunctions
definitespamishighscoring no yes
deletedbadcontentmessagereport /etc/MailScanner/reports/en/deleted.content.message.txt /etc/MailScanner/reports/pt_br/deleted.content.message.txt
deletedbadfilenamemessagereport /etc/MailScanner/reports/en/deleted.filename.message.txt /etc/MailScanner/reports/pt_br/deleted.filename.message.txt
deletedsizemessagereport /etc/MailScanner/reports/en/deleted.size.message.txt /etc/MailScanner/reports/pt_br/deleted.size.message.txt
deletedvirusmessagereport /etc/MailScanner/reports/en/deleted.virus.message.txt /etc/MailScanner/reports/pt_br/deleted.virus.message.txt
deliverdisinfectedfiles no yes
disarmedmodifysubject start no
disinfectedreport /etc/MailScanner/reports/en/disinfected.report.txt /etc/MailScanner/reports/pt_br/disinfected.report.txt
enablespambounce no RULESET:Default=no
envelopefromheader X-MailScanner-Envelope-From:
envelopetoheader X-MailScanner-Envelope-To:
filenamemodifysubject start yes
filenamerules RULESET:Default=/etc/MailScanner/filename.rules.conf
filenamesubjecttext {Filename?} {Anexo}
highscoringmcpmodifysubject start yes
highscoringspamactions deliver header "X-Spam-Status: Yes" bounce
highscoringspammodifysubject start yes
highscoringspamsubjecttext {Spam?} {Spam}
highspamassassinscore 10 FUNCTION:SQLHighSpamScores
hostname the MailScanner the Domain ()
ignoredwebbugfilenames spacer pixel.gif pixel.png gap
ignorespamwhitelistifrecipientsexceed 20 100
incomingqueuedir /var/spool/mqueue.in/var/spool/postfix/hold
incomingworkgroup postfix
incomingworkuser postfix
inlinehtmlsignature /etc/MailScanner/reports/en/inline.sig.html /etc/MailScanner/reports/pt_br/inline.sig.html
inlinehtmlwarning /etc/MailScanner/reports/en/inline.warning.html /etc/MailScanner/reports/pt_br/inline.warning.html
inlinespamwarning /etc/MailScanner/reports/en/inline.spam.warning.txt /etc/MailScanner/reports/pt_br/inline.spam.warning.txt
inlinetextsignature /etc/MailScanner/reports/en/inline.sig.txt /etc/MailScanner/reports/pt_br/inline.sig.txt
inlinetextwarning /etc/MailScanner/reports/en/inline.warning.txt /etc/MailScanner/reports/pt_br/inline.warning.txt
isdefinitelynotspam no FUNCTION:ByDomainSpamWhitelist
isdefinitelyspam no FUNCTION:ByDomainSpamBlacklist
knownwebbugservers msgtag.com
languagestrings /etc/MailScanner/reports/pt_br/languages.conf
localpostmaster postmaster spam@domain.com
lockfiledir /var/lock/subsys/MailScanner/ /var/lock/subsys/MailScanner
lognonspam no yes
logpermittedfilenames no yes
logsilentviruses no yes
logspam no yes
mailheader X-MailScanner:
mailscannerversionnumber 1.0.0 4.66.5
maxchildren 5 3
maximumarchivedepth 2 10
maximumattachmentspermessage 200 15
maximummessagesize 0 10485760
maxnormalqueuesize 800 1000
maxspamassassinsize 30000 200000
maxspamassassintimeouts 10 100
maxspamchecksize 150000 65000000
maxspamlisttimeouts 7 70
mcpheader X-MailScanner-MCPCheck: X-Domain-MailScanner-MCPCheck:
mcpmaxspamassassinsize 100000 200000
mcpmaxspamassassintimeouts 20 50
mcpmodifysubject start yes
mcpspamassassintimeout 10 50
monitorsforclamavupdates /usr/local/share/clamav/*.cvd /var/lib/clamav/*.cvd
mta sendmail postfix
nonforgingviruses Joke/ OF97/ WM97/ W97M/ eicar
nonspamactions deliver header "X-Spam-Status: No" deliver
noticesfrom MailScanner Firewall Domain
noticesignature -- \nMailScanner\nEmail Virus Scanner\ nwww.mailscanner.info -- \nDomain Ltda\nObservi_2008\nwww.domain.com
noticesto postmaster spam@domain.com
notifysenders yes no
notifysendersofblockedfilenamesorfiletypes yes no
notifysendersofotherblockedcontent yes no
notifysendersofviruses no yes
outgoingqueuedir /var/spool/mqueue /var/spool/postfix/incoming
phishingsubjecttext {Fraud?} {Fraud}
pidfile /var/run/MailScanner.pid /var/run/MailScanner/MailScanner.pid
quarantinegroup www-data
quarantinepermissions 0600 0777
quarantinesilentviruses no yes
quarantineuser postfix
quarantinewholemessage no yes
recipientmcpreport /etc/MailScanner/reports/en/recipient.mcp.report.txt /etc/MailScanner/reports/pt_br/recipient.mcp.report.txt
recipientspamreport /etc/MailScanner/reports/en/recipient.spam.report.txt /etc/MailScanner/reports/pt_br/recipient.spam.report.txt
rejectionreport /etc/MailScanner/reports/en/message.rejection.report.txt /etc/MailScanner/reports/pt_br/rejection.report.txt
requiredspamassassinscore 6 FUNCTION:SQLSpamScores
runasgroup 0 postfix
runasuser 0 postfix
senderbadcontentreport /etc/MailScanner/reports/en/sender.content.report.txt /etc/MailScanner/reports/pt_br/sender.content.report.txt
senderbadfilenamereport /etc/MailScanner/reports/en/sender.filename.report.txt /etc/MailScanner/reports/pt_br/sender.filename.report.txt
sendererrorreport /etc/MailScanner/reports/en/sender.error.report.txt /etc/MailScanner/reports/pt_br/sender.error.report.txt
sendermcpreport /etc/MailScanner/reports/en/sender.mcp.report.txt /etc/MailScanner/reports/pt_br/sender.mcp.report.txt
sendersizereport /etc/MailScanner/reports/en/sender.size.report.txt /etc/MailScanner/reports/pt_br/sender.size.report.txt
senderspamassassinreport /etc/MailScanner/reports/en/sender.spam.sa.report.txt /etc/MailScanner/reports/pt_br/sender.spam.sa.report.txt
senderspamlistreport /etc/MailScanner/reports/en/sender.spam.rbl.report.txt /etc/MailScanner/reports/pt_br/sender.spam.rbl.report.txt
senderspamreport /etc/MailScanner/reports/en/sender.spam.report.txt /etc/MailScanner/reports/pt_br/sender.spam.report.txt
sendervirusreport /etc/MailScanner/reports/en/sender.virus.report.txt /etc/MailScanner/reports/pt_br/sender.virus.report.txt
sendmail2 /usr/sbin/sendmail /usr/sbin/sendmail -DOUTGOING
signatureimagefilename /etc/MailScanner/reports/pt_br/sig.jpg
signatureimageimgfilename signature.jpg
signmessagesalreadyprocessed no yes
spamactions deliver header "X-Spam-Status: Yes" forward spam@domain.com
spamassassinautowhitelist yes no
spamassassindefaultrulesdir /etc/spamassassin
spamassassininstallprefix /usr/bin
spamassassinlocalrulesdir /etc/spamassassin/RuleDuJour
spamassassinruleactions /etc/MailScanner/rules/spam.rules
spamassassinsiterulesdir /etc/spamassassin
spamassassintimeout 75 200
spamassassinuserstatedir /var/lib/MailScanner
spamheader X-MailScanner-SpamCheck:
spammodifysubject start yes
spamscoreheader X-MailScanner-SpamScore:
spamsubjecttext {Spam?} {Spam}
storedbadcontentmessagereport /etc/MailScanner/reports/en/stored.content.message.txt /etc/MailScanner/reports/pt_br/stored.content.message.txt
storedbadfilenamemessagereport /etc/MailScanner/reports/en/stored.filename.message.txt /etc/MailScanner/reports/pt_br/stored.filename.message.txt
storedsizemessagereport /etc/MailScanner/reports/en/stored.size.message.txt /etc/MailScanner/reports/pt_br/stored.size.message.txt
storedvirusmessagereport /etc/MailScanner/reports/en/stored.virus.message.txt /etc/MailScanner/reports/pt_br/stored.virus.message.txt
treatinvalidwatermarkswithnosenderasspam spam nothing
usewatermarking yes no
virusmodifysubject start yes
virusscanners auto clamav
virusscannertimeout 300 3000
virussubjecttext {Virus?} {Virus}
watermarkheader MailScanner-NULL-Check: X-domain-MailScanner-Watermark:
watermarksecret Watermark-secret Domain-Secret
webbugreplacement http://www.mailscanner.info/images/1x1spacer.gif http://www.sng.ecs.soton.ac.uk/mailscanner/images/1x1spacer.gif

2008/8/13 Hugo van der Kooij <hvdkooij@vanderkooij.org>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Pedro Bordin Hoffmann - [M]orpheus wrote:
> | When receiving an e-mail and I have a filename blocking rule, like to
> | block jpg.
> |
> | Why it doesn't send me the e-mail only removing the attachment?
> |
> | It just blocks the whole e-mail...
> |
> | How may I still receive the message, just with the attach removed?
>
> That would involve rebuilding the message instead of just blocking it.
> Picking it apart is much easier than rebuilding it again with some of
> the pieces missing.
>
> What did you change in the configuration to activate blocking?
> What is the output of:
> MailScanner -c
>
>
>
> Hugo.
>
> - --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFIo00qBvzDRVjxmYERAiLvAJ0c99ElhDYGvR+P3KWIOvyyOVhnwQCgpVxg
> owa8XtnY/7OWZz7hb1Iuucg=
> =aAoZ
> -----END PGP SIGNATURE-----
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080814/1ef21f57/attachment.html From ismail at ismailozatay.net Thu Aug 14 13:28:36 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Thu Aug 14 13:28:46 2008 Subject: About watermark References: <007f01c8fd74$1106a160$e8c8a8c0@ALZGW2kXPMC><f7107bf6be5efc4b8a569969f7ed620a@solidstatelogic.com><7EF0EE5CB3B263488C8C18823239BEBA0475B0BA@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA0475B0C1@HC-MBX02.herefordshire.gov.uk> Message-ID: <32DB3E403F224B3788BD0CD5373B516C@pc> Hi all , I am using watermark with mailscanner 4.68.8 . Somebody reports me that i can not receive the Read mail. That's right i have just checked this problem from mailwatch. A user sent a clean e-mail to some one then the other people read mail and sent back an read mail then mailscanner stored it. Sometimes it works properly but i do not kno what is happening ? Can you help me ? thanks ismail From martinh at solidstatelogic.com Thu Aug 14 13:45:11 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Aug 14 13:45:24 2008 Subject: About watermark In-Reply-To: <32DB3E403F224B3788BD0CD5373B516C@pc> Message-ID: <459706e9bf47c14789671887f01aa9e5@solidstatelogic.com> Hi There's a lot of fixes for this in latest stable (4.40.7) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ismail OZATAY > Sent: 14 August 2008 13:29 > To: MailScanner discussion > Subject: About watermark > > Hi all , > > I am using watermark with mailscanner 4.68.8 . Somebody > reports me that i can not receive the Read mail. That's right > i have just checked this problem from mailwatch. A user sent > a clean e-mail to some one then the other people read mail > and sent back an read mail then mailscanner stored it. 
> Sometimes it works properly but i do not kno what is > happening ? Can you help me ? > > thanks > > ismail > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From ismail at ismailozatay.net Thu Aug 14 14:04:00 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Thu Aug 14 14:04:11 2008 Subject: About watermark References: <459706e9bf47c14789671887f01aa9e5@solidstatelogic.com> Message-ID: <E33935E461E544D6BF54BD15B964A1A6@pc> Hmm, i have to upgrade my rpm installation. 
This will be first for me so before the upgrade should i stop MailScanner, i mean the mail traffic ? I have checked the upgrade document and it do not say anything about this. Thanks ismail
From achim+mailscanner at qustodium.net Thu Aug 14 14:06:44 2008 From: achim+mailscanner at qustodium.net (Achim J.
Latz) Date: Thu Aug 14 14:07:11 2008 Subject: update_virus_scanners fix for Debian/Ubuntu Message-ID: <48A42DE4.6090406@qustodium.net>

Good day (and first post for me :)

In /usr/sbin/update_virus_scanners the detection of the autoupdate scripts will fail because of the following replacement:

    UPDATER=`echo $WRAPPER | sed -e 's/-wrapper$/-autoupdate/'`

At least in Debian and Ubuntu, the wrappers are stored in /etc/MailScanner/wrapper/, but the autoupdate scripts are in /etc/MailScanner/autoupdate/

Example BitDefender:

/usr/sbin/update_virus_scanners finds /etc/MailScanner/wrapper/bitdefender-wrapper, then the above expression substitutes for /etc/MailScanner/wrapper/bitdefender-autoupdate, and then tests whether the autoupdate script exists

    if [ -x ${UPDATER} ]
    then
        # echo Updating $NAME
        logger -p mail.info -t update.virus.scanners Running autoupdate for $NAME
        ${UPDATER} "${PACKAGEDIR}" >/dev/null 2>&1
    fi

HOWEVER, it will not find /etc/MailScanner/wrapper/bitdefender-autoupdate because the file actually lives in /etc/MailScanner/autoupdate/bitdefender-autoupdate.

The replacement should IMHO read as follows, to replace all occurrences of wrapper with autoupdate (including those in the path):

    UPDATER=`echo $WRAPPER | sed -e 's/wrapper/autoupdate/g'`

Is that a problem limited to the Debian version, or does it affect other installations as well? Should I file a bug downstream?

Best regards, Achim

-- 
Achim J. Latz, Qustodium Internet Security achim.latz@qustodium.net ? http://www.qustodium.net Data Encryption ? Backup Automatisation ?
E-Mail Protection
From prandal at herefordshire.gov.uk Thu Aug 14 14:18:01 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Aug 14 14:18:22 2008 Subject: About watermark In-Reply-To: <E33935E461E544D6BF54BD15B964A1A6@pc> References: <459706e9bf47c14789671887f01aa9e5@solidstatelogic.com> <E33935E461E544D6BF54BD15B964A1A6@pc> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0475B181@HC-MBX02.herefordshire.gov.uk> service MailScanner stop service MailScanner startin cd to unpacked MailScanner archive directory ./install.sh upgrade_MailScanner_conf (and follow the instructions) upgrade_languages_conf (and follow the instructions) MailScanner --lint if errors, panic and start debugging service MailScanner restart and you are back in business. Cheers, Phil -- Phil Randal Networks Engineer Herefordshire Council Hereford, UK
From MailScanner at ecs.soton.ac.uk Thu Aug 14 14:24:54 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 14 14:25:14 2008 Subject: update_virus_scanners fix for Debian/Ubuntu In-Reply-To: <EMEW-k7DEAWd7c58f78472a3bb4f7addb840fb00320-48A42DE4.6090406@qustodium.net> References: <EMEW-k7DEAWd7c58f78472a3bb4f7addb840fb00320-48A42DE4.6090406@qustodium.net> Message-ID: <48A43226.8030605@ecs.soton.ac.uk> Achim J.
Latz wrote: > Good day (and first post for me :) > > In /usr/sbin/update_virus_scanners the detection of the autoupdate > scripts will fail because of the following replacement: > > UPDATER=`echo $WRAPPER | sed -e 's/-wrapper$/-autoupdate/'` > > At least in Debian and Ubuntu, the wrappers are stored in > /etc/MailScanner/wrapper/, but the autoupdate scripts are in > /etc/MailScanner/autoupdate/ > > Example BitDefender: > > /usr/sbin/update_virus_scanners finds > /etc/MailScanner/wrapper/bitdefender-wrapper, then the above > expression substitutes for > /etc/MailScanner/wrapper/bitdefender-autoupdate, and then tests > whether the autoupdate script exists > > if [ -x ${UPDATER} ] > then > # echo Updating $NAME > logger -p mail.info -t update.virus.scanners Running > autoupdate for $NAME > ${UPDATER} "${PACKAGEDIR}" >/dev/null 2>&1 > fi > > HOWEVER, it will not find > /etc/MailScanner/wrapper/bitdefender-autoupdate because the file > actually lives in /etc/MailScanner/autoupdate/bitdefender-autoupdate. > > The replacement should IMHO read as follows, to replace all > occurrences of wrapper with autoupdate (including those in the path): > > UPDATER=`echo $WRAPPER | sed -e 's/wrapper/autoupdate/g'` > > Is that a problem limited to the Debian version, or does it affect > other installations as well? Should I file a bug downstream? Don't I just live for times when packagers arbitrarily change my layout of stuff, and a) don't tell me and b) break things as a result, cause they couldn't be arsed to test it. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From richard.frovarp at sendit.nodak.edu Thu Aug 14 14:38:00 2008 From: richard.frovarp at sendit.nodak.edu (Richard Frovarp) Date: Thu Aug 14 14:38:13 2008 Subject: Ruleset questions In-Reply-To: <223f97700808140202x7c39cbdesbf363b60d3d7dc9e@mail.gmail.com> References: <48A36413.5080101@sendit.nodak.edu> <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> <48A383C7.40901@sendit.nodak.edu> <223f97700808140202x7c39cbdesbf363b60d3d7dc9e@mail.gmail.com> Message-ID: <48A43538.5070607@sendit.nodak.edu> Glenn Steen wrote: > >> SPF wouldn't do it. SPF would only check the envelope from. We are concerned >> about the displayed from. And in particular of only one of our accounts. >> > > Ah. Well, the same goes for my little thing. I think you'll have to > look at some SA rule creation, it is the best tool for the job. > MailScanner rulesets are out of the question too, since they only > operate on the envelope info too. Same for BLs and such. > So SA it is. > > Thanks for the information. Trying to look at how to reduce the number of social engineering attacks against our users using our own help desk email address (not like they aren't successful using any other email address out there anyway). So the visible From from the headers is what matters here. Richard From nassera at alz-inc.com Thu Aug 14 15:34:25 2008 From: nassera at alz-inc.com (Nasser Al-Zawawi) Date: Thu Aug 14 15:34:31 2008 Subject: MailScanner running very slow (Resolved!) In-Reply-To: <7d9b3cf20808131153o31fe9f54nc8ec3436ec4fdba2@mail.gmail.com> Message-ID: <006501c8fe1a$da359a90$e8c8a8c0@ALZGW2kXPMC> Thank you very much for all the tips. It was a virus scanner issue. I upgraded to the latest ClamAV and switched to clamd instead of the default clamavmodule as suggested by Eduardo. 
I changed "Virus Scanners = auto" to "Virus Scanners = clamd". It is running like a champ now! This command: "MailScanner -lint" was very helpful in narrowing the cause too. Thanks again, Best regards, Nasser 2008/8/13 Nasser Al-Zawawi <nassera@alz-inc.com> Hi, I have a Dell PowerEdge server 2950 with 2 Dual Core Xeon processors 3.0GHz with 2GB RAM running RedHat ES 4. The MTA is sendmail and I am using the latest MailScanner version (4.70.7-1). The system processes about 2,000 emails per day and about half of it are spam. See the following: #--------------- MailScanner Status: 1920 messages Scanned by MailScanner 73657132 Total Bytes 1122 Spam messages detected by MailScanner 6 Viruses found by MailScanner 935 Messages delivered by MailScanner #--------------- The mail delivery is very slow. Some time it takes 2 hrs before it gets delivered. I tried the tips under http://wiki.mailscanner.info/doku.php?id=documentation:tweaking:some_thi ngs_to_try_if_your_incoming_queue_is_running_slow but they did not help. The mail keeps accumulating under /var/spool/mqueue.in while all the MailScanner processors are running at 100% CPU. Then all the sudden (after 1-2 hours) it starts delivering the emails and the /var/spool/mqueue.in files go down to 0. I monitored the system today; the system stopped delivering emails between 9:12AM till 11:35AM. 
During that time, top showed something like this: #---------------- top - 10:46:26 up 3 days, 7:42, 1 user, load average: 5.81, 6.09, 5.48 Tasks: 233 total, 5 running, 226 sleeping, 0 stopped, 2 zombie Cpu(s): 59.0% us, 1.2% sy, 0.0% ni, 39.5% id, 0.2% wa, 0.0% hi, 0.0% si Mem: 2074600k total, 1735692k used, 338908k free, 22524k buffers Swap: 2097144k total, 356516k used, 1740628k free, 532576k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 2752 root 25 0 85572 75m 2964 R 100 3.7 35:54.85 MailScanner 2880 root 25 0 85572 75m 2956 R 100 3.7 35:50.35 MailScanner 3024 root 25 0 85572 75m 2956 R 100 3.7 35:41.62 MailScanner 2949 root 25 0 85572 75m 2956 R 100 3.7 35:47.07 MailScanner 11393 apache 15 0 26360 9736 3648 S 5 0.5 0:57.14 httpd 11394 apache 15 0 26576 9936 3616 S 5 0.5 0:58.83 httpd 26598 root 16 0 4760 2568 1648 S 1 0.1 0:00.20 ssh #---------------- and the /var/spool/mqueue.in continued to accumulate files till it reached 489 messages, then within 5 minutes it delivered all the messages! This cycles continues all day long, where the emails are withheld for 1 to 2 hours and then the get delivered in one big burst. Here are snippets of the log for that period with "Log Speed = yes": grep ": Batch" /var/log/maillog #----------- Aug 13 09:12:16 samba MailScanner[5852]: Batch completed at 1844 bytes per second (39583 / 21) Aug 13 09:12:16 samba MailScanner[5852]: Batch (2 messages) processed in 21.46 seconds Aug 13 09:12:42 samba MailScanner[6013]: Batch completed at 3752 bytes per second (9167 / 2) . Aug 13 11:28:55 samba MailScanner[2949]: Batch (10 messages) processed in 24.54 seconds Aug 13 11:28:55 samba MailScanner[3024]: Batch completed at 657 bytes per second (3825 / 5) Aug 13 11:28:55 samba MailScanner[3024]: Batch (1 message) processed in 5.82 seconds #----------- I would appreciate any clues on resolving this issue. Are you using a local caching dns? dns are critical, remove rbl checking to see if speed increases. 
Do you use clamavmodule? switch to clamd, are you using tmpfs for /var/spool/MailScanner/incomming? delete spamassassin cache and the bayes DB. sometimes they get corrupted and mess things up. Regards, Eduardo. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080814/5a955a6d/attachment-0001.html From gmatt at nerc.ac.uk Thu Aug 14 15:54:05 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Thu Aug 14 15:54:22 2008 Subject: clamd and RH kernel 2.6.9-67.0.20 Message-ID: <48A4470D.5040407@nerc.ac.uk> guess I really chose the wrong moment to change from clamavmodule to clamd! I hit this bug: http://bugs.centos.org/view.php?id=3007 https://bugzilla.redhat.com/show_bug.cgi?id=453507 where the combination of clamd and kernel 2.6.9-67.0.20 results in a kernel panic (under heavy IO?). The patches that caused the problem were removed in 2.6.9-67.0.22 but the full fix isnt available until 2.6.9-78.0.1 (the first update /after/ release of RHEL4.7). In other words, the fix didnt make it into 4.7 where the problem still exists but the latest kernel rev /does/ include the fix. CentOS has not yet released 4.7 so I am currently running with 2.6.9-67.0.22. The alternative was to roll back to 2.6.9-67.0.15. I assume that once CentOS release 4.7 it will already include the fixed kernel. just a heads up for anyone else choosing this moment to switch to clamd. GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. 
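
Added example, not part of any list message and not MailScanner's own code: a POSIX sh lookup for the update_virus_scanners problem described in the "update_virus_scanners fix for Debian/Ubuntu" thread above. It resolves the autoupdate script for both layouts mentioned there, shows that a global "wrapper" substitution also rewrites unrelated path components, and lists wrappers whose updater is missing so that skipped signature updates get noticed. The function names and the temporary directory tree are assumptions made for this example.

```shell
#!/bin/sh
# find_updater WRAPPER_PATH
# Prints the matching executable <name>-autoupdate script and returns 0,
# or prints nothing and returns 1 when no updater exists.
find_updater() {
    wrapper=$1
    dir=$(dirname "$wrapper")
    base=$(basename "$wrapper")

    # Only file names ending in -wrapper are treated as wrappers.
    case $base in
        *-wrapper) name=${base%-wrapper} ;;
        *) return 1 ;;
    esac

    # Candidate 1: updater in the same directory as the wrapper.
    # Candidate 2: Debian/Ubuntu layout, wrapper/ and autoupdate/ as siblings.
    for candidate in \
        "$dir/$name-autoupdate" \
        "$(dirname "$dir")/autoupdate/$name-autoupdate"
    do
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# list_wrappers_without_updater WRAPPER_DIR
# Prints every wrapper in WRAPPER_DIR for which find_updater finds nothing.
list_wrappers_without_updater() {
    for w in "$1"/*-wrapper; do
        [ -e "$w" ] || continue
        find_updater "$w" >/dev/null || printf '%s\n' "$w"
    done
}

# make_demo_tree
# Builds a constructed directory tree with both layouts and prints its root.
# The Debian-style parent directory deliberately contains the word "wrapper".
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/upstream" \
             "$root/my-wrapper-host/wrapper" \
             "$root/my-wrapper-host/autoupdate"
    for f in upstream/clamav-wrapper \
             upstream/clamav-autoupdate \
             my-wrapper-host/wrapper/bitdefender-wrapper \
             my-wrapper-host/wrapper/orphan-wrapper \
             my-wrapper-host/autoupdate/bitdefender-autoupdate
    do
        printf '#!/bin/sh\n' > "$root/$f"
        chmod +x "$root/$f"
    done
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree.
demo_root=$(make_demo_tree)
deb_wrapper="$demo_root/my-wrapper-host/wrapper/bitdefender-wrapper"
echo "suffix-only sed: $(echo "$deb_wrapper" | sed -e 's/-wrapper$/-autoupdate/')"
echo "global sed:      $(echo "$deb_wrapper" | sed -e 's/wrapper/autoupdate/g')"
echo "find_updater:    $(find_updater "$deb_wrapper")"
echo "no updater for:  $(list_wrappers_without_updater "$demo_root/my-wrapper-host/wrapper")"
rm -rf "$demo_root"
```
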
From prandal at herefordshire.gov.uk Thu Aug 14 15:58:24 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Aug 14 15:58:48 2008 Subject: MailScanner running very slow (Resolved!) In-Reply-To: <006501c8fe1a$da359a90$e8c8a8c0@ALZGW2kXPMC> References: <7d9b3cf20808131153o31fe9f54nc8ec3436ec4fdba2@mail.gmail.com> <006501c8fe1a$da359a90$e8c8a8c0@ALZGW2kXPMC> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0475B1C0@HC-MBX02.herefordshire.gov.uk> The latest ClamAV with ClamAVModule works fine for me, though it is a bit of a memory hog. I hope you have something in place to restart clamd if it fails for any reason. Cheers, Phil -- Phil Randal Networks Engineer Herefordshire Council Hereford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080814/890e058d/attachment.html
From lars+lister.mailscanner at adventuras.no Thu Aug 14 21:06:25 2008 From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen) Date: Thu Aug 14 21:06:52 2008 Subject: Ruleset questions In-Reply-To: <48A43538.5070607@sendit.nodak.edu> References: <48A36413.5080101@sendit.nodak.edu> <223f97700808131713p63459edahc8eabbe955f98cef@mail.gmail.com> <48A383C7.40901@sendit.nodak.edu> <223f97700808140202x7c39cbdesbf363b60d3d7dc9e@mail.gmail.com> <48A43538.5070607@sendit.nodak.edu> Message-ID: <48A49041.4090104@adventuras.no> Richard Frovarp wrote: > Glenn Steen wrote: >> >>> SPF wouldn't do it. SPF would only check the envelope from. We are >>> concerned >>> about the displayed from. And in particular of only one of our accounts. >>> >> >> Ah.
Well, the same goes for my little thing. I think you'll have to >> look at some SA rule creation, it is the best tool for the job. >> MailScanner rulesets are out of the question too, since they only >> operate on the envelope info too. Same for BLs and such. >> So SA it is. >> >> > Thanks for the information. Trying to look at how to reduce the number > of social engineering attacks against our users using our own help desk > email address (not like they aren't successful using any other email > address out there anyway). So the visible From from the headers is what > matters here. > > Richard FWIW: DKIM operates on From header if no Sender header is present. Regards, Lars From lars+lister.mailscanner at adventuras.no Thu Aug 14 21:21:15 2008 From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen) Date: Thu Aug 14 21:21:35 2008 Subject: MailScanner running very slow (Resolved!) In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0475B1C0@HC-MBX02.herefordshire.gov.uk> References: <7d9b3cf20808131153o31fe9f54nc8ec3436ec4fdba2@mail.gmail.com> <006501c8fe1a$da359a90$e8c8a8c0@ALZGW2kXPMC> <7EF0EE5CB3B263488C8C18823239BEBA0475B1C0@HC-MBX02.herefordshire.gov.uk> Message-ID: <48A493BB.5040302@adventuras.no> Randal, Phil wrote: > The latest ClamAV with ClamAVModule works fine for me, though it is a > bit of a memory hog. > > I hope you have something in place to restart clamd if it fails for any > reason. > And if you do not have something already, there is a small script you can run from cron called clamdwatch in the contrib directory of the clamav distribution.
Regards, Lars From jcputter at centreweb.co.za Thu Aug 14 21:31:55 2008 From: jcputter at centreweb.co.za (JC ) Date: Thu Aug 14 21:33:06 2008 Subject: /var/spool/mailscanner/spamassassin Message-ID: <000001c8fe4c$cac5f640$6051e2c0$@co.za> Hi i am using postfix with mailscanner When i tail -f /var/log/maillog i get "Could not create SpamAssassin cache database /var/spool/MailScanner/spamassassin" I did go chown postfix.postfix Could not create SpamAssassin cache database /var/spool/MailScanner/spamassassin Chown postfix.postfix /var/spool/MailScanner/incoming Chown postfix.postfix /var/spool/MailScanner/quarantine -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080814/9d55aaa0/attachment.html From andrew at gdcon.net Thu Aug 14 21:34:18 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Thu Aug 14 21:34:41 2008 Subject: Spam/Ham learning address In-Reply-To: <48A493BB.5040302@adventuras.no> References: <7d9b3cf20808131153o31fe9f54nc8ec3436ec4fdba2@mail.gmail.com> <006501c8fe1a$da359a90$e8c8a8c0@ALZGW2kXPMC> <7EF0EE5CB3B263488C8C18823239BEBA0475B1C0@HC-MBX02.herefordshire.gov.uk> <48A493BB.5040302@adventuras.no> Message-ID: <48A496CA.6060907@gdcon.net> Is there any way that MailScanner can force an sa-learn operation on messages sent to a specific address? i.e. learn as the message passes through rather than interrogate a mailbox? (I guess it could then file the message in /dev/nul rather than forward it ) -Andrew -- This message was scanned by ESVA and is believed to be clean. From jra at baylink.com Thu Aug 14 21:50:05 2008 From: jra at baylink.com (Jay R. 
Ashworth) Date: Thu Aug 14 21:50:14 2008 Subject: Spam/Ham learning address In-Reply-To: <48A496CA.6060907@gdcon.net> References: <7d9b3cf20808131153o31fe9f54nc8ec3436ec4fdba2@mail.gmail.com> <006501c8fe1a$da359a90$e8c8a8c0@ALZGW2kXPMC> <7EF0EE5CB3B263488C8C18823239BEBA0475B1C0@HC-MBX02.herefordshire.gov.uk> <48A493BB.5040302@adventuras.no> <48A496CA.6060907@gdcon.net> Message-ID: <20080814205005.GD27167@cgi.jachomes.com> On Thu, Aug 14, 2008 at 09:34:18PM +0100, Andrew MacLachlan wrote: > Is there any way that MailScanner can force an sa-learn operation on > messages sent to a specific address? i.e. learn as the message passes > through rather than interrogate a mailbox? (I guess it could then file > the message in /dev/nul rather than forward it ) This has come up before, *somewhere* that I remember seeing it. The problem is that to do it safely, the mail user agent forwarding the message can't actually *forward* it, it has to do something closer to what Mutt refers to as a 'bounce' -- and even that may not preserve enough headers to do the job properly. Or do you mean "spamtrap/sneakemail" kinda stuff? Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From andrew at gdcon.net Thu Aug 14 21:59:41 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Thu Aug 14 22:00:04 2008 Subject: Spam/Ham learning address In-Reply-To: <20080814205005.GD27167@cgi.jachomes.com> References: <7d9b3cf20808131153o31fe9f54nc8ec3436ec4fdba2@mail.gmail.com> <006501c8fe1a$da359a90$e8c8a8c0@ALZGW2kXPMC> <7EF0EE5CB3B263488C8C18823239BEBA0475B1C0@HC-MBX02.herefordshire.gov.uk> <48A493BB.5040302@adventuras.no> <48A496CA.6060907@gdcon.net> <20080814205005.GD27167@cgi.jachomes.com> Message-ID: <48A49CBD.2020903@gdcon.net> Jay R. 
Ashworth wrote: > On Thu, Aug 14, 2008 at 09:34:18PM +0100, Andrew MacLachlan wrote: > >> Is there any way that MailScanner can force an sa-learn operation on >> messages sent to a specific address? i.e. learn as the message passes >> through rather than interrogate a mailbox? (I guess it could then file >> the message in /dev/nul rather than forward it ) >> > > This has come up before, *somewhere* that I remember seeing it. > > The problem is that to do it safely, the mail user agent forwarding the > message can't actually *forward* it, it has to do something closer to > what Mutt refers to as a 'bounce' -- and even that may not preserve > enough headers to do the job properly. > > Hmmm... just as I suspected. Thanks. -- This message was scanned by ESVA and is believed to be clean. From martinh at solidstatelogic.com Fri Aug 15 08:38:40 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Aug 15 08:38:53 2008 Subject: /var/spool/mailscanner/spamassassin In-Reply-To: <000001c8fe4c$cac5f640$6051e2c0$@co.za> Message-ID: <7b06a17d92ecee44b9c9eceb7727c789@solidstatelogic.com> Hi Have you got the SQLlite perl module? "Mailscanner -v" will help here. 
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of JC > Sent: 14 August 2008 21:32 > To: mailscanner@lists.mailscanner.info > Subject: /var/spool/mailscanner/spamassassin > > Hi i am using postfix with mailscanner > > > > When i tail -f /var/log/maillog i get "Could not create > SpamAssassin cache database /var/spool/MailScanner/spamassassin" > > > > I did go chown postfix.postfix Could not create SpamAssassin > cache database /var/spool/MailScanner/spamassassin > > Chown postfix.postfix /var/spool/MailScanner/incoming > > Chown postfix.postfix /var/spool/MailScanner/quarantine > > > > > > > > > -- > This message has been scanned for viruses and dangerous > content by MailScanner <http://www.mailscanner.info/> , and > is believed to be clean. > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom **********************************************************************

From support-lists at petdoctors.co.uk Fri Aug 15 13:27:07 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Fri Aug 15 13:27:49 2008
Subject: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
Message-ID: <6EE23F6198EA4D0A9CD52C8FC923E0DA@SUPPORT01V>

Just noticed ClamAV throwing the following error into Maillog:

Aug 15 13:17:39 woking MailScanner[6082]: Commercial virus checker failed with real error: Invalid function CL_SCAN_PHISHING_DOMAINLIST at /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/Mail/ClamAV.pm line 120.

I have re-installed using Jules' ClamAV/SpamAssassin bundle, done a freshclam and restarted MailScanner and still getting the same. Can't find much in the way of notes about this...!?

Thanks

Nigel Kendrick

From MailScanner at ecs.soton.ac.uk Fri Aug 15 14:20:00 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 15 14:20:24 2008
Subject: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
In-Reply-To: <EMEW-k7EDcHad988ceb4b084fefff03557bf602bde3-6EE23F6198EA4D0A9CD52C8FC923E0DA@SUPPORT01V>
References: <EMEW-k7EDcHad988ceb4b084fefff03557bf602bde3-6EE23F6198EA4D0A9CD52C8FC923E0DA@SUPPORT01V>
Message-ID: <48A58280.4030001@ecs.soton.ac.uk>

Nigel Kendrick wrote:
> Just noticed ClamAV throwing the following error into Maillog:
>
> Aug 15 13:17:39 woking MailScanner[6082]: Commercial virus checker failed
> with real error: Invalid function CL_SCAN_PHISHING_DOMAINLIST at
> /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/Mail/ClamAV.pm line
> 120.
>
> I have re-installed using Jules' ClamAV/SpamAssassin bundle, done a
> freshclam and restarted MailScanner and still getting the same.
Can't find > much in the way of notes about this...!? > Did the "make test" phase of building the Mail::ClamAV module succeed? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From itdept at fractalweb.com Fri Aug 15 18:10:22 2008 From: itdept at fractalweb.com (Chris Yuzik) Date: Fri Aug 15 18:10:52 2008 Subject: Filetype rules - blocking exes not working Message-ID: <008601c8fef9$d00290c0$7007b240$@com> Hi everyone, We've noticed a bit of an oddity here. Files that are .exe are getting through our mail system, and I'm not quite sure why. In MailScanner.conf, we have: Filetype Rules = %rules-dir%/filetype.rules In filetype.rules.conf, we have: deny executable No executables No programs allowed We also have: Maximum Archive Depth = %rules-dir%/max.archive.depth.rules And the contents of max.archive.depth.rules are: FromOrTo: default 0 I've checked and made sure that fields are separated by tabs. I'm not sure what else I must be missing. Any ideas? Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080815/34219562/attachment.html From cbarber at techquility.net Fri Aug 15 18:27:58 2008 From: cbarber at techquility.net (Chris Barber) Date: Fri Aug 15 18:28:55 2008 Subject: Blacklist and delete? Message-ID: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net> I was wondering if this is possible... I have a few users who get tons of spam every day. MailScanner successfully blocks most of these through rules and/or blacklists. 
The problem is when users are viewing their quarantine, there are so many messages that it takes a long time to see if anything legitimate is in there. On servers running MailWatch with a quarantine report, the report has 150+ messages in it, again very time consuming to look through. So is it possible to have a blacklist entry that also deletes the message? This way the quarantine and/or the report email will not be overloaded?

Thanks, Chris

From martinh at solidstatelogic.com Fri Aug 15 18:41:37 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Aug 15 18:40:03 2008
Subject: Filetype rules - blocking exes not working
Message-ID: <auto-001218821989@solidstatelogic.com>

What does "file" say about these files?

-- martin

-----Original Message-----
From: Chris Yuzik <itdept@fractalweb.com>
Sent: Friday, August 15, 2008 6:21 PM
To: mailscanner@lists.mailscanner.info
Subject: Filetype rules - blocking exes not working

Hi everyone,

We've noticed a bit of an oddity here. Files that are .exe are getting through our mail system, and I'm not quite sure why.

In MailScanner.conf, we have:

Filetype Rules = %rules-dir%/filetype.rules

In filetype.rules.conf, we have:

deny executable No executables No programs allowed

We also have:

Maximum Archive Depth = %rules-dir%/max.archive.depth.rules

And the contents of max.archive.depth.rules are:

FromOrTo: default 0

I've checked and made sure that fields are separated by tabs. I'm not sure what else I must be missing. Any ideas?

Chris

From Denis.Beauchemin at USherbrooke.ca Fri Aug 15 18:42:12 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Aug 15 18:42:35 2008
Subject: Filetype rules - blocking exes not working
In-Reply-To: <008601c8fef9$d00290c0$7007b240$@com>
References: <008601c8fef9$d00290c0$7007b240$@com>
Message-ID: <48A5BFF4.4090400@USherbrooke.ca>

Chris Yuzik wrote:
>
> Hi everyone,
>
> We've noticed a bit of an oddity here. Files that are .exe are getting
> through our mail system, and I'm not quite sure why.
>
> In MailScanner.conf, we have:
>
> Filetype Rules = %rules-dir%/filetype.rules
>
> In filetype.rules.conf, we have:
>

Chris,

Is this just a typo: filetype.rules vs filetype.rules.conf ?

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From Kevin_Miller at ci.juneau.ak.us Fri Aug 15 18:45:08 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Aug 15 18:45:22 2008
Subject: Blacklist and delete?
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net>
References: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net>
Message-ID: <D1587DCF6294524BAFA2C9944312FCC8C7D690@city-exch-w3e.cbj.local>

Chris Barber wrote:
> I was wondering if this is possible...
>
> I have a few users who get tons of spam every day. MailScanner
> successfully blocks most of these through rules and/or blacklists. The
> problem is when users are viewing their quarantine, there are so many
> messages that it takes a long time to see if anything legitimate is in
> there. On servers running MailWatch with a quarantine report, the
> report has 150+ messages in it, again very time consuming to look
> through.
>
> So is it possible to have a blacklist entry that also deletes the
> message? This way the quarantine and/or the report email will not be
> overloaded?

How have you set your spam action and high scoring spam action. I quarantine spam, but vaporize high scoring spam. If you're quarantining both, you could probably cut back on the amount quite a bit if you delete the high scoring stuff. Assuming you have the luxury of doing so. How do the users look at the quarantine? Are you using MailWatch? If so they can sort by spam score and probably ignore the stuff that is scoring a lot of points...

...Kevin

--
Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500

From Denis.Beauchemin at USherbrooke.ca Fri Aug 15 18:45:46 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Aug 15 18:46:06 2008
Subject: Blacklist and delete?
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net>
References: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net>
Message-ID: <48A5C0CA.20501@USherbrooke.ca>

Chris Barber wrote:
> I was wondering if this is possible...
>
> I have a few users who get tons of spam every day. MailScanner
> successfully blocks most of these through rules and/or blacklists. The
> problem is when users are viewing their quarantine, there are so many
> messages that it takes a long time to see if anything legitimate is in
> there. On servers running MailWatch with a quarantine report, the report
> has 150+ messages in it, again very time consuming to look through.
>
> So is it possible to have a blacklist entry that also deletes the
> message? This way the quarantine and/or the report email will not be
> overloaded?
>
> Thanks,
> Chris
>

Chris,

Use High Scoring Spam (High SpamAssassin Score) for that. Just delete spam with a score you're confident could not be FP...

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From dnsadmin at 1bigthink.com Fri Aug 15 19:02:09 2008
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Fri Aug 15 19:02:26 2008
Subject: Blacklist and delete?
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net>
References: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net>
Message-ID: <200808151802.m7FI2HAr007620@mxt.1bigthink.com>

At 01:27 PM 8/15/2008, you wrote:
>I was wondering if this is possible...
>
>I have a few users who get tons of spam every day. MailScanner
>successfully blocks most of these through rules and/or blacklists. The
>problem is when users are viewing their quarantine, there are so many
>messages that it takes a long time to see if anything legitimate is in
>there.
On servers running MailWatch with a quarantine report, the report >has 150+ messages in it, again very time consuming to look through. > >So is it possible to have a blacklist entry that also deletes the >message? This way the quarantine and/or the report email will not be >overloaded? > >Thanks, >Chris Slightly OT, but what I did to solve my volume problem was rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html); my own RBL. I've never trusted any of the RBL's entirely, except maybe Zen, but then we started doing major loads of International email and still wasn't sure about them. The point being, I not only took a load out of my user's inbox, but also off my MTA, because I use my own RBL to block at MTA. I compile my RBL list from MailWatch database of spammers and of all infected Zombies. It really helped me! Cheers, Glenn -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dnsadmin at 1bigthink.com Fri Aug 15 19:04:13 2008 From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Fri Aug 15 19:04:32 2008 Subject: Blacklist and delete? -- Clarification Message-ID: <200808151804.m7FI4LGn007827@mxt.1bigthink.com> At 01:27 PM 8/15/2008, you wrote: >I was wondering if this is possible... > >I have a few users who get tons of spam every day. MailScanner >successfully blocks most of these through rules and/or blacklists. The >problem is when users are viewing their quarantine, there are so many >messages that it takes a long time to see if anything legitimate is in >there. On servers running MailWatch with a quarantine report, the report >has 150+ messages in it, again very time consuming to look through. > >So is it possible to have a blacklist entry that also deletes the >message? This way the quarantine and/or the report email will not be >overloaded? > >Thanks, >Chris Slightly OT, but what I did to solve my volume problem was rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html); my own RBL. 
I've never trusted any of the RBL's entirely, except maybe Zen, but then we started doing major loads of International email and still wasn't sure about them.

Clarification, here:
---------------------------
I do use other RBLs, but only in SpamAssassin for scoring. I didn't feel I could trust any of them fully at the MTA.

Cheers, Glenn

From ssilva at sgvwater.com Sun Aug 17 22:53:51 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Sun Aug 17 22:54:41 2008
Subject: Blacklist and delete?
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net>
References: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net>
Message-ID: <g8a6mb$d1h$1@ger.gmane.org>

on 8-15-2008 10:27 AM Chris Barber spake the following:
> I was wondering if this is possible...
>
> I have a few users who get tons of spam every day. MailScanner
> successfully blocks most of these through rules and/or blacklists. The
> problem is when users are viewing their quarantine, there are so many
> messages that it takes a long time to see if anything legitimate is in
> there. On servers running MailWatch with a quarantine report, the report
> has 150+ messages in it, again very time consuming to look through.
>
> So is it possible to have a blacklist entry that also deletes the
> message? This way the quarantine and/or the report email will not be
> overloaded?
>
> Thanks,
> Chris

You can also use the SpamAssassin Rule Actions and delete stuff that scores somewhat higher than your base high spam score. I do that with stuff that scores over 25, and eliminate a good portion of stuff that is very unlikely to be a FP.

SpamAssassin Rule Actions = SpamScore>25=>not-store

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From andrew at gdcon.net Mon Aug 18 00:23:22 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Mon Aug 18 00:18:03 2008
Subject: Spam report addressed to multiple people
Message-ID: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net>

Hi - This is a strange one.
Shouldn't MailScanner send a separate spam notification to each recipient of a suspected spam when spam actions = notify? rather than include the entire recipient list in the to: field?

From: MailScanner <postmaster@domain.tld>
To: aaaa@domain.tld; bbbb@domain.tld; cccc@domain.tld
Sent: Thursday, August 14, 2008 11:49:18 PM
Subject: {Spam not delivered} Some Subject

Our UCE (spam) detectors have been triggered by a message you received:-
......

- Andrew

From hvdkooij at vanderkooij.org Mon Aug 18 06:26:29 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Aug 18 06:26:38 2008
Subject: Spam report addressed to multiple people
In-Reply-To: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net>
References: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net>
Message-ID: <48A90805.20000@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew MacLachlan wrote:
> Hi - This is a strange one.
> Shouldn't MailScanner send a separate spam notification to each recipient
> of a suspected spam when spam actions = notify? rather than include the
> entire recipient list in the to: field?
>
> From: MailScanner <postmaster@domain.tld>
> To: aaaa@domain.tld; bbbb@domain.tld; cccc@domain.tld
> Sent: Thursday, August 14, 2008 11:49:18 PM
> Subject: {Spam not delivered} Some Subject
>
>
> Our UCE (spam) detectors have been triggered by a message you received:-
> ......
Are you saying you send a notification for each spam message? Do you happen to send out some to senders as well? (If that is the case you will probably end up being blacklisted as a spam amplifier.)

But do you split messages before MailScanner? It sounds like you don't do that (properly).

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIqQgDBvzDRVjxmYERAj6dAJ9ylRwWdJykJsbLb/q3i5UM9IBtQQCeLAin
d7pKM6vLUCeRe9we2HStZMg=
=afXC
-----END PGP SIGNATURE-----

From jan-peter at koopmann.eu Mon Aug 18 07:10:04 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Aug 18 07:10:26 2008
Subject: yum upgrade trouble
Message-ID: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de>

Hi,

after installing MailScanner via install.sh my yum upgrade gives me trouble:

Transaction Check Error:
  file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.20-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_2.3
  file /usr/share/man/man3/bigint.3pm.gz from install of perl-bignum-0.23-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_2.3
  file /usr/share/man/man3/bignum.3pm.gz from install of perl-bignum-0.23-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_2.3

etc. Any ideas? Is this related to install.sh installing its own perl modules in any way?
Kind regards, JP From ismail at ismailozatay.net Mon Aug 18 07:25:32 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Mon Aug 18 07:25:48 2008 Subject: yum upgrade trouble References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> Message-ID: <DA2FE9FA245E48F6BCD694113C753A6F@pc> Hi , You can try to exclude perl modules using yum upgrade --exclude=perl-* ----- Original Message ----- From: "Koopmann, Jan-Peter" <jan-peter@koopmann.eu> To: "MailScanner discussion" <mailscanner@lists.mailscanner.info> Sent: Monday, August 18, 2008 9:10 AM Subject: yum upgrade trouble Hi, after installing MailScanner via install.sh my yum upgrade gives me trouble: Transaction Check Error: file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.20-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_2.3 file /usr/share/man/man3/bigint.3pm.gz from install of perl-bignum-0.23-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_2.3 file /usr/share/man/man3/bignum.3pm.gz from install of perl-bignum-0.23-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_2.3 etc. Any ideas? Is this related to install.sh installing its own perl modules in any way? Kind regards, JP -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From tgc at statsbiblioteket.dk Mon Aug 18 07:54:15 2008 From: tgc at statsbiblioteket.dk (Tom G. 
Christensen) Date: Mon Aug 18 07:54:25 2008 Subject: yum upgrade trouble In-Reply-To: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> Message-ID: <48A91C97.5060507@statsbiblioteket.dk> Koopmann, Jan-Peter wrote: > Hi, > > after installing MailScanner via install.sh my yum upgrade gives me > trouble: > > Transaction Check Error: > file /usr/share/man/man3/File::Temp.3pm.gz from install of > perl-File-Temp-0.20-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_2.3 > file /usr/share/man/man3/bigint.3pm.gz from install of > perl-bignum-0.23-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_2.3 > file /usr/share/man/man3/bignum.3pm.gz from install of > perl-bignum-0.23-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_2.3 > > etc. Any ideas? Is this related to install.sh installing its own perl > modules in any way? > Don't know for sure but could be, since install.sh likes to use --force to replace files that are part of other packages. Hugo van der Kooij is maintaining a yum repo that attempts to solve this problem. Most of the info is in the list archives but you can have a look at http://yum.vanderkooij.org/ for a bit of info. To solve your immediate problem you can manually install the perl update with rpm -Uvh --force, just make sure the conflicting files are innocent ones like the manpages listed above. Otherwise you risk finding yourself with a broken MailScanner. 
-tgc From jan-peter at koopmann.eu Mon Aug 18 07:54:10 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Aug 18 07:54:32 2008 Subject: yum upgrade trouble In-Reply-To: <EMEW-k7H8YL836dbe21edf484790d8b0dfe0882e21d-DA2FE9FA245E48F6BCD694113C753A6F@pc> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <EMEW-k7H8YL836dbe21edf484790d8b0dfe0882e21d-DA2FE9FA245E48F6BCD694113C753A6F@pc> Message-ID: <EMEW-k7H8sMde452e908a5db4934f0d40cb504a787c-5F9EB2B0731E5B4D88FC20780DFD1610432512@DE-SEXB01RZ.intern.seceidos.de> Hi, > You can try to exclude perl modules using yum upgrade --exclude=perl-* That is clear. But I would like the perl upgrades! Why would I want to exclude them from yum upgrade just because MailScanner is installed? Regards, JP From ismail at ismailozatay.net Mon Aug 18 09:06:21 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Mon Aug 18 09:06:39 2008 Subject: yum upgrade trouble References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de><EMEW-k7H8YL836dbe21edf484790d8b0dfe0882e21d-DA2FE9FA245E48F6BCD694113C753A6F@pc> <EMEW-k7H8sMde452e908a5db4934f0d40cb504a787c-5F9EB2B0731E5B4D88FC20780DFD1610432512@DE-SEXB01RZ.intern.seceidos.de> Message-ID: <6A12B94D61A448EAB1CB245A607CC60C@pc> Hi; Some of those perl packages are installed by MailScanner. So if you choose upgrading all perl packages Julian should answer this question because after the upgrade maybe something do not work. I have never upgraded perl modules , i always excluded . ----- Original Message ----- From: "Koopmann, Jan-Peter" <jan-peter@koopmann.eu> To: "MailScanner discussion" <mailscanner@lists.mailscanner.info> Sent: Monday, August 18, 2008 9:54 AM Subject: RE: yum upgrade trouble Hi, > You can try to exclude perl modules using yum upgrade --exclude=perl-* That is clear. But I would like the perl upgrades! 
Why would I want to exclude them from yum upgrade just because MailScanner is installed? Regards, JP -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Mon Aug 18 09:13:01 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 18 09:13:21 2008 Subject: yum upgrade trouble In-Reply-To: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> Message-ID: <48A92F0D.3050305@ecs.soton.ac.uk> Koopmann, Jan-Peter wrote: > Hi, > > after installing MailScanner via install.sh my yum upgrade gives me > trouble: > > Transaction Check Error: > file /usr/share/man/man3/File::Temp.3pm.gz from install of > perl-File-Temp-0.20-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_2.3 > file /usr/share/man/man3/bigint.3pm.gz from install of > perl-bignum-0.23-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_2.3 > file /usr/share/man/man3/bignum.3pm.gz from install of > perl-bignum-0.23-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_2.3 > > etc. Any ideas? Is this related to install.sh installing its own perl > modules in any way? > If you are prepared to stop MailScanner for a little while, during your upgrade, you can service MailScanner stop rpm -e perl-File-Temp perl-bignum yum update perl Then re-install MailScanner (the same version you had before will be fine) using the ./install.sh script. service MailScanner start Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? 
Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From andrew at gdcon.net Mon Aug 18 09:18:56 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Mon Aug 18 09:13:39 2008 Subject: Spam report addressed to multiple people In-Reply-To: <48A90805.20000@vanderkooij.org> References: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net> <48A90805.20000@vanderkooij.org> Message-ID: <88037b741fad1c25cd75aacd8a204698.squirrel@wm.gdcon.net> On Mon, August 18, 2008 6:26 am, Hugo van der Kooij wrote: > Are you saying you send a notification for each spam message? Do you > happen to send out some to senders as well? (If that is the case you > will propably end up being blacklisted as spam amplifier.) Sending notification on low-scoring spam to the recipient only - not to the "sender" that would be stupid. > > But do you split messages before MailScanner? It sounds like you don't > do that (properly). OK - any pointers to the _correct_ way of doing this with PF? > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFIqQgDBvzDRVjxmYERAj6dAJ9ylRwWdJykJsbLb/q3i5UM9IBtQQCeLAin > d7pKM6vLUCeRe9we2HStZMg= > =afXC > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>
> --
> This message was scanned by ESVA and is believed to be clean.
> Click here to report this message as spam.
> http://mail-gw01.gdcon.net/cgi-bin/learn-msg.cgi?id=6207127F11.951D0
>
>

--
This message was scanned by ESVA and is believed to be clean.

From jan-peter at koopmann.eu Mon Aug 18 11:10:35 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Aug 18 11:10:56 2008
Subject: yum upgrade trouble
In-Reply-To: <EMEW-k7HAHa83d0adbbd0dc86ca5e3c19870c65d197-48A92F0D.3050305@ecs.soton.ac.uk>
References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <EMEW-k7HAHa83d0adbbd0dc86ca5e3c19870c65d197-48A92F0D.3050305@ecs.soton.ac.uk>
Message-ID: <EMEW-k7HCAk79c12c90da6c0755a4b2e042b752272e-5F9EB2B0731E5B4D88FC20780DFD161043252D@DE-SEXB01RZ.intern.seceidos.de>

Hi Jules,

> If you are prepared to stop MailScanner for a little while, during your
> upgrade, you can

I can live with that.

> service MailScanner stop
> rpm -e perl-File-Temp perl-bignum
> yum update perl
> Then re-install MailScanner (the same version you had before will be
> fine) using the ./install.sh script.
> service MailScanner start

Ok so the install.sh _does_ break the yum update mechanism a bit? So
either live with it and use install.sh or use Hugo's yum.repository? I
could live with both unless there is a very strong argument for the one
or the other.
Regards,
  JP

From steve at fsl.com Mon Aug 18 15:07:33 2008
From: steve at fsl.com (Stephen Swaney)
Date: Mon Aug 18 15:07:45 2008
Subject: yum upgrade trouble
In-Reply-To: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de>
References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de>
Message-ID: <48A98225.9090909@fsl.com>

Jan-peter,

We'll shortly be announcing a version of MailScanner with all related
applications that is completely rpm based using our own yum
repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes
(using Postgres) will all be installed on CentOS 5 / RH 5 simply by
running:

    yum -y groupinstall MailScannerGold

Best of all of the Perl Packages and all of their dependencies are
separated from the system libraries. This allows MailScanner and the
related applications as well as the system itself to be safely updated
by simply running;

    yum -y update

Now more Perl conflicts since our schema eliminates all of the Perl
related problems.

This will be a subscription based service with IP based secure keys
required to access the repositories. Along with access to the
repositories, subscribers will receive reduced support hourly rates.

It will be available for testing very shortly. What do you think?

Best regards,

Steve

Koopmann, Jan-Peter wrote:
> Hi,
>
> after installing MailScanner via install.sh my yum upgrade gives me
> trouble:
>
> Transaction Check Error:
> file /usr/share/man/man3/File::Temp.3pm.gz from install of
> perl-File-Temp-0.20-1.el5.rf conflicts with file from package
> perl-5.8.8-10.el5_2.3
> file /usr/share/man/man3/bigint.3pm.gz from install of
> perl-bignum-0.23-1.el5.rf conflicts with file from package
> perl-5.8.8-10.el5_2.3
> file /usr/share/man/man3/bignum.3pm.gz from install of
> perl-bignum-0.23-1.el5.rf conflicts with file from package
> perl-5.8.8-10.el5_2.3
>
> etc. Any ideas?
> Is this related to install.sh installing its own perl
> modules in any way?
>
>
> Kind regards,
> JP
>
>

From uxbod at splatnix.net Mon Aug 18 15:15:58 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Aug 18 15:16:17 2008
Subject: yum upgrade trouble
In-Reply-To: <48A98225.9090909@fsl.com>
Message-ID: <26228886.29431219068958418.JavaMail.root@office.splatnix.net>

Steve,

Will you offer a repo for the beta stream as well?

Regards,

Phil

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Stephen Swaney" <steve@fsl.com> wrote:

> Jan-peter,
>
> We'll shortly be announcing a version of MailScanner with all related
>
> applications that is completely rpm based using our own yum
> repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes
> (using Postgres) will all be installed on CentOS 5 / RH 5 simply by
> running:
>
> yum -y groupinstall MailScannerGold
>
> Best of all of the Perl Packages and all of their dependencies are
> separated from the system libraries. This allows MailScanner and the
> related applications as well as the system itself to be safely updated
>
> by simply running;
>
> yum -y update
>
> Now more Perl conflicts since our schema eliminates all of the Perl
> related problems.
>
> This will be a subscription based service with IP based secure keys
> required to access the repositories. Along with access to the
> repositories, subscribers will receive reduced support hourly rates.
>
> It will be available for testing very shortly. What do you think?
>
> Best regards,
>
> Steve
>
> Koopmann, Jan-Peter wrote:

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From alex at rtpty.com Mon Aug 18 15:21:40 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Aug 18 15:21:53 2008 Subject: yum upgrade trouble In-Reply-To: <48A98225.9090909@fsl.com> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> Message-ID: <FAF0BADC-A549-4E93-80E6-4F97724FBE4F@rtpty.com> What will the subscription be like? On Aug 18, 2008, at 9:07 AM, Stephen Swaney wrote: > Jan-peter, > > We'll shortly be announcing a version of MailScanner with all > related applications that is completely rpm based using our own yum > repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes > (using Postgres) will all be installed on CentOS 5 / RH 5 simply by > running: > > yum -y groupinstall MailScannerGold > > Best of all of the Perl Packages and all of their dependencies are > separated from the system libraries. This allows MailScanner and the > related applications as well as the system itself to be safely > updated by simply running; > > yum -y update > > Now more Perl conflicts since our schema eliminates all of the Perl > related problems. > > This will be a subscription based service with IP based secure keys > required to access the repositories. Along with access to the > repositories, subscribers will receive reduced support hourly rates. > > It will be available for testing very shortly. What do you think? 
> > Best regards, > > Steve > > Koopmann, Jan-Peter wrote: >> Hi, >> >> after installing MailScanner via install.sh my yum upgrade gives me >> trouble: >> >> Transaction Check Error: >> file /usr/share/man/man3/File::Temp.3pm.gz from install of >> perl-File-Temp-0.20-1.el5.rf conflicts with file from package >> perl-5.8.8-10.el5_2.3 >> file /usr/share/man/man3/bigint.3pm.gz from install of >> perl-bignum-0.23-1.el5.rf conflicts with file from package >> perl-5.8.8-10.el5_2.3 >> file /usr/share/man/man3/bignum.3pm.gz from install of >> perl-bignum-0.23-1.el5.rf conflicts with file from package >> perl-5.8.8-10.el5_2.3 >> >> etc. Any ideas? Is this related to install.sh installing its own perl >> modules in any way? >> >> >> Kind regards, >> JP >> >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From shuttlebox at gmail.com Mon Aug 18 15:22:09 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Mon Aug 18 15:22:20 2008 Subject: yum upgrade trouble In-Reply-To: <48A98225.9090909@fsl.com> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> Message-ID: <625385e30808180722l5a6b04f2m681c0c970278ac7c@mail.gmail.com> On Mon, Aug 18, 2008 at 4:07 PM, Stephen Swaney <steve@fsl.com> wrote: > Jan-peter, > > We'll shortly be announcing a version of MailScanner with all related > applications that is completely rpm based using our own yum repositories. > MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes (using Postgres) will > all be installed on CentOS 5 / RH 5 simply by running: > > yum -y groupinstall MailScannerGold > > Best of all of the Perl Packages and all of their dependencies are separated > from the system libraries. 
This allows MailScanner and the related > applications as well as the system itself to be safely updated by simply > running; > > yum -y update > > Now more Perl conflicts since our schema eliminates all of the Perl related > problems. > > This will be a subscription based service with IP based secure keys required > to access the repositories. Along with access to the repositories, > subscribers will receive reduced support hourly rates. > > It will be available for testing very shortly. What do you think? That's what I do for Solaris, everything MailScanner needs, including Perl itself, is separated from the OS so updates to the latter doesn't disturb MailScanner. Complete system with all dependencies pulled in automatically: # pkg-get -i mailscanner clamav spamassassin -- /peter From neilw at dcdata.co.za Mon Aug 18 15:20:19 2008 From: neilw at dcdata.co.za (Neil Wilson) Date: Mon Aug 18 15:22:49 2008 Subject: yum upgrade trouble In-Reply-To: <48A98225.9090909@fsl.com> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> Message-ID: <48A98523.7020102@dcdata.co.za> Stephen Swaney wrote: > We'll shortly be announcing a version of MailScanner with all related > applications that is completely rpm based using our own yum > repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes > (using Postgres) will all be installed on CentOS 5 / RH 5 simply by > running: > > yum -y groupinstall MailScannerGold > > Best of all of the Perl Packages and all of their dependencies are > separated from the system libraries. This allows MailScanner and the > related applications as well as the system itself to be safely updated > by simply running; > > yum -y update > > Now more Perl conflicts since our schema eliminates all of the Perl > related problems. > > This will be a subscription based service with IP based secure keys > required to access the repositories. 
Along with access to the > repositories, subscribers will receive reduced support hourly rates. > > It will be available for testing very shortly. What do you think? > > Best regards, > > Steve I think that's awesome, what about building Mailwatch into this also? Obviously MW hasn't changed in a while though, but at least it's all done in just one command. Neil This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From MailScanner at ecs.soton.ac.uk Mon Aug 18 15:45:29 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 18 15:45:51 2008 Subject: yum upgrade trouble In-Reply-To: <EMEW-k7HFW4426f02159be6127bb235c5562340d9ec-48A98523.7020102@dcdata.co.za> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <EMEW-k7HFW4426f02159be6127bb235c5562340d9ec-48A98523.7020102@dcdata.co.za> Message-ID: <48A98B09.4010000@ecs.soton.ac.uk> Neil Wilson wrote: > Stephen Swaney wrote: > > We'll shortly be announcing a version of MailScanner with all related >> applications that is completely rpm based using our own yum >> repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes >> (using Postgres) will all be installed on CentOS 5 / RH 5 simply by >> running: >> >> yum -y groupinstall MailScannerGold >> >> Best of all of the Perl Packages and all of their dependencies are >> separated from the system libraries. This allows MailScanner and the >> related applications as well as the system itself to be safely >> updated by simply running; >> >> yum -y update >> >> Now more Perl conflicts since our schema eliminates all of the Perl >> related problems. >> >> This will be a subscription based service with IP based secure keys >> required to access the repositories. Along with access to the >> repositories, subscribers will receive reduced support hourly rates. 
>> >> It will be available for testing very shortly. What do you think? >> >> Best regards, >> >> Steve > > I think that's awesome, what about building Mailwatch into this also? > > Obviously MW hasn't changed in a while though, but at least it's all > done in just one command. Fort Systems Ltd would probably prefer you bought DefenderMX instead? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Mon Aug 18 15:59:12 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Aug 18 15:59:29 2008 Subject: Kaspersky Message-ID: <29426618.29461219071552624.JavaMail.root@office.splatnix.net> Is anybody using this AV with MS and which version are you running ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From steve.freegard at fsl.com Mon Aug 18 16:09:17 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Aug 18 16:09:28 2008 Subject: yum upgrade trouble In-Reply-To: <48A98B09.4010000@ecs.soton.ac.uk> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <EMEW-k7HFW4426f02159be6127bb235c5562340d9ec-48A98523.7020102@dcdata.co.za> <48A98B09.4010000@ecs.soton.ac.uk> Message-ID: <48A9909D.9050701@fsl.com> Julian Field wrote: > > > Neil Wilson wrote: >> Stephen Swaney wrote: >> > We'll shortly be announcing a version of MailScanner with all related >>> applications that is completely rpm based using our own yum >>> repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes >>> (using Postgres) will all be installed on CentOS 5 / RH 5 simply by >>> running: >>> >>> yum -y groupinstall MailScannerGold >>> >>> Best of all of the Perl Packages and all of their dependencies are >>> separated from the system libraries. This allows MailScanner and the >>> related applications as well as the system itself to be safely >>> updated by simply running; >>> >>> yum -y update >>> >>> Now more Perl conflicts since our schema eliminates all of the Perl >>> related problems. >>> >>> This will be a subscription based service with IP based secure keys >>> required to access the repositories. Along with access to the >>> repositories, subscribers will receive reduced support hourly rates. >>> >>> It will be available for testing very shortly. What do you think? >>> >>> Best regards, >>> >>> Steve >> >> I think that's awesome, what about building Mailwatch into this also? >> >> Obviously MW hasn't changed in a while though, but at least it's all >> done in just one command. > Fort Systems Ltd would probably prefer you bought DefenderMX instead? MailWatch doesn't provide all the features of DefenderMX, just the reporting and quarantine functions. 
I'm actually building MW 2.0 into the repository as we speak as it's
part of DefenderMX 2.0 anyway, so will be available for anyone using the
repos. Plus it needs more testers anyway.

The repo doesn't just do 'regular' RPM stuff - I've spent considerable
time on a number of the packages and added RPM 'triggers' to them (hence
the requirement for CentOS 5) to automatically configure MailScanner,
SpamAssassin, ClamAV etc. as dependencies are installed, for example:

%triggerin -- clamd
echo "fsl-mailscanner install trigger: clamd"
perl -pi - /etc/MailScanner/MailScanner.conf <<EOF
s+^Incoming Work Group =.*+Incoming Work Group = clamav+i;
s+^Incoming Work Permissions =.*+Incoming Work Permissions = 0640+i;
s+^Clamd Socket =.*+Clamd Socket = /tmp/clamd.socket+i;
s+^Virus Scanners = auto+Virus Scanners = clamd+i;
EOF

This allows for optional RPMs to configure other packages on
installation automatically and to clean up on uninstallation of packages
automatically.

Cheers,
Steve.

From steve.freegard at fsl.com Mon Aug 18 16:11:15 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Aug 18 16:11:27 2008
Subject: yum upgrade trouble
In-Reply-To: <26228886.29431219068958418.JavaMail.root@office.splatnix.net>
References: <48A98225.9090909@fsl.com> <26228886.29431219068958418.JavaMail.root@office.splatnix.net>
Message-ID: <48A99113.5010400@fsl.com>

--[ UxBoD ]-- wrote:
> Will you offer a repo for the beta stream as well?

Yes - we'll have a separate repo for beta testing new perl modules and
MailScanner versions and associated software before they are moved into
the main repo.

Cheers,
Steve.
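The "%triggerin -- clamd" scriptlet quoted in Steve Freegard's message above rewrites /etc/MailScanner/MailScanner.conf as root when clamd is installed. The following is an added example, not FSL's packaging code: it replays the same four substitutions on a copy so the changes can be reviewed first. The function names and the sample configuration are constructed for illustration, and awk stands in for the scriptlet's "perl -pi".

```shell
#!/bin/sh
# Added example, not FSL's packaging code. It replays the four substitutions
# from the "%triggerin -- clamd" scriptlet without touching the input file.

# Print CONF with the scriptlet's edits applied. awk stands in for "perl -pi"
# so the file is never modified; tolower() mirrors the /i flag.
apply_trigger_edits() {
    awk '
    {
        low = tolower($0)
        if (low ~ /^incoming work group =/) {
            print "Incoming Work Group = clamav"
        } else if (low ~ /^incoming work permissions =/) {
            print "Incoming Work Permissions = 0640"
        } else if (low ~ /^clamd socket =/) {
            print "Clamd Socket = /tmp/clamd.socket"
        } else if (low ~ /^virus scanners = auto/) {
            # Only the matched prefix is replaced, as in the scriptlet, so a
            # scanner list chosen by the administrator is left untouched.
            print "Virus Scanners = clamd" substr($0, 22)
        } else {
            print
        }
    }' "$1"
}

# Print the value of setting KEY ("Name = value" lines) in CONF.
conf_value() {
    awk -v key="$2" '
    BEGIN { k = tolower(key) }
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1)
        sub(/[ \t]+$/, "", name)
        if (tolower(name) == k) {
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val)
            print val
            exit
        }
    }' "$1"
}

# Print how many lines of CONF the trigger would rewrite.
count_changed_lines() {
    tmp=$(mktemp) || return 1
    apply_trigger_edits "$1" > "$tmp"
    # diff exits 1 when the files differ and grep -c exits 1 on zero matches;
    # neither is an error here.
    n=$(diff "$1" "$tmp" | grep -c '^>' || true)
    rm -f "$tmp"
    echo "$n"
}

# Constructed sample input, not a complete MailScanner.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample for the trigger preview
Max Children = 5
Incoming Work Group =
Incoming Work Permissions = 0600
Virus Scanners = auto
Clamd Socket = /tmp/clamd
EOF
}

# Demo: show old and new lines side by side for the sample file.
demo=$(mktemp -d)
write_sample_conf "$demo/MailScanner.conf"
apply_trigger_edits "$demo/MailScanner.conf" > "$demo/after.conf"
diff "$demo/MailScanner.conf" "$demo/after.conf" || true
echo "lines changed: $(count_changed_lines "$demo/MailScanner.conf")"
rm -rf "$demo"
```

On an installed system, `rpm -q --triggers PACKAGE` (PACKAGE is a placeholder) prints a package's trigger scriptlets so they can be reviewed the same way.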
From steve.swaney at fsl.com Mon Aug 18 16:14:22 2008 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Aug 18 16:13:28 2008 Subject: yum upgrade trouble In-Reply-To: <FAF0BADC-A549-4E93-80E6-4F97724FBE4F@rtpty.com> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <FAF0BADC-A549-4E93-80E6-4F97724FBE4F@rtpty.com> Message-ID: <07be01c90145$18bc3ad0$4a34b070$@swaney@fsl.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans > Sent: Monday, August 18, 2008 10:22 AM > To: MailScanner discussion > Subject: Re: yum upgrade trouble > > What will the subscription be like? > > On Aug 18, 2008, at 9:07 AM, Stephen Swaney wrote: > > > Jan-peter, > > > > We'll shortly be announcing a version of MailScanner with all > > related applications that is completely rpm based using our own yum > > repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes > > (using Postgres) will all be installed on CentOS 5 / RH 5 simply by > > running: > > > > yum -y groupinstall MailScannerGold > > > > Best of all of the Perl Packages and all of their dependencies are > > separated from the system libraries. This allows MailScanner and the > > related applications as well as the system itself to be safely > > updated by simply running; > > > > yum -y update > > > > Now more Perl conflicts since our schema eliminates all of the Perl > > related problems. > > > > This will be a subscription based service with IP based secure keys > > required to access the repositories. Along with access to the > > repositories, subscribers will receive reduced support hourly rates. > > > > It will be available for testing very shortly. What do you think? > > > > Best regards, > > > > Steve > > Oops. 
I meant to release this to only Jan-Peter since we haven't set pricing
yet, Jan-Peter is one of our VARs and I was hoping to get some ideas from
him on what the pricing should be. Also Julian will need to bless the
pricing since part of the revenue will go to Julian to help offset his
MailScanner development and maintenance costs.

But since the cat is out of the bag, I can say that this rpm schema was
not a trivial exercise to develop and will cost a bit to maintain and
support correctly.

Currently we're thinking of pricing the service by number of machines on
the site and payment schedule. Paying yearly would be less than paying
monthly. Still we're trying to keep the pricing as affordable as possible
and less than it would cost for a local administrator to perform the same
level of maintenance.

If you have any thoughts or suggestions on pricing or the service please
email me off list.

We also hope that a simplified, low cost method of installing and
maintaining complete MailScanner systems will entice others to join the
satisfied group of MailScanner users.

You can expect a formal announcement of the pricing and availability for
this service soon.

Best regards,

Steve

Steve Swaney
Fort Systems Ltd.
Office Phone: 202 595-7760 ext. 601
Cell: 202 352-3262
Steve@fsl.com
www.fsl.com

From neilw at dcdata.co.za Mon Aug 18 16:12:52 2008
From: neilw at dcdata.co.za (Neil Wilson)
Date: Mon Aug 18 16:15:26 2008
Subject: yum upgrade trouble
In-Reply-To: <48A98B09.4010000@ecs.soton.ac.uk>
References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <EMEW-k7HFW4426f02159be6127bb235c5562340d9ec-48A98523.7020102@dcdata.co.za> <48A98B09.4010000@ecs.soton.ac.uk>
Message-ID: <48A99174.8010703@dcdata.co.za>

Julian Field wrote:

> Fort Systems Ltd would probably prefer you bought DefenderMX instead?
> > Jules True :) Neil This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From jan-peter at koopmann.eu Mon Aug 18 16:26:31 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Aug 18 16:26:47 2008 Subject: yum upgrade trouble In-Reply-To: <EMEW-k7HGGF0c194a56c999d0b94db6507deefcb32a-48A98225.9090909@fsl.com> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <EMEW-k7HGGF0c194a56c999d0b94db6507deefcb32a-48A98225.9090909@fsl.com> Message-ID: <EMEW-k7HHQc5598a0fd149a69200558ec7caadf3ecc-5F9EB2B0731E5B4D88FC20780DFD1610432568@DE-SEXB01RZ.intern.seceidos.de> > It will be available for testing very shortly. What do you think? Simple question. Simple answer: Where is my beta? :-) Great news. Thanks. Regards, JP From steve.swaney at fsl.com Mon Aug 18 16:39:53 2008 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Aug 18 16:38:58 2008 Subject: yum upgrade trouble In-Reply-To: <48A99174.8010703@dcdata.co.za> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <EMEW-k7HFW4426f02159be6127bb235c5562340d9ec-48A98523.7020102@dcdata.co.za> <48A98B09.4010000@ecs.soton.ac.uk> <48A99174.8010703@dcdata.co.za> Message-ID: <07ee01c90148$a8d5d970$fa818c50$@swaney@fsl.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Neil Wilson > Sent: Monday, August 18, 2008 11:13 AM > To: MailScanner discussion > Subject: Re: yum upgrade trouble > > Julian Field wrote: > > > Fort Systems Ltd would probably prefer you bought DefenderMX instead? > > > > Jules > > > True :) > > > Neil Actually we're trying to come up with range of MailScanner and BarricadeMX products that fit various users needs and skill levels. 
And we're trying to do this while maintaining the open source roots of
MailScanner and contributing both ideas, code and some cash to
MailScanner and MailWatch development.

Steve

Steve Swaney
steve@fsl.com
Office Phone: 202 595-7760 ext. 601

From andrew at gdcon.net Mon Aug 18 17:13:36 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Mon Aug 18 17:08:01 2008
Subject: Kaspersky
In-Reply-To: <29426618.29461219071552624.JavaMail.root@office.splatnix.net>
References: <29426618.29461219071552624.JavaMail.root@office.splatnix.net>
Message-ID: <77bf95471cb0ee58a8dc17d3626c61a2.squirrel@wm.gdcon.net>

On Mon, August 18, 2008 3:59 pm, --[ UxBoD ]-- wrote:
> Is anybody using this AV with MS and which version are you running ?
>

Someone on my forum is:
http://www.global-domination.org/forum/viewtopic.php?t=1147

You can PM/email the user through the forum.

-Andy

--
This message was scanned by ESVA and is believed to be clean.

From andrew at gdcon.net Mon Aug 18 17:37:57 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Mon Aug 18 17:32:21 2008
Subject: Spam report addressed to multiple people
In-Reply-To: <88037b741fad1c25cd75aacd8a204698.squirrel@wm.gdcon.net>
References: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net> <48A90805.20000@vanderkooij.org> <88037b741fad1c25cd75aacd8a204698.squirrel@wm.gdcon.net>
Message-ID: <4f51e024c094cf5793c3e29c0e5c0b35.squirrel@wm.gdcon.net>

On Mon, August 18, 2008 9:18 am, Andrew MacLachlan wrote:
> On Mon, August 18, 2008 6:26 am, Hugo van der Kooij wrote:
>
>>
>> But do you split messages before MailScanner? It sounds like you don't
>> do that (properly).
>
> OK - any pointers to the _correct_ way of doing this with PF?
>

After spending some quality time with Google I found this:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient

Is this still valid?

--
This message was scanned by ESVA and is believed to be clean.
From ssilva at sgvwater.com Tue Aug 19 00:03:14 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 19 00:04:21 2008 Subject: Spam report addressed to multiple people In-Reply-To: <4f51e024c094cf5793c3e29c0e5c0b35.squirrel@wm.gdcon.net> References: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net> <48A90805.20000@vanderkooij.org> <88037b741fad1c25cd75aacd8a204698.squirrel@wm.gdcon.net> <4f51e024c094cf5793c3e29c0e5c0b35.squirrel@wm.gdcon.net> Message-ID: <g8cv4u$7pf$1@ger.gmane.org> on 8-18-2008 9:37 AM Andrew MacLachlan spake the following: > On Mon, August 18, 2008 9:18 am, Andrew MacLachlan wrote: >> On Mon, August 18, 2008 6:26 am, Hugo van der Kooij wrote: >> >>> But do you split messages before MailScanner? It sounds like you don't >>> do that (properly). >> OK - any pointers to the _correct_ way of doing this with PF? >> > After spending some quality time with Google I found this: > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient > > Is this still valid? > > It should still be valid. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080818/0bdfa974/signature.bin From andrew at gdcon.net Tue Aug 19 01:19:54 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Tue Aug 19 01:20:14 2008 Subject: Spam report addressed to multiple people In-Reply-To: <g8cv4u$7pf$1@ger.gmane.org> References: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net> <48A90805.20000@vanderkooij.org> <88037b741fad1c25cd75aacd8a204698.squirrel@wm.gdcon.net> <4f51e024c094cf5793c3e29c0e5c0b35.squirrel@wm.gdcon.net> <g8cv4u$7pf$1@ger.gmane.org> Message-ID: <48AA11AA.3060000@gdcon.net> Scott Silva wrote: >>>> But do you split messages before MailScanner? It sounds like you don't >>>> do that (properly). >>> OK - any pointers to the _correct_ way of doing this with PF? >>> >> After spending some quality time with Google I found this: >> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient >> >> >> Is this still valid? >> >> > It should still be valid. > Does anyone have experience of using this configuration on a busy system? - I'm a little concerned about the caveats in the doc - what's the busiest system anyone would recommend this to be implemented on? -Andy -- This message was scanned by ESVA and is believed to be clean. From gcle at smcaus.com.au Tue Aug 19 05:06:33 2008 From: gcle at smcaus.com.au (Gerard Cleary) Date: Tue Aug 19 05:07:02 2008 Subject: Kaspersky In-Reply-To: <29426618.29461219071552624.JavaMail.root@office.splatnix.net> References: <29426618.29461219071552624.JavaMail.root@office.splatnix.net> Message-ID: <200808191406.33298.gcle@smcaus.com.au> On Tue, 19 Aug 2008 00:59:12 --[ UxBoD ]-- wrote: > Is anybody using this AV with MS and which version are you running ? 
> > Regards, > > -- > --[ UxBoD ]-- We're currently using version 5.5.10 of the Kaspersky product kav4mailservers, sendmail 8.14.1 and MailScanner 4.65.3. I'm just in the process of building a new box which will use Kaspersky version 5.6.26 of kav4lms with sendmail 8.14.3 and MailScanner 4.70 but this won't be ready for another week or so. All the best, Gerard. -- Gerard Cleary SMC Systems Administration Ph: +61 2 9354 8222 -- This email message and any related attachments are confidential and should only be read by those persons to whom they were addressed. They may contain copyright, personal or legally privileged information. If you are not the intended recipient of this email, any use of this information is strictly prohibited and it must be deleted from your system. Views expressed in this message are the views of the sender and are not necessarily views of SMC Corporation, or it's subsidiaries, except where the message expressly states otherwise. Any advice contained herein should be treated as preliminary advice only and subject to formal written confirmation. Although this email and any attachments are believed to be free of any virus or any other defect which may cause damage or loss, it is the responsibility of the recipient to ensure that they are virus-free. SMC accepts no liability for any loss or damage that may occur as a result of the transmission of this email or its attachments to the recipient. 
From jan-peter at koopmann.eu Tue Aug 19 07:29:10 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Aug 19 07:29:37 2008 Subject: Kaspersky In-Reply-To: <EMEW-k7I6Fv92d811311b65d1d2cfd7a937a4d25076-200808191406.33298.gcle@smcaus.com.au> References: <29426618.29461219071552624.JavaMail.root@office.splatnix.net> <EMEW-k7I6Fv92d811311b65d1d2cfd7a937a4d25076-200808191406.33298.gcle@smcaus.com.au> Message-ID: <EMEW-k7I8YOb173dc6fc80f1947eb2350be7350b7ae-5F9EB2B0731E5B4D88FC20780DFD161043259F@DE-SEXB01RZ.intern.seceidos.de> Hi, > We're currently using version 5.5.10 of the Kaspersky product kav4mailservers, > sendmail 8.14.1 and MailScanner 4.65.3. Why are you using the mailserver version? Any technical reason or due to license restrictions of Kaspersky? Does the mailserver version include a command-line only option? Thanks, JP From tgc at statsbiblioteket.dk Tue Aug 19 08:06:28 2008 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Tue Aug 19 08:06:38 2008 Subject: yum upgrade trouble In-Reply-To: <48A98225.9090909@fsl.com> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> Message-ID: <48AA70F4.5020004@statsbiblioteket.dk> Stephen Swaney wrote: > Jan-peter, > > We'll shortly be announcing a version of MailScanner with all related > applications that is completely rpm based using our own yum > repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes > (using Postgres) will all be installed on CentOS 5 / RH 5 simply by running: > > yum -y groupinstall MailScannerGold > > Best of all of the Perl Packages and all of their dependencies are > separated from the system libraries. This allows MailScanner and the > related applications as well as the system itself to be safely updated > by simply running; > > yum -y update > > Now more Perl conflicts since our schema eliminates all of the Perl > related problems. 
> > This will be a subscription based service with IP based secure keys > required to access the repositories. Along with access to the > repositories, subscribers will receive reduced support hourly rates. > > It will be available for testing very shortly. What do you think? > Technically I like it, we shall see about the pricing though. Will the src.rpms be available to all or only to customers? -tgc From jcputter at centreweb.co.za Tue Aug 19 08:25:07 2008 From: jcputter at centreweb.co.za (JC Putter) Date: Tue Aug 19 08:26:22 2008 Subject: yum upgrade trouble In-Reply-To: <48AA70F4.5020004@statsbiblioteket.dk> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <48AA70F4.5020004@statsbiblioteket.dk> Message-ID: <000001c901cc$b516db60$1f449220$@co.za> Why pay for something that is already "free-beer" and easy to deploy? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tom G. Christensen Sent: 19 August 2008 09:06 AM To: MailScanner discussion Subject: Re: yum upgrade trouble Stephen Swaney wrote: > Jan-peter, > > We'll shortly be announcing a version of MailScanner with all related > applications that is completely rpm based using our own yum > repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes > (using Postgres) will all be installed on CentOS 5 / RH 5 simply by running: > > yum -y groupinstall MailScannerGold > > Best of all of the Perl Packages and all of their dependencies are > separated from the system libraries. This allows MailScanner and the > related applications as well as the system itself to be safely updated > by simply running; > > yum -y update > > Now more Perl conflicts since our schema eliminates all of the Perl > related problems. 
> > This will be a subscription based service with IP based secure keys > required to access the repositories. Along with access to the > repositories, subscribers will receive reduced support hourly rates. > > It will be available for testing very shortly. What do you think? > Technically I like it, we shall see about the pricing though. Will the src.rpms be available to all or only to customers? -tgc -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jan-peter at koopmann.eu Tue Aug 19 08:34:14 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Aug 19 08:34:34 2008 Subject: SpamAssassin Temp Dir running full Message-ID: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> Hi, I just noticed that on several machines the SpamAssassin Temp Dir is running full. All SpamAssassin runs seem to leave .tmp files and directories there. The question is: Why are they not deleted? Is this a bug or a debug setting (maybe in Spamassassin) which I forgot about? Any ideas? Regards, JP -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080819/c899803f/attachment.html From MailScanner at ecs.soton.ac.uk Tue Aug 19 08:58:25 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 19 08:58:47 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> Message-ID: <48AA7D21.2010801@ecs.soton.ac.uk> Koopmann, Jan-Peter wrote: > > Hi, > > > > I just noticed that on several machines the SpamAssassin Temp Dir is > running full. All SpamAssassin runs seem to leave .tmp files and > directories there. The question is: Why are they not deleted? > SpamAssassin should delete them. > > Is this a bug or a debug setting (maybe in Spamassassin) which I > forgot about? > Bug, I suspect. Mine are okay /var/spool/MailScanner/incoming/SpamAssassin-Temp, they have a few old files in them, but not loads. I believe I'm running the latest SpamAssassin (325). Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From jonas at vrt.dk Tue Aug 19 09:13:02 2008 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Tue Aug 19 09:13:30 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <48AA7D21.2010801@ecs.soton.ac.uk> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> Message-ID: <003801c901d3$66ad9930$3408cb90$@dk> Koopmann, Jan-Peter wrote: > > Hi, > > > > I just noticed that on several machines the SpamAssassin Temp Dir is > running full. All SpamAssassin runs seem to leave .tmp files and > directories there. The question is: Why are they not deleted? > SpamAssassin should delete them. > > Is this a bug or a debug setting (maybe in Spamassassin) which I > forgot about? > Bug, I suspect. Mine are okay /var/spool/MailScanner/incoming/SpamAssassin-Temp, they have a few old files in them, but not loads. I believe I'm running the latest SpamAssassin (325). Jules -- Could it be caused by MailScanner children dying now and then? Have you had any other issues with your MS recently? Best regards Jonas A. Larsen From jan-peter at koopmann.eu Tue Aug 19 09:35:22 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Aug 19 09:35:45 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <EMEW-k7IA6U048f33eb178d72ff28bb811eca873cd5-48AA7D21.2010801@ecs.soton.ac.uk> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <EMEW-k7IA6U048f33eb178d72ff28bb811eca873cd5-48AA7D21.2010801@ecs.soton.ac.uk> Message-ID: <EMEW-k7IAZY9f0d051a28a35f10df323476d176a825-5F9EB2B0731E5B4D88FC20780DFD16104325B2@DE-SEXB01RZ.intern.seceidos.de> There was a similar post back in August 2007. I am currently running 3.2.4. I cannot see those files on a BarricadeMX system with spamd. So I am not sure if this is a spamd problem or a MailScanner problem. 
From fssilva at gmail.com Tue Aug 19 11:51:13 2008 From: fssilva at gmail.com (Fabio Silva) Date: Tue Aug 19 11:51:24 2008 Subject: Probem with mailscanner + fetchmail + mailwatch Message-ID: <c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> Hello all, i have a server that gets email from another server with fetchmail... no problem.. its working fine... and... i have mailscanner to scan the mails for virus and spam anddd.. extensions attachments... and.. the mailwatch to see the email traffic and statistics from web.. I have done this steps form mailwatch.. http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq#why_are_messages_quarantined_again_when_i_release_them_in_mailwatch But... im using fetchmail.. and when i use fetchmail.. all mail is delivered to postfix from IP 127.0.0.1 ... and... to solve the above problem i have all mail classified as Whitelist... Does anybody have any clue about how to solve it?? Best Regards... -- Fabio S. Silva Mail: fssilva@gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080819/0d1c031b/attachment.html From MailScanner at ecs.soton.ac.uk Tue Aug 19 12:06:54 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 19 12:07:13 2008 Subject: {Disarmed} Probem with mailscanner + fetchmail + mailwatch In-Reply-To: <EMEW-k7IBxya441c5b80b227f76651c80427c87b1d8-c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> References: <EMEW-k7IBxya441c5b80b227f76651c80427c87b1d8-c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> Message-ID: <48AAA94E.1030006@ecs.soton.ac.uk> Fabio Silva wrote: > Hello all, i have a server that gets email from another server with > fetchmail... no problem.. its working fine... and... i have > mailscanner to scan the mails for virus and spam anddd.. extensions > attachments... and.. the mailwatch to see the email traffic and > statistics from web.. 
> > I have done this steps form mailwatch.. > http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq#why_are_messages_quarantined_again_when_i_release_them_in_mailwatch > > But... im using fetchmail.. and when i use fetchmail.. all mail is > delivered to postfix from IP 127.0.0.1 <http://127.0.0.1> ... and... > to solve the above problem i have all mail classified as Whitelist... > > Does anybody have any clue about how to solve it?? Fetchmail is running on your local machine, and is using SMTP to deliver mail to Postfix, just like it's supposed to. As a result, the IP address of the machine sending the SMTP traffic is your system, i.e. localhost. The only thing that will make MailScanner read the IP address from the first Received: header in the message (this is a Postfix-only behaviour I seem to remember) is when there isn't an IP address in the message's envelope details at all. So if you can get fetchmail to inject the message straight into Postfix without using SMTP (you'll have to check the fetchmail+Postfix docs to see if this is possible) then MailScanner will pull out the IP address you want. Others more familiar with the deeper innards of fetchmail can probably tell us more. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From velda.midanovic at trezor.sr.gov.yu Tue Aug 19 12:23:39 2008 From: velda.midanovic at trezor.sr.gov.yu (Velda Midanovic) Date: Tue Aug 19 12:30:46 2008 Subject: A reports problem Message-ID: <002401c901ee$0da39b80$28ead280$@midanovic@trezor.sr.gov.yu> Reports are working fine. 
Except one (and even that one USED to work). And that one is "SpamAssassin Rule Hits" <http://mailscanner.ujp.sr.gov.yu/rep_sa_rule_hits.php>. It is quite important because I periodically remove key words that are no longer "valid". Now it gives an error message in http log : ---- PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/mailscanner/rep_sa_rule_hits ---- I have no idea how to solve this. Please help. Velda
From list-mailscanner at linguaphone.com Tue Aug 19 12:35:56 2008 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 19 12:36:13 2008 Subject: A reports problem In-Reply-To: <002401c901ee$0da39b80$28ead280$@midanovic@trezor.sr.gov.yu> References: <002401c901ee$0da39b80$28ead280$@midanovic@trezor.sr.gov.yu> Message-ID: <1219145756.15423.9.camel@gblades-suse.linguaphone-intranet.co.uk> It's taking too long to run. Either increase the maximum execution time in php.ini or add a filter to the reports to restrict the date range so the report doesn't have as much work to do and therefore takes <30 seconds to run. On Tue, 2008-08-19 at 12:23, Velda Midanovic wrote: > Reports are working fine. > > Except one (and even that one USED to work). And that one is > "SpamAssassin Rule Hits" . It is quite important because I > periodically remove key words that are no longer "valid". Now it gives > an error message in http log : > > ---- > > PHP Fatal error: Maximum execution time of 30 seconds exceeded in > /var/www/html/mailscanner/rep_sa_rule_hits > > ---- > > I have no idea how to solve this. > > Please help. > > Velda
From exp at protos.mine.nu Tue Aug 19 12:50:42 2008 From: exp at protos.mine.nu (Hans Bergman) Date: Tue Aug 19 12:48:08 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <48AA7D21.2010801@ecs.soton.ac.uk> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> Message-ID: <48AAB392.5030301@protos.mine.nu> Julian Field wrote: > > > Koopmann, Jan-Peter wrote: >> >> Hi, >> >> >> >> I just noticed that on several machines the SpamAssassin Temp Dir is >> running full. All SpamAssassin runs seem to leave .tmp files and >> directories there. The question is: Why are they not deleted? >> > SpamAssassin should delete them. >> >> Is this a bug or a debug setting (maybe in Spamassassin) which I >> forgot about? >> > Bug, I suspect. Mine are okay > /var/spool/MailScanner/incoming/SpamAssassin-Temp, they have a few old > files in them, but not loads. > > I believe I'm running the latest SpamAssassin (325). > > Jules > I have 166344 hidden files in my SpamAssassin-Temp dir ;) Hans
From MailScanner at ecs.soton.ac.uk Tue Aug 19 13:53:30 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 19 13:53:53 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <EMEW-k7ICqK206c06fb71c3b12858a453f89f94ee6b-48AAB392.5030301@protos.mine.nu> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> <EMEW-k7ICqK206c06fb71c3b12858a453f89f94ee6b-48AAB392.5030301@protos.mine.nu> Message-ID: <48AAC24A.6000001@ecs.soton.ac.uk> Hans Bergman wrote: > Julian Field wrote: >> >> >> Koopmann, Jan-Peter wrote: >>> >>> Hi, >>> >>> >>> >>> I just noticed that on several machines the SpamAssassin Temp Dir is >>> running full. All SpamAssassin runs seem to leave .tmp files and >>> directories there. The question is: Why are they not deleted? >>> >> SpamAssassin should delete them. >>> >>> Is this a bug or a debug setting (maybe in Spamassassin) which I >>> forgot about? >>> >> Bug, I suspect. Mine are okay >> /var/spool/MailScanner/incoming/SpamAssassin-Temp, they have a few >> old files in them, but not loads. >> >> I believe I'm running the latest SpamAssassin (325). >> >> Jules >> > I have 166344 hidden files in my SpamAssassin-Temp dir ;) In which case I recommend
find /var/spool/MailScanner/incoming/SpamAssassin-Temp -mtime +1 -print | xargs rm -f
Jules
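A more defensive form of the age-based cleanup recommended above, suitable for the cron job proposed later in the thread. This is an added example, not part of any poster's message and not MailScanner code; the function name `clean_sa_temp`, its arguments and the `dry-run` flag are assumptions, and a find with `-mindepth`, `-mmin`, `-empty` and `-delete` (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example: age-based cleanup of a scanner temp directory such as
# /var/spool/MailScanner/incoming/SpamAssassin-Temp (path from the thread).

# clean_sa_temp DIR [MIN_AGE_MINUTES] [dry-run]
#   Pass 1 removes non-directory entries older than MIN_AGE_MINUTES
#   (default 1440 = 24 hours, the age the thread calls "very safe").
#   Pass 2 removes directories that are empty AND older than the same age,
#   so a directory a running scan has just created is left alone.
#   A directory emptied by pass 1 gets a fresh mtime and is therefore
#   collected on a later run, once it has aged again.
#   Returns 0 on success, 1 if find reported an error, 2 on a bad argument.
clean_sa_temp() {
    sa_dir=$1
    sa_age=${2:-1440}
    sa_action=-delete
    if [ "${3:-}" = "dry-run" ]; then
        sa_action=-print      # only list what would be removed
    fi

    # Refuse relative paths, the root directory, symlinks and non-directories,
    # so a typo or an unset variable in a cron entry cannot widen the target.
    case $sa_dir in
        /*) ;;
        *) echo "clean_sa_temp: need an absolute path, got '$sa_dir'" >&2
           return 2 ;;
    esac
    if [ "$sa_dir" = "/" ] || [ -L "$sa_dir" ] || [ ! -d "$sa_dir" ]; then
        echo "clean_sa_temp: '$sa_dir' is not a usable directory" >&2
        return 2
    fi

    # The age must be a plain non-negative integer.
    case $sa_age in
        ''|*[!0-9]*) echo "clean_sa_temp: bad age '$sa_age'" >&2
                     return 2 ;;
    esac

    # -mindepth 1 keeps DIR itself; -xdev stays on DIR's filesystem.
    # find removes each entry itself, so names containing spaces or newlines
    # are never re-split the way they are by a plain "| xargs rm -f".
    find "$sa_dir" -mindepth 1 -xdev ! -type d \
         -mmin "+$sa_age" "$sa_action" || return 1

    # Leftover directories: only when empty and old.
    find "$sa_dir" -mindepth 1 -xdev -type d -empty \
         -mmin "+$sa_age" "$sa_action" || return 1

    return 0
}
```

Run it with `dry-run` as the third argument first to see what a scheduled run would remove.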
From glenn.steen at gmail.com Tue Aug 19 14:28:57 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 19 14:29:07 2008 Subject: Spam report addressed to multiple people In-Reply-To: <48AA11AA.3060000@gdcon.net> References: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net> <48A90805.20000@vanderkooij.org> <88037b741fad1c25cd75aacd8a204698.squirrel@wm.gdcon.net> <4f51e024c094cf5793c3e29c0e5c0b35.squirrel@wm.gdcon.net> <g8cv4u$7pf$1@ger.gmane.org> <48AA11AA.3060000@gdcon.net> Message-ID: <223f97700808190628m45126809y197720c323462533@mail.gmail.com> 2008/8/19 Andrew MacLachlan <andrew@gdcon.net>: > Scott Silva wrote: >>>>> >>>>> But do you split messages before MailScanner? It sounds like you don't >>>>> do that (properly). >>>> >>>> OK - any pointers to the _correct_ way of doing this with PF? >>>> >>> After spending some quality time with Google I found this: >>> >>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient >>> >>> Is this still valid? >>> >>> >> It should still be valid. >> > Does anyone have experience of using this configuration on a busy system? - > I'm a little concerned about the caveats in the doc - what's the busiest > system anyone would recommend this to be implemented on? > > -Andy > Which of the caveats concerns you most? The concerns about performance isn't anything I've experienced, just something logically less-than-optimal... The real hit in this would be from SA, but if you use the SA results cache... that should mitigate things pretty OK. I haven't got any substantial volume, so cannot say how it will stand up to pressure on a "busy" server. It operates very well with *our* distribution of multi-recipient mails and an average of 6K messages/day on a rather weak desktop box... lab equipment that during a time of ... crisis... had to step in and do the production work (while I busily built a few new boxes:-). 
As I say in the test (IIRC:-), I have very little use for it myself, so ... the new boxes wasn't set up with it. There are other effects, mainly with what you *cannot* do in a ruleset while employing this setup, but I think those are covered in the notes. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Aug 19 14:46:48 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 19 14:46:58 2008 Subject: Probem with mailscanner + fetchmail + mailwatch In-Reply-To: <c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> References: <c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> Message-ID: <223f97700808190646q1581d8aj7aa1380c5daa83a4@mail.gmail.com> 2008/8/19 Fabio Silva <fssilva@gmail.com>: > Hello all, i have a server that gets email from another server with > fetchmail... no problem.. its working fine... and... i have mailscanner to > scan the mails for virus and spam anddd.. extensions attachments... and.. > the mailwatch to see the email traffic and statistics from web.. > > I have done this steps form mailwatch.. > http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq#why_are_messages_quarantined_again_when_i_release_them_in_mailwatch > > But... im using fetchmail.. and when i use fetchmail.. all mail is delivered > to postfix from IP 127.0.0.1 ... and... to solve the above problem i have > all mail classified as Whitelist... > > Does anybody have any clue about how to solve it?? > > Best Regards... This is exactly the same problem you have when using my little ... well, Pete Russell called it "hackish"... solution to split mails into one/recipient. So if you look at the notes at the end of that wiki page, you'll find a solution for this problem, based around submitting mails to another smtpd listener on a high port... that doesn't include the header checks... 
Look at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient#notes (beware line-wrapping) for the details. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From steve at fsl.com Tue Aug 19 15:07:44 2008 From: steve at fsl.com (Stephen Swaney) Date: Tue Aug 19 15:07:57 2008 Subject: yum upgrade trouble In-Reply-To: <000001c901cc$b516db60$1f449220$@co.za> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <48AA70F4.5020004@statsbiblioteket.dk> <000001c901cc$b516db60$1f449220$@co.za> Message-ID: <48AAD3B0.3040703@fsl.com> JC Putter wrote: > Why pay for something that is already "free-beer" and easy to deploy? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tom G. > Christensen > Sent: 19 August 2008 09:06 AM > To: MailScanner discussion > Subject: Re: yum upgrade trouble > > Stephen Swaney wrote: > >> Jan-peter, >> >> We'll shortly be announcing a version of MailScanner with all related >> applications that is completely rpm based using our own yum >> repositories. MailScanner, SpamAssassin, Razor ClamAV, DCC and Bayes >> (using Postgres) will all be installed on CentOS 5 / RH 5 simply by >> > running: > >> yum -y groupinstall MailScannerGold >> >> Best of all of the Perl Packages and all of their dependencies are >> separated from the system libraries. This allows MailScanner and the >> related applications as well as the system itself to be safely updated >> by simply running; >> >> yum -y update >> >> Now more Perl conflicts since our schema eliminates all of the Perl >> related problems. >> >> This will be a subscription based service with IP based secure keys >> required to access the repositories. 
Along with access to the >> repositories, subscribers will receive reduced support hourly rates. >> >> It will be available for testing very shortly. What do you think? >> >> > Technically I like it, we shall see about the pricing though. > > Will the src.rpms be available to all or only to customers? > > -tgc > The distribution will be based on the rpms in a yum groupinstall package and only available for Red Hat 5.x and CentOS 5.x. It's relatively easy to migrate MailScanner from any OS to the MailScannerGold package since the full install of the operating system and all MailScanner related applications take about an hour and most of that time is unattended. After that its just a matter of moving configuration files. We're trying to price this service so that it's attractive based on the fact that it's less expensive to subscribe than paying for the time it would take a system admin to keep the MailScanner system fully up to date. That way it's your choice on what is the most cost effective way to keep your systems up to date. And MailScanner of course, will always be a free open source application. We are working to have the announcement of the service with full details and pricing ready in a week or two. Best regards, Steve Steve Swaney steve@fsl.com Cell: 202 352.3262 Office: 202 595.7760, ext 601 www.fsl.com From ssilva at sgvwater.com Tue Aug 19 17:33:25 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 19 17:33:46 2008 Subject: yum upgrade trouble In-Reply-To: <000001c901cc$b516db60$1f449220$@co.za> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <48AA70F4.5020004@statsbiblioteket.dk> <000001c901cc$b516db60$1f449220$@co.za> Message-ID: <g8eskl$q6g$1@ger.gmane.org> on 8-19-2008 12:25 AM JC Putter spake the following: > Why pay for something that is already "free-beer" and easy to deploy? 
> You would only be paying for the "service", not the software. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080819/cb97497b/signature.bin From ssilva at sgvwater.com Tue Aug 19 17:36:59 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 19 17:40:14 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <48AAB392.5030301@protos.mine.nu> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> <48AAB392.5030301@protos.mine.nu> Message-ID: <g8esrb$q6g$2@ger.gmane.org> on 8-19-2008 4:50 AM Hans Bergman spake the following: > Julian Field skrev: >> >> >> Koopmann, Jan-Peter wrote: >>> >>> Hi, >>> >>> >>> >>> I just noticed that on several machines the SpamAssassin Temp Dir is >>> running full. All SpamAssassin runs seem to leave .tmp files and >>> directories there. The question is: Why are they not deleted? >>> >> SpamAssassin should delete them. >>> >>> Is this a bug or a debug setting (maybe in Spamassassin) which I >>> forgot about? >>> >> Bug, I suspect. Mine are okay >> /var/spool/MailScanner/incoming/SpamAssassin-Temp, they have a few old >> files in them, but not loads. >> >> I believe I'm running the latest SpamAssassin (325). >> >> Jules >> > I have 166344 hidden files in my SpamAssassin-Temp dir ;) > > > Hans > I would set up a cron job to keep it clean until you find out what is happening. Do you get a lot of timeouts? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080819/aae3a2c3/signature.bin From drew.marshall at technologytiger.net Tue Aug 19 19:19:51 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Tue Aug 19 19:20:07 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <g8esrb$q6g$2@ger.gmane.org> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> <48AAB392.5030301@protos.mine.nu> <g8esrb$q6g$2@ger.gmane.org> Message-ID: <FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> On 19 Aug 2008, at 17:36, Scott Silva wrote: >> I have 166344 hidden files in my SpamAssassin-Temp dir ;) >> Hans > I would set up a cron job to keep it clean until you find out what > is happening. Do you get a lot of timeouts? Now that's interesting. I get time outs, randomly, and have ~38Mb of temp files that shouldn't be there. I'm running 3.2.5. 
Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system <www.mail-launder.com> Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From jan-peter at koopmann.eu Tue Aug 19 19:55:46 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Aug 19 19:56:09 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <EMEW-k7IKR4efc1d578a456700843c9fced07594205-FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk><48AAB392.5030301@protos.mine.nu> <g8esrb$q6g$2@ger.gmane.org> <EMEW-k7IKR4efc1d578a456700843c9fced07594205-FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> Message-ID: <EMEW-k7IKu0b9af47500d2cf6fe78f80b2ec6903bdd-5F9EB2B0731E5B4D88FC20780DFD161043263E@DE-SEXB01RZ.intern.seceidos.de> Ok. So I am not alone! That's the good news... Setting up the cronjob to fix a problem is bad news but better than nothing. :-) From drew.marshall at technologytiger.net Tue Aug 19 20:02:26 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Tue Aug 19 20:02:40 2008 Subject: Probem with mailscanner + fetchmail + mailwatch In-Reply-To: <c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> References: <c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> Message-ID: <269283E4-1509-4697-AFD0-EE9ABFE4FED0@technologytiger.net> On 19 Aug 2008, at 11:51, Fabio Silva wrote: > Hello all, i have a server that gets email from another server with > fetchmail... no problem.. its working fine... and... i have > mailscanner to scan the mails for virus and spam anddd.. extensions > attachments... and.. 
the mailwatch to see the email traffic and > statistics from web.. > > I have done this steps form mailwatch.. http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq#why_are_messages_quarantined_again_when_i_release_them_in_mailwatch > > But... im using fetchmail.. and when i use fetchmail.. all mail is > delivered to postfix from IP Mail Launder has detected a possible > fraud attempt from "127.0.0.1" claiming to be 127.0.0.1 ... and... > to solve the above problem i have all mail classified as Whitelist... > > Does anybody have any clue about how to solve it?? Get Fetchmail to deliver to the external IP of your server and not to the loopback interface. You can do this by specifying smtphost in your fetchmailrc file. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system <www.mail-launder.com> Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080819/cb418405/attachment.html From ssilva at sgvwater.com Tue Aug 19 20:14:15 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 19 20:14:36 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> <48AAB392.5030301@protos.mine.nu> <g8esrb$q6g$2@ger.gmane.org> <FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> Message-ID: <g8f628$cn$1@ger.gmane.org> on 8-19-2008 11:19 AM Drew Marshall spake the following: > On 19 Aug 2008, at 17:36, Scott Silva wrote: >>> I have 166344 hidden files in my SpamAssassin-Temp dir ;) >>> Hans >> I would set up a cron job to keep it clean until you find out what is >> happening. Do you get a lot of timeouts? > > Now that's interesting. I get time outs, randomly, and have ~38Mb of > temp files that shouldn't be there. I'm running 3.2.5. > > Drew > I had that problem also when I had timeouts. It seems that when spamassassin times out, it never gets to the cleanup stage. I don't know if it is a spamassassin issue or a MailScanner issue, but the real problem is the timeouts. Cleaning the temp files over a few hours old by mtime should be safe. or over 24 hours old should be very safe. Fixing the timeouts should be a priority, as any timed out messages will get into your users. MailScanner passes the timed out scans because Julian wanted no mail lost by errors like this. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080819/2cc84934/signature.bin From jan-peter at koopmann.eu Tue Aug 19 20:22:16 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Aug 19 20:22:46 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <EMEW-k7ILKg5d936e2c6d9801bb0b218afcd578ad8d-g8f628$cn$1@ger.gmane.org> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> <48AAB392.5030301@protos.mine.nu><g8esrb$q6g$2@ger.gmane.org><FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> <EMEW-k7ILKg5d936e2c6d9801bb0b218afcd578ad8d-g8f628$cn$1@ger.gmane.org> Message-ID: <EMEW-k7ILMY37e79201049c67892606fdf85ded2557-5F9EB2B0731E5B4D88FC20780DFD1610432647@DE-SEXB01RZ.intern.seceidos.de> > I had that problem also when I had timeouts. Well I am not seeing timeouts at least none that would explain that amount of tmp files. It looks like SpamAssassin here keeps all tempfiles. Not sure why... From jcputter at centreweb.co.za Tue Aug 19 20:38:52 2008 From: jcputter at centreweb.co.za (JC Putter) Date: Tue Aug 19 20:40:12 2008 Subject: {Disarmed} Re: Probem with mailscanner + fetchmail + mailwatch In-Reply-To: <269283E4-1509-4697-AFD0-EE9ABFE4FED0@technologytiger.net> References: <c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> <269283E4-1509-4697-AFD0-EE9ABFE4FED0@technologytiger.net> Message-ID: <001a01c90233$35f02cd0$a1d08670$@co.za> MailScanner without being quarantined again. 
Set the following in /opt/MailScanner/etc/Mailscanner.conf: Search for "Scan Messages", mine is around line 292, then set as:

Scan Messages = %rules-dir%/scan.messages.rules

Next, move into the /opt/MailScanner/etc/rules directory and create scan.messages.rules: (NB this depends on your distro; for CentOS, /etc/MailScanner/rules)

On your newly created scan.messages.rules file add these entries

From: 127.0.0.1 no
FromOrTo: default yes

From roland at inbox4u.de Tue Aug 19 21:11:43 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Tue Aug 19 20:59:20 2008
Subject: AW: AW: AW: New beta released
In-Reply-To: <cf9493eb382db04382c70008a25eb7ff@solidstatelogic.com>
References: <48A3F250.8050303@ecs.soton.ac.uk> <cf9493eb382db04382c70008a25eb7ff@solidstatelogic.com>
Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108E90F0EAD@TS-DC2.ts-webarts.local>

Hi All,

just to keep you up-to-date: the problem seems to be partially solved, although I am not convinced. Please correct me, if I am wrong. I remember that signing clean messages was working in the past for mails in TNEF format too. This seems not to work anymore. Maybe there is a problem with the format, Exchange 2007 delivers.

However, I realized, that the function "Use TNEF Contents = Replace" does not work properly anymore, as all attachments are doubled in fact it works as if "Use TNEF Contents" was set to "add".

Does someone have Microsoft Exchange 2007 as mailbox server? If yes, do you have similar problems?

Regards,

Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
> Sent: Thursday, 14 August 2008 11:08
> To: MailScanner discussion
> Subject: RE: AW: AW: New beta released
>
> Roland
>
> Can the mailscanner user read the signature file?
>
> Can you put the html sig somewhere ([pastebin?) so we can have a look
> to make sure it's reasonable html?
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> > Of Julian Field
> > Sent: 14 August 2008 09:53
> > To: MailScanner discussion
> > Subject: Re: AW: AW: New beta released
> >
> >
> >
> > Ehle, Roland wrote:
> > >> Ehle, Roland wrote:
> > >>
> > >>> Jules,
> > >>>
> > >>> no performance impact so far on my machine, dealing with ~ 35k
> > >>>
> > >> messages. One thing I realized and did not find the reason so far:
> > >> Sign Clean Messages option does not work for HTML-Messages anymore
> > >> :-( Only Text-messages are signed. So probably something
> > has happened.
> > >>
> > >> Have you noticed there are quite a few new config options
> > to do with
> > >> signing HTML messages. You well might be falling foul of
> > one of them.
> > >> Please can you double check with the new options for me?
> > >>
> > > [...]
> > >
> > > I noticed the config options that deal with signing
> > messages. I have the following settings:
> > >
> > > Inline HTML Signature = /etc/MailScanner/rules/sign-html.rules
> > > Inline Text Signature = /etc/MailScanner/rules/sign-text.rules
> > > Sign Messages Already Processed = yes
> > > Sign Clean Messages = /etc/MailScanner/rules/signature.rules
> > > Attach Image To Signature = no
> > > Allow Multiple HTML Signatures = yes
> > > Dont Sign HTML If Headers Exist = # In-Reply-To: References:
> > >
> > > I have copied the working sign-text.rules to
> > sign-html.rules to make sure, that it is not a problem with
> > the rules file.
I have triple checked all configuration
> > options and found no errors in the configuration. Text
> > E-Mails are signed, as it should be, but neither HTML nor
> > Richtext formatted messages are signed.
> > >
> > > I use Exchange 2k7 as Mailserver.
> > >
> > Just tried that bunch of settings for you, and it works fine for me.
> >
> > Jules
From MailScanner at ecs.soton.ac.uk Tue Aug 19 21:11:43 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 19 21:12:05 2008
Subject: AW: AW: AW: New beta released
In-Reply-To: <EMEW-k7IL4Y6e8607f43e2f2f20363bea00f67a2cd5-D0C18CC5B0171C419B96B1D3ADFD783108E90F0EAD@TS-DC2.ts-webarts.local>
References: <48A3F250.8050303@ecs.soton.ac.uk> <cf9493eb382db04382c70008a25eb7ff@solidstatelogic.com> <EMEW-k7IL4Y6e8607f43e2f2f20363bea00f67a2cd5-D0C18CC5B0171C419B96B1D3ADFD783108E90F0EAD@TS-DC2.ts-webarts.local>
Message-ID: <48AB28FF.5060600@ecs.soton.ac.uk>

Can you mail me off-list first thing tomorrow morning GMT, and I'll take a look at this. I wish I could remember what I did that appeared to cause quite so much damage! :-(

Ehle, Roland wrote:
> Hi All,
>
> just to keep you up-to-date: the problem seems to be partially solved, although I am not convinced. Please correct me, if I am wrong. I remember that signing clean messages was working in the past for mails in TNEF format too. This seems not to work anymore. Maybe there is a problem with the format, Exchange 2007 delivers.
>
> However, I realized, that the function "Use TNEF Contents = Replace" does not work properly anymore, as all attachments are doubled in fact it works as if "Use TNEF Contents" was set to "add".
>
> Does someone have Microsoft Exchange 2007 as mailbox server? If yes, do you have similar problems?
>
> Regards,
>
> Roland

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
From glenn.steen at gmail.com Tue Aug 19 21:35:59 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Aug 19 21:36:10 2008
Subject: {Disarmed} Re: Probem with mailscanner + fetchmail + mailwatch
In-Reply-To: <001a01c90233$35f02cd0$a1d08670$@co.za>
References: <c8c4ee450808190351i1112ebajc663056b8fd1791d@mail.gmail.com> <269283E4-1509-4697-AFD0-EE9ABFE4FED0@technologytiger.net> <001a01c90233$35f02cd0$a1d08670$@co.za>
Message-ID: <223f97700808191335v3165a063ufe2ec8ca5afdcab@mail.gmail.com>

2008/8/19 JC Putter <jcputter@centreweb.co.za>:
>
> MailScanner without being quarantined again. Set the following in
> /opt/MailScanner/etc/Mailscanner.conf: Search for "Scan Messages", mine is
> around line 292, then set as: Scan Messages =
> %rules-dir%/scan.messages.rules
>
> Next, move into the /opt/MailScanner/etc/rules directory and create
> scan.messages.rules: (NB this depends on your distro for Centos
> /etc/MailScanner/rules )
>
> On your newly created scan.messages.rules file add these entries
>
> From: 127.0.0.1 no
>
> FromOrTo: default yes
>
JC... The whole problem is that the above would whitelist EVERYTHING, since fetchmail delivers via 127.0.0.1 ... Not a good thing. So either one needs to bypass MailScanner when releasing messages (my advice), or make fetchmail deliver via the NIC IF's IP address, thus making it more "equivalent" to how normal smtp delivery happens (Drew's advice). ... I think Drew's solution is a tad simpler than mine... so would recommend using that:-).
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gcle at smcaus.com.au Tue Aug 19 23:00:30 2008 From: gcle at smcaus.com.au (Gerard Cleary) Date: Tue Aug 19 23:01:14 2008 Subject: Kaspersky In-Reply-To: <EMEW-k7I8YOb173dc6fc80f1947eb2350be7350b7ae-5F9EB2B0731E5B4D88FC20780DFD161043259F@DE-SEXB01RZ.intern.seceidos.de> References: <29426618.29461219071552624.JavaMail.root@office.splatnix.net> <EMEW-k7I6Fv92d811311b65d1d2cfd7a937a4d25076-200808191406.33298.gcle@smcaus.com.au> <EMEW-k7I8YOb173dc6fc80f1947eb2350be7350b7ae-5F9EB2B0731E5B4D88FC20780DFD161043259F@DE-SEXB01RZ.intern.seceidos.de> Message-ID: <200808200800.30713.gcle@smcaus.com.au> On Tue, 19 Aug 2008 16:29:10 Koopmann, Jan-Peter wrote: > Hi, > > > We're currently using version 5.5.10 of the Kaspersky product > > kav4mailservers, sendmail 8.14.1 and MailScanner 4.65.3. > > Why are you using the mailserver version? Any technical reason or due to > license restrictions of Kaspersky? Does the mailserver version include a > command-line only option? > Pathetically simple really. We call the box running Sendmail our "mail server". I saw the product mailserver and didn't look any further. There are executables such as "kavscanner" and "keepup2date" which can be run at the command line. Julian invokes these in his setup for Kaspersky. HTH. Gerard. 
-- Gerard Cleary SMC Systems Administration Ph: +61 2 9354 8222 From andrew at gdcon.net Tue Aug 19 23:45:20 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Tue Aug 19 23:45:39 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <g8f628$cn$1@ger.gmane.org> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> <48AAB392.5030301@protos.mine.nu> <g8esrb$q6g$2@ger.gmane.org> <FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> <g8f628$cn$1@ger.gmane.org> Message-ID: <48AB4D00.9040301@gdcon.net> Scott Silva wrote: > MailScanner passes the timed out scans because Julian wanted no mail > lost by errors like this. > Which is the correct answer... Better to get some spam than to lose ANY mail. -- This message was scanned by ESVA and is believed to be clean. From tgc at statsbiblioteket.dk Wed Aug 20 08:00:18 2008 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Wed Aug 20 08:00:28 2008 Subject: MailScannerGOLD [was Re: yum upgrade trouble] In-Reply-To: <48AAD3B0.3040703@fsl.com> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <48AA70F4.5020004@statsbiblioteket.dk> <000001c901cc$b516db60$1f449220$@co.za> <48AAD3B0.3040703@fsl.com> Message-ID: <48ABC102.6040104@statsbiblioteket.dk> Stephen Swaney wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tom G. >> Christensen >> Sent: 19 August 2008 09:06 AM >> To: MailScanner discussion >> Subject: Re: yum upgrade trouble >> <snip MailScannerGOLD information> >> >> Will the src.rpms be available to all or only to customers? >> <snip sales pitch> Stephen, I was not able to infer a clear answer to my question from what you wrote. Would you mind giving a direct answer to my question? 
-tgc From ismail at ismailozatay.net Wed Aug 20 08:27:43 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Wed Aug 20 08:32:40 2008 Subject: Fetchmail and MailScanner Message-ID: <8F46525BFB69480FB6B64BECA9D20B37@pc> Hi all, I am using fetchmail as a pop connector. It downloads a lot of pop3 inbox from some isps and it works properly. Today i installed postfix and mailscanner for filtering virus and spam mails on the same server but there is something wrong with mail headers. Because mail header says that mail coming from localhost 127.0.0.1 which is already whitelisted. So every incoming mail is tagged as clean. How can i fix this problem ? Can i send incoming mails to smtp with the original header? Thanks ismail From glenn.steen at gmail.com Wed Aug 20 08:50:13 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 20 08:50:24 2008 Subject: Fetchmail and MailScanner In-Reply-To: <8F46525BFB69480FB6B64BECA9D20B37@pc> References: <8F46525BFB69480FB6B64BECA9D20B37@pc> Message-ID: <223f97700808200050y105c74e6ha725f677cdd6fc2f@mail.gmail.com> 2008/8/20 Ismail OZATAY <ismail@ismailozatay.net>: > Hi all, > > I am using fetchmail as a pop connector. It downloads a lot of pop3 inbox > from some isps and it works properly. Today i installed postfix and > mailscanner for filtering virus and spam mails on the same server but there > is something wrong with mail headers. Because mail header says that mail > coming from localhost 127.0.0.1 which is already whitelisted. So every > incoming mail is tagged as clean. How can i fix this problem ? Can i send > incoming mails to smtp with the original header? > > Thanks > > ismail > Ismail, This seems to be a common question this week...:-). Look at the recent thread named "Problem with mailscanner + fetchmail + mailwatch" .... Here's a link to gmane: http://news.gmane.org/find-root.php?message_id=%3cc8c4ee450808190351i1112ebajc663056b8fd1791d%40mail.gmail.com%3e ... 
or perhaps http://thread.gmane.org/gmane.mail.virus.mailscanner/65553
... Should lead to the same info:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From edward at tdcs.com.au Wed Aug 20 08:58:10 2008
From: edward at tdcs.com.au (Edward Dekkers)
Date: Wed Aug 20 08:58:55 2008
Subject: Fetchmail and MailScanner
In-Reply-To: <8F46525BFB69480FB6B64BECA9D20B37@pc>
References: <8F46525BFB69480FB6B64BECA9D20B37@pc>
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au>

> Hi all,
>
> I am using fetchmail as a pop connector. It downloads a lot of pop3
> inbox
> from some isps and it works properly. Today i installed postfix and
> mailscanner for filtering virus and spam mails on the same server but
> there
> is something wrong with mail headers. Because mail header says that
> mail
> coming from localhost 127.0.0.1 which is already whitelisted. So every
> incoming mail is tagged as clean. How can i fix this problem ? Can i
> send
> incoming mails to smtp with the original header?
>
> Thanks
>
> ismail

Whoa - this sounds like déjà-vu in a big way!

I THINK we had this exact discussion with Fabio Silva YESTERDAY.

If you've been listening, scroll back to yesterday. If you've just joined, follow this thread:

http://lists.mailscanner.info/pipermail/mailscanner/2008-August/086695.html

I found it because I knew how the thread started, I'm not sure how you would go searching the archives though, there doesn't appear to be a way to find things based on keywords.

This should get you started though.

Regards,
ED.
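The misconfiguration this thread keeps returning to (fetchmail handing mail to the MTA from an address that a "Scan Messages" ruleset exempts) can be checked mechanically. The sketch below is an added example, not part of any poster's message and not MailScanner or fetchmail code. Its function names are hypothetical, and it assumes that fetchmail runs on the same host as the MTA (so the client address equals the smtphost address), that rules are evaluated top to bottom with the first match winning, and that only exact addresses, dotted prefixes and CIDR patterns need handling.

```python
import ipaddress
import shlex

# Constructed sample: the two ruleset entries quoted in the thread.
RULESET = """\
From:      127.0.0.1   no
FromOrTo:  default     yes
"""

# Constructed sample: no smtphost, so fetchmail delivers to localhost (its default).
RC_DEFAULT = """\
set daemon 20
poll mail.example.net with proto POP3
user 'test' with pass "placeholder" is 'realuser@example.net'
keep
"""

# Constructed sample modelled on the fetchmailrc posted in the thread.
RC_NIC = RC_DEFAULT + "smtphost 192.168.100.3\n"


def parse_ruleset(text):
    """Return [(direction, pattern, value)] for each non-comment ruleset line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            rules.append((fields[0].rstrip(":").lower(), fields[1], fields[2].lower()))
    return rules


def pattern_matches(pattern, ip):
    """Match an IP against 'default', a dotted prefix ('192.168.') or an address/CIDR."""
    if pattern.lower() == "default":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # domain and regex patterns are outside this sketch


def scan_decision(rules, client_ip):
    """Value of the first From/FromOrTo rule matching the client IP, else None."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and pattern_matches(pattern, client_ip):
            return value
    return None


def fetchmail_delivery_hosts(rc_text):
    """Hosts named after each 'smtphost' keyword; 'localhost' when none is set."""
    tokens = shlex.split(rc_text, comments=True)
    hosts = [tokens[i + 1].split("/")[0]          # drop an optional /port suffix
             for i, tok in enumerate(tokens[:-1]) if tok == "smtphost"]
    return hosts or ["localhost"]


def audit(rc_text, ruleset_text):
    """Return [(host, 'bypassed' | 'scanned' | 'unresolved')] per delivery host."""
    rules = parse_ruleset(ruleset_text)
    findings = []
    for host in fetchmail_delivery_hosts(rc_text):
        ip = "127.0.0.1" if host.lower() == "localhost" else host
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((host, "unresolved"))  # hostname: resolve it by hand
            continue
        verdict = "bypassed" if scan_decision(rules, ip) == "no" else "scanned"
        findings.append((host, verdict))
    return findings


if __name__ == "__main__":
    for label, rc in (("default delivery", RC_DEFAULT), ("smtphost on NIC", RC_NIC)):
        for host, verdict in audit(rc, RULESET):
            print(f"{label}: fetched mail enters via {host} -> {verdict}")
```

A "bypassed" result means every message fetchmail retrieves skips virus and spam scanning; exempting the NIC address in the ruleset as well would reproduce the same result for the second configuration.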
From ms-list at alexb.ch Wed Aug 20 09:11:32 2008 From: ms-list at alexb.ch (Alex Broens) Date: Wed Aug 20 09:11:48 2008 Subject: Fetchmail and MailScanner In-Reply-To: <8F46525BFB69480FB6B64BECA9D20B37@pc> References: <8F46525BFB69480FB6B64BECA9D20B37@pc> Message-ID: <48ABD1B4.7070004@alexb.ch> On 8/20/2008 9:27 AM, Ismail OZATAY wrote: > Hi all, > > I am using fetchmail as a pop connector. It downloads a lot of pop3 > inbox from some isps and it works properly. Today i installed postfix > and mailscanner for filtering virus and spam mails on the same server > but there is something wrong with mail headers. Because mail header says > that mail coming from localhost 127.0.0.1 which is already whitelisted. > So every incoming mail is tagged as clean. How can i fix this problem ? > Can i send incoming mails to smtp with the original header? tell fetchmail to use the NIC's IP as SMTP and not 127.0.0.1 depending how you call it /usr/bin/fetchmail -S 192.168.1.1 that should solve your problem fetchmail docs show this quite clearly. h2h Alex From steve.freegard at fsl.com Wed Aug 20 09:34:47 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Aug 20 09:34:58 2008 Subject: MailScannerGOLD [was Re: yum upgrade trouble] In-Reply-To: <48ABC102.6040104@statsbiblioteket.dk> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <48AA70F4.5020004@statsbiblioteket.dk> <000001c901cc$b516db60$1f449220$@co.za> <48AAD3B0.3040703@fsl.com> <48ABC102.6040104@statsbiblioteket.dk> Message-ID: <48ABD727.6040103@fsl.com> Tom G. Christensen wrote: >>> >>> Will the src.rpms be available to all or only to customers? >>> > Stephen, I was not able to infer a clear answer to my question from what > you wrote. Would you mind giving a direct answer to my question? I think Steve's answer was to JC as that's what my threading shows. 
But I'll answer your question directly and give you the technical details. The .src.rpms will most likely be available to all - however, simply rebuilding them won't yield the same results as using the main repository as we have a whole build system behind these that Doc and I wrote. The purpose of the build system is to automatically handle all the RPM 'requires' and 'provides' dependencies and move all the FSL generated modules into their own namespace. RPM generates perl dependencies like this: perl(Mail::SpamAssassin) which satisfy system-wide dependencies. All of our modules use their own fsl-perl(Module::Name) namespace and install into /opt/fsl/lib/perl5 so as not to pollute the system-wide namespace and allow the base repositories to handle these. This is how we are able to guarantee that upgrading your system-wide Perl on CentOS etc. won't break MailScanner as our version will look in /opt/fsl/lib/perl5 for MailScanner/SA requirements before it looks at the regular system locations. Using the .src.rpms that are output by our build system would mean that the dependencies generated would be under the system-wide perl() namespace as I don't have any plans to release the code to our build system. The beta repository will also be available to all. This will always contain the last MailScanner beta along with the last MailWatch beta and all associated modules necessary to install. Ultimately there will be three repos 'staging' (FSL use only to test new modules) -> 'fsl-beta' (Public access, for beta testing only, RPMs are moved here from 'staging' repo after testing and finally 'fsl-main' (all FSL customers - contains production RPMS moved in from beta after test phase). Kind regards, Steve. 
From ismail at ismailozatay.net Wed Aug 20 09:44:46 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Wed Aug 20 09:53:21 2008 Subject: Fetchmail and MailScanner References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> Message-ID: <BE2E08214B2C47E79E2D5510E1B8890D@pc> Hi Edward , I always read every incoming mail carefully. Also i know that Fabio Silva 's problem is still going on because using smtphost setting will never fix that problem. Fetchmail is routing all emails to smtp so source seems interface's ip which is set before by smtphost. Here is my .fetchmailrc file; set daemon 20 set syslog set postmaster root set invisible poll mail.test.net with proto POP3 and options no dns user 'test' with pass "123456" is 'realuser@internal.net' keep norewrite smtphost 192.168.100.3 Here is my incmoing mail header ; Received: from mail.test.net (mail.internal.net [192.168.100.3]) by mail.ismail.net (Postfix) with ESMTP id 99A49E8288 for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST) As you see coming source is 192.168.100.3 so mailscanner thinks that it is localhost. My question was how can i leave message source untouched ? Thanks Edward :) Regards, ismail ----- Original Message ----- From: "Edward Dekkers" <edward@tdcs.com.au> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> Sent: Wednesday, August 20, 2008 10:58 AM Subject: RE: Fetchmail and MailScanner > Hi all, > > I am using fetchmail as a pop connector. It downloads a lot of pop3 > inbox > from some isps and it works properly. Today i installed postfix and > mailscanner for filtering virus and spam mails on the same server but > there > is something wrong with mail headers. Because mail header says that > mail > coming from localhost 127.0.0.1 which is already whitelisted. So every > incoming mail is tagged as clean. How can i fix this problem ? 
Can i > send > incoming mails to smtp with the original header? > > Thanks > > ismail Whoa - this sound like d?j?-vu in a big way! I THINK we had this exact discussion with Fabio Silva YESTERDAY. If you've been listening, scroll back to yesterday. If you've just joined, follow this thread: http://lists.mailscanner.info/pipermail/mailscanner/2008-August/086695.html I found it because I knew how the thread started, I'm not sure how you would go searching the archives though, there doesn't appear to be a way to find things based on keywords. This should get you started though. Regards, ED. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From drew.marshall at technologytiger.net Wed Aug 20 10:17:55 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Wed Aug 20 10:18:20 2008 Subject: Fetchmail and MailScanner In-Reply-To: <BE2E08214B2C47E79E2D5510E1B8890D@pc> References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <BE2E08214B2C47E79E2D5510E1B8890D@pc> Message-ID: <E3AF40C1-D4D0-43C1-AB2B-902D72D2D746@technologytiger.net> On 20 Aug 2008, at 09:44, Ismail OZATAY wrote: > Hi Edward , > > I always read every incoming mail carefully. Also i know that Fabio > Silva 's problem is still going on because using smtphost setting > will never fix that problem. Fetchmail is routing all emails to smtp > so source seems interface's ip which is set before by smtphost. 
>
> Here is my .fetchmailrc file;
>
> set daemon 20
> set syslog
> set postmaster root
> set invisible
> poll mail.test.net with proto POP3 and options no dns
> user 'test' with pass "123456" is 'realuser@internal.net'
> keep
> norewrite
> smtphost 192.168.100.3
>
> Here is my incoming mail header ;
>
> Received: from mail.test.net (mail.internal.net [192.168.100.3])
> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288
> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST)
>
> As you see coming source is 192.168.100.3 so mailscanner thinks that
> it is localhost. My question was how can i leave message source
> untouched ?

MailScanner will only think something is what you tell it via a ruleset. To use Mailwatch, you will need to whitelist the loopback interface (127.0.0.1) assuming you have a fairly standard set up in the Mailwatch config file. MailScanner will therefore scan all mail received on any other interface including your 192.168.100.3 address. What Postfix calls this (Via the hosts file or PTR record) is irrelevant to MS.

HTH

Drew

From tgc at statsbiblioteket.dk Wed Aug 20 10:29:06 2008
From: tgc at statsbiblioteket.dk (Tom G.
Christensen) Date: Wed Aug 20 10:29:16 2008 Subject: MailScannerGOLD [was Re: yum upgrade trouble] In-Reply-To: <48ABD727.6040103@fsl.com> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <48AA70F4.5020004@statsbiblioteket.dk> <000001c901cc$b516db60$1f449220$@co.za> <48AAD3B0.3040703@fsl.com> <48ABC102.6040104@statsbiblioteket.dk> <48ABD727.6040103@fsl.com> Message-ID: <48ABE3E2.9050606@statsbiblioteket.dk> Steve Freegard wrote: > Tom G. Christensen wrote: >>>> Will the src.rpms be available to all or only to customers? >>>> >> Stephen, I was not able to infer a clear answer to my question from what >> you wrote. Would you mind giving a direct answer to my question? > > I think Steve's answer was to JC as that's what my threading shows. > You're right ofcourse. > But > I'll answer your question directly and give you the technical details. > Thanks, much appreciated. > The .src.rpms will most likely be available to all - however, simply > rebuilding them won't yield the same results as using the main > repository as we have a whole build system behind these that Doc and I > wrote. The purpose of the build system is to automatically handle all > the RPM 'requires' and 'provides' dependencies and move all the FSL > generated modules into their own namespace. RPM generates perl > dependencies like this: perl(Mail::SpamAssassin) which satisfy > system-wide dependencies. All of our modules use their own > fsl-perl(Module::Name) namespace and install into /opt/fsl/lib/perl5 so > as not to pollute the system-wide namespace and allow the base > repositories to handle these. This is how we are able to guarantee that > upgrading your system-wide Perl on CentOS etc. won't break MailScanner > as our version will look in /opt/fsl/lib/perl5 for MailScanner/SA > requirements before it looks at the regular system locations. > Nice and clean. 
I suppose you're also packaging perl then, so you can control the global @INC. The custom Requires/Provides name space I guess was done by overriding the perl_req and perl_prov scripts. Now writing these replacements is probably not entirely trivial...

> Using the .src.rpms that are output by our build system would mean that
> the dependencies generated would be under the system-wide perl()
> namespace as I don't have any plans to release the code to our build system.
>
Pity that ;)
However you're of course completely within your right to keep it to yourself and I guess you have to have *some* secrets.

> The beta repository will also be available to all. This will always
> contain the last MailScanner beta along with the last MailWatch beta and
> all associated modules necessary to install. Ultimately there will be
> three repos 'staging' (FSL use only to test new modules) -> 'fsl-beta'
> (Public access, for beta testing only, RPMs are moved here from
> 'staging' repo after testing and finally 'fsl-main' (all FSL customers -
> contains production RPMS moved in from beta after test phase).
>
This sounds very nice.

Thanks again Steve, this was a most informative post.

-tgc

From ismail at ismailozatay.net Wed Aug 20 10:22:07 2008
From: ismail at ismailozatay.net (Ismail OZATAY)
Date: Wed Aug 20 10:37:29 2008
Subject: Fetchmail and MailScanner
References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au>
Message-ID: <0F582428D31647698C2099A2D36690A4@pc>

Hi Edward ,

I always read every incoming mail carefully. Also i know that Fabio Silva 's problem is still going on because using smtphost setting will never fix that problem. Fetchmail is routing all emails to smtp so source seems interface's ip which is set before by smtphost.

Here is my .fetchmailrc file;

set daemon 20
set syslog
set postmaster root
set invisible
poll mail.test.net with proto POP3 and options no dns
user 'test' with pass "123456" is 'realuser@internal.net'
keep
norewrite
smtphost 192.168.100.3

Here is my incoming mail header ;

Received: from mail.test.net (mail.internal.net [192.168.100.3])
 by mail.ismail.net (Postfix) with ESMTP id 99A49E8288
 for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST)

As you see coming source is 192.168.100.3 so mailscanner thinks that it is localhost. My question was how can i leave message source untouched ?

Thanks Edward :)

Regards,

ismail

----- Original Message -----
From: "Edward Dekkers" <edward@tdcs.com.au>
To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info>
Sent: Wednesday, August 20, 2008 10:58 AM
Subject: RE: Fetchmail and MailScanner

> Hi all,
>
> I am using fetchmail as a pop connector. It downloads a lot of pop3
> inbox
> from some isps and it works properly. Today i installed postfix and
> mailscanner for filtering virus and spam mails on the same server but
> there
> is something wrong with mail headers. Because mail header says that
> mail
> coming from localhost 127.0.0.1 which is already whitelisted. So every
> incoming mail is tagged as clean. How can i fix this problem ? Can i
> send
> incoming mails to smtp with the original header?
>
> Thanks
>
> ismail

Whoa - this sounds like déjà-vu in a big way! I THINK we had this exact discussion with Fabio Silva YESTERDAY. If you've been listening, scroll back to yesterday. If you've just joined, follow this thread: http://lists.mailscanner.info/pipermail/mailscanner/2008-August/086695.html I found it because I knew how the thread started, I'm not sure how you would go searching the archives though, there doesn't appear to be a way to find things based on keywords. This should get you started though.

Regards, ED.

From ms-list at alexb.ch Wed Aug 20 10:46:48 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Aug 20 10:47:04 2008
Subject: Fetchmail and MailScanner
In-Reply-To: <0F582428D31647698C2099A2D36690A4@pc>
References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc>
Message-ID: <48ABE808.3080400@alexb.ch>

On 8/20/2008 11:22 AM, Ismail OZATAY wrote:
> Hi Edward ,
>
> I always read every incoming mail carefully. Also i know that Fabio
> Silva 's
> problem is still going on because using smtphost setting will never fix
> that
> problem. Fetchmail is routing all emails to smtp so source seems
> interface's
> ip which is set before by smtphost.
>
> Here is my .fetchmailrc file;
>
> set daemon 20
> set syslog
> set postmaster root
> set invisible
> poll mail.test.net with proto POP3 and options no dns
> user 'test' with pass "123456" is 'realuser@internal.net'
> keep
> norewrite
> smtphost 192.168.100.3
>
> Here is my incoming mail header ;
>
> Received: from mail.test.net (mail.internal.net [192.168.100.3])
> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288
> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST)
>
> As you see coming source is 192.168.100.3 so mailscanner thinks that it is
> localhost. My question was how can i leave message source untouched ?
> > Thanks Edward :) > > Regards, > > ismail > > > ----- Original Message ----- From: "Edward Dekkers" <edward@tdcs.com.au> > To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> > Sent: Wednesday, August 20, 2008 10:58 AM > Subject: RE: Fetchmail and MailScanner > > >> Hi all, >> >> I am using fetchmail as a pop connector. It downloads a lot of pop3 >> inbox >> from some isps and it works properly. Today i installed postfix and >> mailscanner for filtering virus and spam mails on the same server but >> there >> is something wrong with mail headers. Because mail header says that >> mail >> coming from localhost 127.0.0.1 which is already whitelisted. So every >> incoming mail is tagged as clean. How can i fix this problem ? Can i >> send >> incoming mails to smtp with the original header? doesn't the fetchmail "silent" switch do that for you? From ram at netcore.co.in Wed Aug 20 11:05:39 2008 From: ram at netcore.co.in (ram) Date: Wed Aug 20 11:05:55 2008 Subject: MailScanner clamavmodule hangs Message-ID: <1219226739.1883.55.camel@darkstar.netcore.co.in> I have some locking problem with Clamavmodule here I have perl-Mail-CLamav version 0.20 and clam version 0.90 used in MailScanner 4.70 (latest) It had been working fine till yesterday , but now when I start MailScanner all the child processes go into a state of "starting children" I disable clamavmodule and MailScanner works fine Thanks Ram From steve.freegard at fsl.com Wed Aug 20 11:41:00 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Aug 20 11:41:11 2008 Subject: MailScannerGOLD [was Re: yum upgrade trouble] In-Reply-To: <48ABE3E2.9050606@statsbiblioteket.dk> References: <EMEW-k7H8AGa414b1bf294bec5b0baf26c325f25e65-5F9EB2B0731E5B4D88FC20780DFD1610432511@DE-SEXB01RZ.intern.seceidos.de> <48A98225.9090909@fsl.com> <48AA70F4.5020004@statsbiblioteket.dk> <000001c901cc$b516db60$1f449220$@co.za> <48AAD3B0.3040703@fsl.com> <48ABC102.6040104@statsbiblioteket.dk> <48ABD727.6040103@fsl.com> 
<48ABE3E2.9050606@statsbiblioteket.dk> Message-ID: <48ABF4BC.2050406@fsl.com> Tom G. Christensen wrote: > I suppose you're also packaging perl then, so you can control the global > @INC. No - we're not currently packaging Perl as I felt that this would be too much duplication (base Perl is pretty large these days) and a lot of extra complication and possible confusion and more difficult for us to support. Instead we use the system-wide perl and the system-wide modules but simply ensure that our modules are checked first either by using PERL5LIB in the applications init-scripts and via /etc/profile.d or via 'use lib qw{/opt/fsl/perl5/lib}' in the actual perl apps themselves, although this might change if I find a better way to handle these cases. > The custom Requires/Provides name space I guess was done by overriding > the perl_req and perl_prov scripts. Now writing these replacements are > probably not entirely trivial... Yes, that's exactly what we're doing and no it wasn't particularly trivial to achieve ;-) >> Using the .src.rpms that are output by our build system would mean that >> the dependencies generated would be under the system-wide perl() >> namespace as I don't have any plans to release the code to our build >> system. >> > Pity that ;) > However you're ofcourse completely within your right to keep it to > yourself and I guess you have to have *some* secrets. Yeah - plus our build scripts won't make a whole lot of sense to most people anyway. RPM building like this is pretty hard - especially getting things installed in the correct order and satisfying all the build and run-time dependencies - I've spent quite a bit of time banging my head on my desk to get it working properly. >> The beta repository will also be available to all. This will always >> contain the last MailScanner beta along with the last MailWatch beta and >> all associated modules necessary to install. 
Ultimately there will be >> three repos 'staging' (FSL use only to test new modules) -> 'fsl-beta' >> (Public access, for beta testing only, RPMs are moved here from >> 'staging' repo after testing and finally 'fsl-main' (all FSL customers - >> contains production RPMS moved in from beta after test phase). >> > This sounds very nice. > > Thanks again Steve, this was a most informative post. No problem - you're welcome. Kind regards, Steve. From martinh at solidstatelogic.com Wed Aug 20 11:55:19 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Aug 20 11:55:30 2008 Subject: MailScanner clamavmodule hangs In-Reply-To: <1219226739.1883.55.camel@darkstar.netcore.co.in> Message-ID: <95b26ade1a3c7d418e5e6611abf3efd3@solidstatelogic.com> Ram Clam 0.90 is really old and might not be supported for updates anymore.. What does "clamscan" (with or without the -v) and freshclam give you? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram > Sent: 20 August 2008 11:06 > To: MailScanner discussion > Subject: MailScanner clamavmodule hangs > > I have some locking problem with Clamavmodule here I have > perl-Mail-CLamav version 0.20 and clam version 0.90 used in > MailScanner 4.70 (latest) > > It had been working fine till yesterday , but now when I > start MailScanner all the child processes go into a state of > "starting children" > > I disable clamavmodule and MailScanner works fine > > > > Thanks > Ram > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From ms-list at alexb.ch Wed Aug 20 12:07:23 2008 From: ms-list at alexb.ch (Alex Broens) Date: Wed Aug 20 12:07:41 2008 Subject: Fetchmail and MailScanner In-Reply-To: <48ABE808.3080400@alexb.ch> References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc> <48ABE808.3080400@alexb.ch> Message-ID: <48ABFAEB.3050007@alexb.ch> On 8/20/2008 11:46 AM, Alex Broens wrote: > On 8/20/2008 11:22 AM, Ismail OZATAY wrote: >> Hi Edward , >> >> I always read every incoming mail carefully. Also i know that Fabio >> Silva 's >> problem is still going on because using smtphost setting will never >> fix that >> problem. 
Fetchmail is routing all emails to smtp so source seems >> interface's >> ip which is set before by smtphost. >> >> Here is my .fetchmailrc file; >> >> set daemon 20 >> set syslog >> set postmaster root >> set invisible >> poll mail.test.net with proto POP3 and options no dns >> user 'test' with pass "123456" is 'realuser@internal.net' >> keep >> norewrite >> smtphost 192.168.100.3 >> >> Here is my incmoing mail header ; >> >> Received: from mail.test.net (mail.internal.net [192.168.100.3]) >> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288 >> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST) >> >> As you see coming source is 192.168.100.3 so mailscanner thinks that >> it is >> localhost. My question was how can i leave message source untouched ? >> >> Thanks Edward :) >> >> Regards, >> >> ismail >> >> >> ----- Original Message ----- From: "Edward Dekkers" <edward@tdcs.com.au> >> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> >> Sent: Wednesday, August 20, 2008 10:58 AM >> Subject: RE: Fetchmail and MailScanner >> >> >>> Hi all, >>> >>> I am using fetchmail as a pop connector. It downloads a lot of pop3 >>> inbox >>> from some isps and it works properly. Today i installed postfix and >>> mailscanner for filtering virus and spam mails on the same server but >>> there >>> is something wrong with mail headers. Because mail header says that >>> mail >>> coming from localhost 127.0.0.1 which is already whitelisted. So every >>> incoming mail is tagged as clean. How can i fix this problem ? Can i >>> send >>> incoming mails to smtp with the original header? > > doesn't the fetchmail "silent" switch do that for you? Sorry.. meant "invisible" The --invisible option (keyword: set invisible) tries to make fetchmail invisible. 
Normally, fetchmail behaves like any other MTA would -- it generates a Received header into each message describing its place in the chain of transmission, and tells the MTA it forwards to that the mail came from the machine fetchmail itself is running on. If the invisible option is on, the Received header is suppressed and fetchmail tries to spoof the MTA it forwards to into thinking it came directly from the mailserver host. Alex From forum at juro.at Wed Aug 20 13:30:11 2008 From: forum at juro.at (forum) Date: Wed Aug 20 13:30:19 2008 Subject: MailScanner keeps restarting, mails are kept on hold Message-ID: <48AC0E53.9050107@juro.at> Hi, I am using MailScanner on a Ubuntu Dapper server (running, productive system, therefore older) and everything was working fine before I did an apt-get upgrade. Now MailScanner keeps restarting with these log entries: timestamp servername MailScanner[##]: Using locktype = flock timestamp servername MailScanner[##]: MailScanner E-Mail Virus Scanner version 4.46.2 starting... timestamp servername MailScanner[##]: Read 676 hostnames from the phishing whitelist Apparently this could result from an unusable bayes database for SpamAssassin but I have rebuilt that and cleared (just to be sure) it. I have re-installed MailScanner and also tried to install a newer version, which failed dismally, as a lot of dependencies are not met with the standard Dapper packages (and I couldn't backport them). How can I resolve this issue without too much trouble/time? 
juro From MailScanner at ecs.soton.ac.uk Wed Aug 20 15:19:30 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 20 15:19:54 2008 Subject: Fetchmail and MailScanner In-Reply-To: <EMEW-k7JCAR040113c7db0a9aa6a55298c2cb26d6b2-48ABFAEB.3050007@alexb.ch> References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc> <48ABE808.3080400@alexb.ch> <EMEW-k7JCAR040113c7db0a9aa6a55298c2cb26d6b2-48ABFAEB.3050007@alexb.ch> Message-ID: <48AC27F2.8080501@ecs.soton.ac.uk> Alex Broens wrote: > On 8/20/2008 11:46 AM, Alex Broens wrote: >> On 8/20/2008 11:22 AM, Ismail OZATAY wrote: >>> Hi Edward , >>> >>> I always read every incoming mail carefully. Also i know that Fabio >>> Silva 's >>> problem is still going on because using smtphost setting will never >>> fix that >>> problem. Fetchmail is routing all emails to smtp so source seems >>> interface's >>> ip which is set before by smtphost. >>> >>> Here is my .fetchmailrc file; >>> >>> set daemon 20 >>> set syslog >>> set postmaster root >>> set invisible >>> poll mail.test.net with proto POP3 and options no dns >>> user 'test' with pass "123456" is 'realuser@internal.net' >>> keep >>> norewrite >>> smtphost 192.168.100.3 >>> >>> Here is my incmoing mail header ; >>> >>> Received: from mail.test.net (mail.internal.net [192.168.100.3]) >>> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288 >>> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST) >>> >>> As you see coming source is 192.168.100.3 so mailscanner thinks that >>> it is >>> localhost. My question was how can i leave message source untouched ? 
>>> >>> Thanks Edward :) >>> >>> Regards, >>> >>> ismail >>> >>> >>> ----- Original Message ----- From: "Edward Dekkers" >>> <edward@tdcs.com.au> >>> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> >>> Sent: Wednesday, August 20, 2008 10:58 AM >>> Subject: RE: Fetchmail and MailScanner >>> >>> >>>> Hi all, >>>> >>>> I am using fetchmail as a pop connector. It downloads a lot of pop3 >>>> inbox >>>> from some isps and it works properly. Today i installed postfix and >>>> mailscanner for filtering virus and spam mails on the same server but >>>> there >>>> is something wrong with mail headers. Because mail header says that >>>> mail >>>> coming from localhost 127.0.0.1 which is already whitelisted. So every >>>> incoming mail is tagged as clean. How can i fix this problem ? Can i >>>> send >>>> incoming mails to smtp with the original header? >> >> doesn't the fetchmail "silent" switch do that for you? > > Sorry.. meant "invisible" > > The --invisible option (keyword: set invisible) tries to make > fetchmail invisible. Normally, fetchmail behaves like any other MTA > would -- it generates a Received header into each message describing > its place in the chain of transmission, and tells the MTA it forwards > to that the mail came from the machine fetchmail itself is running on. > If the invisible option is on, the Received header is suppressed and > fetchmail tries to spoof the MTA it forwards to into thinking it came > directly from the mailserver host. But that still won't fool MailScanner. MailScanner uses the SMTP client address written into the email's envelope. The MTA takes this from the IP address of the machine talking to it in the SMTP session during which it received the message. So no matter what options you set on fetchmail, that can only ever be the IP address of the system itself, or localhost. So I fail to see how playing with fetchmail configurations can possibly make any difference to this. 

The only thing that would make a difference is for me to start parsing the first Received: header and pulling the IP addresses out of that. Which I currently only do when
1) you are using Postfix
and
2) the Postfix envelope contains no IP address at all.
I would have to generalise this code for all the MTAs I support.

You would probably still have to tell fetchmail to not add its Received: header even so.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From MailScanner at ecs.soton.ac.uk Wed Aug 20 15:22:12 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 20 15:22:33 2008
Subject: MailScanner keeps restarting, mails are kept on hold
In-Reply-To: <EMEW-k7JDax36fa624992fb0f5da71b220f3a9c68c4-48AC0E53.9050107@juro.at>
References: <EMEW-k7JDax36fa624992fb0f5da71b220f3a9c68c4-48AC0E53.9050107@juro.at>
Message-ID: <48AC2894.5080400@ecs.soton.ac.uk>

forum wrote:
> Hi,
> I am using MailScanner on a Ubuntu Dapper server (running, productive
> system, therefore older) and everything was working fine before I did
> an apt-get upgrade. Now MailScanner keeps restarting with these log
> entries:
>
> timestamp servername MailScanner[##]: Using locktype = flock
> timestamp servername MailScanner[##]: MailScanner E-Mail Virus Scanner
> version 4.46.2 starting...
> timestamp servername MailScanner[##]: Read 676 hostnames from the
> phishing whitelist
>
> Apparently this could result from an unusable bayes database for
> SpamAssassin but I have rebuilt that and cleared (just to be sure) it.
> I have re-installed MailScanner and also tried to install a newer
> version, which failed dismally, as a lot of dependencies are not met
> with the standard Dapper packages (and I couldn't backport them).
>
> How can I resolve this issue without too much trouble/time?

By running MailScanner --lint and MailScanner --debug

That "--debug" switch will make it run in the foreground, pick up one batch of messages, process them and then quit. You will probably find it spits out some error message or similar, which should point you in the right direction.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From glenn.steen at gmail.com Wed Aug 20 15:34:49 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 20 15:35:00 2008
Subject: Fetchmail and MailScanner
In-Reply-To: <48AC27F2.8080501@ecs.soton.ac.uk>
References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc> <48ABE808.3080400@alexb.ch> <EMEW-k7JCAR040113c7db0a9aa6a55298c2cb26d6b2-48ABFAEB.3050007@alexb.ch> <48AC27F2.8080501@ecs.soton.ac.uk>
Message-ID: <223f97700808200734w21eb0e6fg48c4ef1e54598c1b@mail.gmail.com>

2008/8/20 Julian Field <MailScanner@ecs.soton.ac.uk>:
>
>
> Alex Broens wrote:
>>
>> On 8/20/2008 11:46 AM, Alex Broens wrote:
>>>
>>> On 8/20/2008 11:22 AM, Ismail OZATAY wrote:
>>>>
>>>> Hi Edward ,
>>>>
>>>> I always read every incoming mail carefully.
Also i know that Fabio >>>> Silva 's >>>> problem is still going on because using smtphost setting will never fix >>>> that >>>> problem. Fetchmail is routing all emails to smtp so source seems >>>> interface's >>>> ip which is set before by smtphost. >>>> >>>> Here is my .fetchmailrc file; >>>> >>>> set daemon 20 >>>> set syslog >>>> set postmaster root >>>> set invisible >>>> poll mail.test.net with proto POP3 and options no dns >>>> user 'test' with pass "123456" is 'realuser@internal.net' >>>> keep >>>> norewrite >>>> smtphost 192.168.100.3 >>>> >>>> Here is my incmoing mail header ; >>>> >>>> Received: from mail.test.net (mail.internal.net [192.168.100.3]) >>>> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288 >>>> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST) >>>> >>>> As you see coming source is 192.168.100.3 so mailscanner thinks that it >>>> is >>>> localhost. My question was how can i leave message source untouched ? >>>> >>>> Thanks Edward :) >>>> >>>> Regards, >>>> >>>> ismail >>>> >>>> >>>> ----- Original Message ----- From: "Edward Dekkers" <edward@tdcs.com.au> >>>> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> >>>> Sent: Wednesday, August 20, 2008 10:58 AM >>>> Subject: RE: Fetchmail and MailScanner >>>> >>>> >>>>> Hi all, >>>>> >>>>> I am using fetchmail as a pop connector. It downloads a lot of pop3 >>>>> inbox >>>>> from some isps and it works properly. Today i installed postfix and >>>>> mailscanner for filtering virus and spam mails on the same server but >>>>> there >>>>> is something wrong with mail headers. Because mail header says that >>>>> mail >>>>> coming from localhost 127.0.0.1 which is already whitelisted. So every >>>>> incoming mail is tagged as clean. How can i fix this problem ? Can i >>>>> send >>>>> incoming mails to smtp with the original header? >>> >>> doesn't the fetchmail "silent" switch do that for you? >> >> Sorry.. 
meant "invisible" >> >> The --invisible option (keyword: set invisible) tries to make fetchmail >> invisible. Normally, fetchmail behaves like any other MTA would -- it >> generates a Received header into each message describing its place in the >> chain of transmission, and tells the MTA it forwards to that the mail came >> from the machine fetchmail itself is running on. If the invisible option is >> on, the Received header is suppressed and fetchmail tries to spoof the MTA >> it forwards to into thinking it came directly from the mailserver host. > > But that still won't fool MailScanner. MailScanner uses the SMTP client > address written into the email's envelope. The MTA takes this from the IP > address of the machine talking to it in the SMTP session during which it > received the message. > > So no matter what options you set on fetchmail, that can only ever be the IP > address of the system itself, or localhost. So I fail to see how playing > with fetchmail configurations can possibly make any difference to this. > > The only thing that would make a difference is for me to start parsing the > first Received: header and pulling the IP addresses out of that. Which I > currently only do when > 1) you are using Postfix > and > 2) the Postfix envelope contains no IP address at all. > I would have to generalise this code for all the MTAs I support. > > You would probably still have to tell fetchmail to not add its Received: > header even so. > > Jules Much simpler to just avoid MailScanner, while releasing from quarantine (and thus not needing the WL of 127.0.0.1)... As per my previous advice... 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Aug 20 16:22:14 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 20 16:22:34 2008 Subject: Fetchmail and MailScanner In-Reply-To: <EMEW-k7JFdh488922239b5caabf07978c06ee435a6a-223f97700808200734w21eb0e6fg48c4ef1e54598c1b@mail.gmail.com> References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc> <48ABE808.3080400@alexb.ch> <EMEW-k7JCAR040113c7db0a9aa6a55298c2cb26d6b2-48ABFAEB.3050007@alexb.ch> <48AC27F2.8080501@ecs.soton.ac.uk> <EMEW-k7JFdh488922239b5caabf07978c06ee435a6a-223f97700808200734w21eb0e6fg48c4ef1e54598c1b@mail.gmail.com> Message-ID: <48AC36A6.3080801@ecs.soton.ac.uk> Glenn Steen wrote: > 2008/8/20 Julian Field <MailScanner@ecs.soton.ac.uk>: > >> Alex Broens wrote: >> >>> On 8/20/2008 11:46 AM, Alex Broens wrote: >>> >>>> On 8/20/2008 11:22 AM, Ismail OZATAY wrote: >>>> >>>>> Hi Edward , >>>>> >>>>> I always read every incoming mail carefully. Also i know that Fabio >>>>> Silva 's >>>>> problem is still going on because using smtphost setting will never fix >>>>> that >>>>> problem. Fetchmail is routing all emails to smtp so source seems >>>>> interface's >>>>> ip which is set before by smtphost. 
>>>>> >>>>> Here is my .fetchmailrc file; >>>>> >>>>> set daemon 20 >>>>> set syslog >>>>> set postmaster root >>>>> set invisible >>>>> poll mail.test.net with proto POP3 and options no dns >>>>> user 'test' with pass "123456" is 'realuser@internal.net' >>>>> keep >>>>> norewrite >>>>> smtphost 192.168.100.3 >>>>> >>>>> Here is my incmoing mail header ; >>>>> >>>>> Received: from mail.test.net (mail.internal.net [192.168.100.3]) >>>>> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288 >>>>> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST) >>>>> >>>>> As you see coming source is 192.168.100.3 so mailscanner thinks that it >>>>> is >>>>> localhost. My question was how can i leave message source untouched ? >>>>> >>>>> Thanks Edward :) >>>>> >>>>> Regards, >>>>> >>>>> ismail >>>>> >>>>> >>>>> ----- Original Message ----- From: "Edward Dekkers" <edward@tdcs.com.au> >>>>> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> >>>>> Sent: Wednesday, August 20, 2008 10:58 AM >>>>> Subject: RE: Fetchmail and MailScanner >>>>> >>>>> >>>>> >>>>>> Hi all, >>>>>> >>>>>> I am using fetchmail as a pop connector. It downloads a lot of pop3 >>>>>> inbox >>>>>> from some isps and it works properly. Today i installed postfix and >>>>>> mailscanner for filtering virus and spam mails on the same server but >>>>>> there >>>>>> is something wrong with mail headers. Because mail header says that >>>>>> mail >>>>>> coming from localhost 127.0.0.1 which is already whitelisted. So every >>>>>> incoming mail is tagged as clean. How can i fix this problem ? Can i >>>>>> send >>>>>> incoming mails to smtp with the original header? >>>>>> >>>> doesn't the fetchmail "silent" switch do that for you? >>>> >>> Sorry.. meant "invisible" >>> >>> The --invisible option (keyword: set invisible) tries to make fetchmail >>> invisible. 
Normally, fetchmail behaves like any other MTA would -- it >>> generates a Received header into each message describing its place in the >>> chain of transmission, and tells the MTA it forwards to that the mail came >>> from the machine fetchmail itself is running on. If the invisible option is >>> on, the Received header is suppressed and fetchmail tries to spoof the MTA >>> it forwards to into thinking it came directly from the mailserver host. >>> >> But that still won't fool MailScanner. MailScanner uses the SMTP client >> address written into the email's envelope. The MTA takes this from the IP >> address of the machine talking to it in the SMTP session during which it >> received the message. >> >> So no matter what options you set on fetchmail, that can only ever be the IP >> address of the system itself, or localhost. So I fail to see how playing >> with fetchmail configurations can possibly make any difference to this. >> >> The only thing that would make a difference is for me to start parsing the >> first Received: header and pulling the IP addresses out of that. Which I >> currently only do when >> 1) you are using Postfix >> and >> 2) the Postfix envelope contains no IP address at all. >> I would have to generalise this code for all the MTAs I support. >> >> You would probably still have to tell fetchmail to not add its Received: >> header even so. >> >> Jules >> > Much simpler to just avoid MailScanner, while releasing from > quarantine (and thus not needing the WL of 127.0.0.1)... As per my > previous advice... > That doesn't solve the generic problem of wanting to use the IP address where the mail came from, not the address of the server which is running fetchmail. So I have added this option, which will be in the next beta release. # When working out from IP address the message was sent from, # no ==> use the SMTP client address, ie. the address of the system talking # to the MailScanner server. This is the normal setting. 
# yes ==> use the first IP address contained in the first "Received:" header # at the top of the email message's headers. # # This is very useful when you are injecting mail into a MailScanner server # using "fetchmail" as otherwise all mail will appear to be coming from the # the IP address of the system running "fetchmail", and not the address the # mail actually came from. # You need to use this together with the "silent" option in "fetchmail", so # that "fetchmail" does not add its own "Received:" header to the start of # the message. # # This value *cannot* be the filename of a ruleset. Read IP Address From Received Header = no Hopefully that will help people out. It only addresses the problem where fetchmail is running on the localhost, I suspect, but I am sure you will let me know the limitations of this addition. I'll put out a new beta right now with this in it. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Wed Aug 20 16:29:21 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 20 16:29:43 2008 Subject: Fetchmail and MailScanner In-Reply-To: <EMEW-k7JFdh488922239b5caabf07978c06ee435a6a-223f97700808200734w21eb0e6fg48c4ef1e54598c1b@mail.gmail.com> References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc> <48ABE808.3080400@alexb.ch> <EMEW-k7JCAR040113c7db0a9aa6a55298c2cb26d6b2-48ABFAEB.3050007@alexb.ch> <48AC27F2.8080501@ecs.soton.ac.uk> <EMEW-k7JFdh488922239b5caabf07978c06ee435a6a-223f97700808200734w21eb0e6fg48c4ef1e54598c1b@mail.gmail.com> Message-ID: <48AC3851.4090405@ecs.soton.ac.uk> Glenn Steen wrote: > 2008/8/20 Julian Field <MailScanner@ecs.soton.ac.uk>: > >> Alex Broens wrote: >> >>> On 8/20/2008 11:46 AM, Alex Broens wrote: >>> >>>> On 8/20/2008 11:22 AM, Ismail OZATAY wrote: >>>> >>>>> Hi Edward , >>>>> >>>>> I always read every incoming mail carefully. Also i know that Fabio >>>>> Silva 's >>>>> problem is still going on because using smtphost setting will never fix >>>>> that >>>>> problem. Fetchmail is routing all emails to smtp so source seems >>>>> interface's >>>>> ip which is set before by smtphost. >>>>> >>>>> Here is my .fetchmailrc file; >>>>> >>>>> set daemon 20 >>>>> set syslog >>>>> set postmaster root >>>>> set invisible >>>>> poll mail.test.net with proto POP3 and options no dns >>>>> user 'test' with pass "123456" is 'realuser@internal.net' >>>>> keep >>>>> norewrite >>>>> smtphost 192.168.100.3 >>>>> >>>>> Here is my incmoing mail header ; >>>>> >>>>> Received: from mail.test.net (mail.internal.net [192.168.100.3]) >>>>> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288 >>>>> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 (EEST) >>>>> >>>>> As you see coming source is 192.168.100.3 so mailscanner thinks that it >>>>> is >>>>> localhost. 
My question was how can i leave message source untouched ? >>>>> >>>>> Thanks Edward :) >>>>> >>>>> Regards, >>>>> >>>>> ismail >>>>> >>>>> >>>>> ----- Original Message ----- From: "Edward Dekkers" <edward@tdcs.com.au> >>>>> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> >>>>> Sent: Wednesday, August 20, 2008 10:58 AM >>>>> Subject: RE: Fetchmail and MailScanner >>>>> >>>>> >>>>> >>>>>> Hi all, >>>>>> >>>>>> I am using fetchmail as a pop connector. It downloads a lot of pop3 >>>>>> inbox >>>>>> from some isps and it works properly. Today i installed postfix and >>>>>> mailscanner for filtering virus and spam mails on the same server but >>>>>> there >>>>>> is something wrong with mail headers. Because mail header says that >>>>>> mail >>>>>> coming from localhost 127.0.0.1 which is already whitelisted. So every >>>>>> incoming mail is tagged as clean. How can i fix this problem ? Can i >>>>>> send >>>>>> incoming mails to smtp with the original header? >>>>>> >>>> doesn't the fetchmail "silent" switch do that for you? >>>> >>> Sorry.. meant "invisible" >>> >>> The --invisible option (keyword: set invisible) tries to make fetchmail >>> invisible. Normally, fetchmail behaves like any other MTA would -- it >>> generates a Received header into each message describing its place in the >>> chain of transmission, and tells the MTA it forwards to that the mail came >>> from the machine fetchmail itself is running on. If the invisible option is >>> on, the Received header is suppressed and fetchmail tries to spoof the MTA >>> it forwards to into thinking it came directly from the mailserver host. >>> >> But that still won't fool MailScanner. MailScanner uses the SMTP client >> address written into the email's envelope. The MTA takes this from the IP >> address of the machine talking to it in the SMTP session during which it >> received the message. 
>> >> So no matter what options you set on fetchmail, that can only ever be the IP >> address of the system itself, or localhost. So I fail to see how playing >> with fetchmail configurations can possibly make any difference to this. >> >> The only thing that would make a difference is for me to start parsing the >> first Received: header and pulling the IP addresses out of that. Which I >> currently only do when >> 1) you are using Postfix >> and >> 2) the Postfix envelope contains no IP address at all. >> I would have to generalise this code for all the MTAs I support. >> >> You would probably still have to tell fetchmail to not add its Received: >> header even so. >> >> Jules >> > Much simpler to just avoid MailScanner, while releasing from > quarantine (and thus not needing the WL of 127.0.0.1)... As per my > previous advice... > > Cheers > Okay, the new beta is out. The only thing I can think you might need now is to be able to give a list of IP addresses to ignore when looking for the "real" IP address in the headers. I'll add that if anyone thinks they need it. Shouldn't be too hard to add. Just need to convert a list of IP addresses (v4 and/or v6) into a regexp and check for that when matching the IP addresses found in the Received: headers. Lots of escaping, but nothing too tricky :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
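An added Python sketch (not part of the original posts, and not MailScanner's own Perl code) of the "Read IP Address From Received Header" behaviour and the proposed ignore list discussed in the two messages above. The names `sender_ip` and `ips_in_header` and both sample messages are constructed for illustration. Matching ignored addresses as networks with `ipaddress` instead of a generated regexp, moving on to later Received: headers when an ignore list is given, and falling back to the SMTP client address when nothing is found are all assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Candidate tokens: runs of hex digits, dots and colons that are not part of a
# hostname or version string, with the optional "IPv6:" tag used in Received:.
_CANDIDATE = re.compile(r"(?<![\w.:-])(?:IPv6:)?([0-9A-Fa-f:.]+)(?![\w.:-])", re.I)


def ips_in_header(value):
    """Return every valid IPv4/IPv6 address in one header value, in order."""
    found = []
    for token in _CANDIDATE.findall(value):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # timestamps, queue ids and similar look-alikes
    return found


def sender_ip(raw_message, smtp_client_ip, read_from_received=False, ignore=()):
    """Pick the address to treat as the message source.

    read_from_received=False: the SMTP client address (the normal setting).
    read_from_received=True:  the first address in the first Received: header.
    ignore: addresses or networks to skip (assumption: when given, later
            Received: headers are examined too).
    """
    client = ipaddress.ip_address(smtp_client_ip)
    if not read_from_received:
        return client
    nets = [ipaddress.ip_network(n, strict=False) for n in ignore]
    msg = message_from_string(raw_message)
    # The top Received: header is only as trustworthy as the host that wrote
    # it; headers further down were supplied by earlier, possibly unknown hops.
    for value in msg.get_all("Received", []):
        for ip in ips_in_header(value):
            if not any(ip in net for net in nets):
                return ip
        if not nets:
            break  # without an ignore list, only the first header counts
    return client  # assumption: fall back to the envelope address


# Constructed sample: what the MTA sees when fetchmail adds no header of its
# own, so the top Received: line is the one written by the ISP's mail server.
MSG_INVISIBLE = (
    "Received: from mx.example.org (mx.example.org [198.51.100.7])\n"
    "\tby pop.isp.example (Postfix) with ESMTP id 4F1A2B3C\n"
    "\tfor <user@isp.example>; Wed, 20 Aug 2008 09:55:20 +0300 (EEST)\n"
    "From: sender@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample: the same message with a fetchmail-style header on top.
MSG_WITH_FETCHMAIL = (
    "Received: from pop.isp.example [192.0.2.25]\n"
    "\tby localhost with POP3 (fetchmail-6.3.8)\n"
    "\tfor <realuser@localhost> (single-drop); "
    "Wed, 20 Aug 2008 09:55:27 +0300 (EEST)\n"
) + MSG_INVISIBLE

if __name__ == "__main__":
    print("option = no          ->", sender_ip(MSG_INVISIBLE, "127.0.0.1"))
    print("option = yes         ->", sender_ip(MSG_INVISIBLE, "127.0.0.1", True))
    print("fetchmail header top ->", sender_ip(MSG_WITH_FETCHMAIL, "127.0.0.1", True))
    print("with ignore list     ->", sender_ip(
        MSG_WITH_FETCHMAIL, "127.0.0.1", True, ["192.0.2.25", "127.0.0.0/8"]))
```

With the option off, every fetched message resolves to 127.0.0.1 and so matches a localhost whitelist; the third case shows why fetchmail's own header has to be suppressed or its address ignored.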
From ssilva at sgvwater.com Wed Aug 20 20:12:00 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 20 20:12:23 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <EMEW-k7ILMY37e79201049c67892606fdf85ded2557-5F9EB2B0731E5B4D88FC20780DFD1610432647@DE-SEXB01RZ.intern.seceidos.de> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> <48AAB392.5030301@protos.mine.nu><g8esrb$q6g$2@ger.gmane.org><FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> <EMEW-k7ILKg5d936e2c6d9801bb0b218afcd578ad8d-g8f628$cn$1@ger.gmane.org> <EMEW-k7ILMY37e79201049c67892606fdf85ded2557-5F9EB2B0731E5B4D88FC20780DFD1610432647@DE-SEXB01RZ.intern.seceidos.de> Message-ID: <g8hqa1$grr$1@ger.gmane.org> on 8-19-2008 12:22 PM Koopmann, Jan-Peter spake the following: >> I had that problem also when I had timeouts. > > Well I am not seeing timeouts at least none that would explain that amount of tmp files. It looks like SpamAssassin here keeps all tempfiles. Not sure why... > > > > Are you running 3.2.4 or earlier? There is a running bug in spamassassin (5557) that points to this up to 3.2.3. Supposed to be fixed in 3.2.4. Something with a SIGPIPE dying too early to clean up. Don't know if it is related to MailScanner since I didn't think it used SIGPIPE to move messages, but maybe some addon is doing it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080820/68d48a4e/signature.bin From jase at sensis.com Wed Aug 20 20:12:29 2008 From: jase at sensis.com (Desai, Jason) Date: Wed Aug 20 20:13:05 2008 Subject: Fetchmail and MailScanner In-Reply-To: <48AC36A6.3080801@ecs.soton.ac.uk> References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc><48ABE808.3080400@alexb.ch> <EMEW-k7JCAR040113c7db0a9aa6a55298c2cb26d6b2-48ABFAEB.3050007@alexb.ch> <48AC27F2.8080501@ecs.soton.ac.uk><EMEW-k7JFdh488922239b5caabf07978c06ee435a6a-223f97700808200734w21eb0e6fg48c4ef1e54598c1b@mail.gmail.com> <48AC36A6.3080801@ecs.soton.ac.uk> Message-ID: <1951DC816E1A9F469307B05FA183F43801359BE0@corpatsmail1.corp.sensis.com> > So I have added this option, which will be in the next beta release. > > # When working out from IP address the message was sent from, > # no ==> use the SMTP client address, ie. the address of the > system talking > # to the MailScanner server. This is the normal setting. > # yes ==> use the first IP address contained in the first > "Received:" header > # at the top of the email message's headers. > # > # This is very useful when you are injecting mail into a > MailScanner server > # using "fetchmail" as otherwise all mail will appear to be > coming from the > # the IP address of the system running "fetchmail", and not > the address the > # mail actually came from. > # You need to use this together with the "silent" option in > "fetchmail", so > # that "fetchmail" does not add its own "Received:" header to > the start of > # the message. > # > # This value *cannot* be the filename of a ruleset. > Read IP Address From Received Header = no > > Hopefully that will help people out. 
It only addresses the > problem where > fetchmail is running on the localhost, I suspect, but I am > sure you will > let me know the limitations of this addition. Sounds like this might be useful for cases where you have a secondary or perimeter mail server send all mail to your MailScanner box. I had modified the MailWatch custom function to do this for me, so that it would store the real sending MTA's ip address in the database. Now it looks like I may not need to. Thanks! Jase From mgaudreault at reference.qc.ca Wed Aug 20 20:07:44 2008 From: mgaudreault at reference.qc.ca (Maxime Gaudreault) Date: Wed Aug 20 20:14:17 2008 Subject: automated response Message-ID: <10808201507.AA40449@reference.qc.ca> Hello, Please note that I will be on vacation from August 11 to 22. I will be back on August 25. For any emergency you can contact Alain Doyon (adoyon@reference.qc.ca) for technical support or Yves Vallieres (yvallieres@reference.qc.ca) for sales. Otherwise, I will reply to you when I return from vacation. Thank you From ecasarero at gmail.com Wed Aug 20 20:25:15 2008 From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Aug 20 20:25:25 2008 Subject: limit to the amount of white/blacklist rules. Message-ID: <7d9b3cf20808201225x4b6987a2kea511721eb7f621b@mail.gmail.com> Hi, does anyone know if there is a theoretical limit to the amount of white/blacklist rules that MailScanner can handle? I've searched the archives and there is only 1 email without answer saying that he had 40k of rules and some random problems. I pretend to use them through a CustomFunction (&SQLWhitelist and &SQLBlacklist). Any help would be appreciated :D Eduardo. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080820/2b9f89cf/attachment.html From campbell at cnpapers.com Wed Aug 20 19:15:05 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Aug 20 21:52:57 2008 Subject: startin, startout, stopms Message-ID: <48AC5F29.80900@cnpapers.com> I'm getting hammered today and my input queue just keeps growing and growing. I'd like to stop the input queue from receiving more mail but still process what's there using MS. What option do I give my /etc/rc.d/init.d/MailScanner command to accomplish this? Thanks for any help. Steve Campbell From hvdkooij at vanderkooij.org Wed Aug 20 23:02:51 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Aug 20 23:03:01 2008 Subject: startin, startout, stopms In-Reply-To: <48AC5F29.80900@cnpapers.com> References: <48AC5F29.80900@cnpapers.com> Message-ID: <48AC948B.5070702@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Campbell wrote: > I'm getting hammered today and my input queue just keeps growing and > growing. I'd like to stop the input queue from receiving more mail but > still process what's there using MS. What option do I give my > /etc/rc.d/init.d/MailScanner command to accomplish this? That highly depends on the mta used. One way would be to block inbound session with iptables and let the other side send it to your backup server(s) That would require no change at all to MailScanner or the MTA of your choice. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIrJSKBvzDRVjxmYERAnFrAJ0VJqM9QbZeJ2A3MrBu4gkkDVub7ACgncYk zZ83G8CWRlzmd4geH3/pH7w= =HR8g -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Wed Aug 20 23:06:01 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Aug 20 23:06:10 2008 Subject: limit to the amount of white/blacklist rules. In-Reply-To: <7d9b3cf20808201225x4b6987a2kea511721eb7f621b@mail.gmail.com> References: <7d9b3cf20808201225x4b6987a2kea511721eb7f621b@mail.gmail.com> Message-ID: <48AC9549.7020308@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eduardo Casarero wrote: > Hi, does anyone know if there is a theoretical limit to the amount of > white/blacklist rules that MailScanner can handle? I've searched the > archives and there is only 1 email without answer saying that he had 40k > of rules and some random problems. > > I pretend to use them through a CustomFunction (&SQLWhitelist and > &SQLBlacklist). > > Any help would be appreciated :D The theoretical limit will be staggeringly high. The practical limit is mainly dependent on the speed at which lookups in these tables can be done. (These are tables and not rules in the way most people use rules in plain text files with MailScanner.) Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIrJVHBvzDRVjxmYERAhpXAJ4yT3TdVnjpOlLd0sy56fMIYfbtUQCfU0VA /4aWhRgnTkHa63SM4vABNVo= =YiD/ -----END PGP SIGNATURE----- From andrew at gdcon.net Thu Aug 21 00:30:04 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Thu Aug 21 00:30:28 2008 Subject: Spam report addressed to multiple people In-Reply-To: <223f97700808190628m45126809y197720c323462533@mail.gmail.com> References: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net> <48A90805.20000@vanderkooij.org> <88037b741fad1c25cd75aacd8a204698.squirrel@wm.gdcon.net> <4f51e024c094cf5793c3e29c0e5c0b35.squirrel@wm.gdcon.net> <g8cv4u$7pf$1@ger.gmane.org> <48AA11AA.3060000@gdcon.net> <223f97700808190628m45126809y197720c323462533@mail.gmail.com> Message-ID: <48ACA8FC.1010806@gdcon.net> Glenn Steen wrote: > There are other effects, mainly with what you *cannot* do in a ruleset > while employing this setup, but I think those are covered in the > notes. > > Cheers > When a message is addressed to multiple recipients, and some of the recipient domains are not serviced by the MailScanner system, how can I ensure that notification is not sent to them? Does this solution also work for CC and BCC recipients? I'm assuming that PF only rewrites the envelope when it splits the messages - not the to/cc/bcc fields that users see??? Is it possible for MS to apply some cunning when it comes to notifications (i.e. a separate notification to each user?) I already have a self-service release url at the bottom of the notification which relies on the recipient info supplied by MS, which would work well if MS took notice of CC and BCC lists as well as splitting the lists (currently MS supplies a comma delimited list of only the recipients in the to: field). Sorry to be a pain... -Andy -- This message was scanned by ESVA and is believed to be clean. 
From ismail at ismailozatay.net Thu Aug 21 08:07:47 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Thu Aug 21 08:08:02 2008 Subject: Fetchmail and MailScanner References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc><48ABE808.3080400@alexb.ch> <EMEW-k7JCAR040113c7db0a9aa6a55298c2cb26d6b2-48ABFAEB.3050007@alexb.ch> <48AC27F2.8080501@ecs.soton.ac.uk><EMEW-k7JFdh488922239b5caabf07978c06ee435a6a-223f97700808200734w21eb0e6fg48c4ef1e54598c1b@mail.gmail.com> <48AC3851.4090405@ecs.soton.ac.uk> Message-ID: <8545846DA3B04F32989B89CCC3023AED@pc> Hi Julian, Thank you so much for this. It was a big problem for me :) . I have just tried it it seems working properly. Today i will test it on the production. Regards ismail ----- Original Message ----- From: "Julian Field" <MailScanner@ecs.soton.ac.uk> To: "MailScanner discussion" <mailscanner@lists.mailscanner.info> Sent: Wednesday, August 20, 2008 6:29 PM Subject: Re: Fetchmail and MailScanner > > > Glenn Steen wrote: >> 2008/8/20 Julian Field <MailScanner@ecs.soton.ac.uk>: >> >>> Alex Broens wrote: >>> >>>> On 8/20/2008 11:46 AM, Alex Broens wrote: >>>> >>>>> On 8/20/2008 11:22 AM, Ismail OZATAY wrote: >>>>> >>>>>> Hi Edward , >>>>>> >>>>>> I always read every incoming mail carefully. Also i know that Fabio >>>>>> Silva 's >>>>>> problem is still going on because using smtphost setting will never >>>>>> fix >>>>>> that >>>>>> problem. Fetchmail is routing all emails to smtp so source seems >>>>>> interface's >>>>>> ip which is set before by smtphost. 
>>>>>> >>>>>> Here is my .fetchmailrc file; >>>>>> >>>>>> set daemon 20 >>>>>> set syslog >>>>>> set postmaster root >>>>>> set invisible >>>>>> poll mail.test.net with proto POP3 and options no dns >>>>>> user 'test' with pass "123456" is 'realuser@internal.net' >>>>>> keep >>>>>> norewrite >>>>>> smtphost 192.168.100.3 >>>>>> >>>>>> Here is my incmoing mail header ; >>>>>> >>>>>> Received: from mail.test.net (mail.internal.net [192.168.100.3]) >>>>>> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288 >>>>>> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 >>>>>> (EEST) >>>>>> >>>>>> As you see coming source is 192.168.100.3 so mailscanner thinks that >>>>>> it >>>>>> is >>>>>> localhost. My question was how can i leave message source untouched ? >>>>>> >>>>>> Thanks Edward :) >>>>>> >>>>>> Regards, >>>>>> >>>>>> ismail >>>>>> >>>>>> >>>>>> ----- Original Message ----- From: "Edward Dekkers" >>>>>> <edward@tdcs.com.au> >>>>>> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> >>>>>> Sent: Wednesday, August 20, 2008 10:58 AM >>>>>> Subject: RE: Fetchmail and MailScanner >>>>>> >>>>>> >>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> I am using fetchmail as a pop connector. It downloads a lot of pop3 >>>>>>> inbox >>>>>>> from some isps and it works properly. Today i installed postfix and >>>>>>> mailscanner for filtering virus and spam mails on the same server >>>>>>> but >>>>>>> there >>>>>>> is something wrong with mail headers. Because mail header says that >>>>>>> mail >>>>>>> coming from localhost 127.0.0.1 which is already whitelisted. So >>>>>>> every >>>>>>> incoming mail is tagged as clean. How can i fix this problem ? Can i >>>>>>> send >>>>>>> incoming mails to smtp with the original header? >>>>>>> >>>>> doesn't the fetchmail "silent" switch do that for you? >>>>> >>>> Sorry.. meant "invisible" >>>> >>>> The --invisible option (keyword: set invisible) tries to make fetchmail >>>> invisible. 
Normally, fetchmail behaves like any other MTA would -- it >>>> generates a Received header into each message describing its place in >>>> the >>>> chain of transmission, and tells the MTA it forwards to that the mail >>>> came >>>> from the machine fetchmail itself is running on. If the invisible >>>> option is >>>> on, the Received header is suppressed and fetchmail tries to spoof the >>>> MTA >>>> it forwards to into thinking it came directly from the mailserver host. >>>> >>> But that still won't fool MailScanner. MailScanner uses the SMTP client >>> address written into the email's envelope. The MTA takes this from the >>> IP >>> address of the machine talking to it in the SMTP session during which it >>> received the message. >>> >>> So no matter what options you set on fetchmail, that can only ever be >>> the IP >>> address of the system itself, or localhost. So I fail to see how playing >>> with fetchmail configurations can possibly make any difference to this. >>> >>> The only thing that would make a difference is for me to start parsing >>> the >>> first Received: header and pulling the IP addresses out of that. Which I >>> currently only do when >>> 1) you are using Postfix >>> and >>> 2) the Postfix envelope contains no IP address at all. >>> I would have to generalise this code for all the MTAs I support. >>> >>> You would probably still have to tell fetchmail to not add its Received: >>> header even so. >>> >>> Jules >>> >> Much simpler to just avoid MailScanner, while releasing from >> quarantine (and thus not needing the WL of 127.0.0.1)... As per my >> previous advice... >> >> Cheers >> > Okay, the new beta is out. > > The only thing I can think you might need now is to be able to give a list > of IP addresses to ignore when looking for the "real" IP address in the > headers. I'll add that if anyone thinks they need it. Shouldn't be too > hard to add. 
Just need to convert a list of IP addresses (v4 and/or v6) > into a regexp and check for that when matching the IP addresses found in > the Received: headers. Lots of escaping, but nothing too tricky :-) > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ismail at ismailozatay.net Thu Aug 21 08:18:59 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Thu Aug 21 08:19:14 2008 Subject: Fetchmail and MailScanner References: <8F46525BFB69480FB6B64BECA9D20B37@pc> <!&!AAAAAAAAAAAYAAAAAAAAAKLd+wmIVIFPp6Cg2gjP/HPCgAAAEAAAAN3aUmNdXkRFkgkTH7Uh49cBAAAAAA==@tdcs.com.au> <0F582428D31647698C2099A2D36690A4@pc><48ABE808.3080400@alexb.ch> <EMEW-k7JCAR040113c7db0a9aa6a55298c2cb26d6b2-48ABFAEB.3050007@alexb.ch> <48AC27F2.8080501@ecs.soton.ac.uk><EMEW-k7JFdh488922239b5caabf07978c06ee435a6a-223f97700808200734w21eb0e6fg48c4ef1e54598c1b@mail.gmail.com> <48AC3851.4090405@ecs.soton.ac.uk> Message-ID: <01B56EBCC58244579B0E392A44474011@pc> Hi Julian , And also i found something about white/blacklist.If we use this option for white/black list too it will be better. Because source ip is different again. 
Thanks ismail ----- Original Message ----- From: "Julian Field" <MailScanner@ecs.soton.ac.uk> To: "MailScanner discussion" <mailscanner@lists.mailscanner.info> Sent: Wednesday, August 20, 2008 6:29 PM Subject: Re: Fetchmail and MailScanner > > > Glenn Steen wrote: >> 2008/8/20 Julian Field <MailScanner@ecs.soton.ac.uk>: >> >>> Alex Broens wrote: >>> >>>> On 8/20/2008 11:46 AM, Alex Broens wrote: >>>> >>>>> On 8/20/2008 11:22 AM, Ismail OZATAY wrote: >>>>> >>>>>> Hi Edward , >>>>>> >>>>>> I always read every incoming mail carefully. Also i know that Fabio >>>>>> Silva 's >>>>>> problem is still going on because using smtphost setting will never >>>>>> fix >>>>>> that >>>>>> problem. Fetchmail is routing all emails to smtp so source seems >>>>>> interface's >>>>>> ip which is set before by smtphost. >>>>>> >>>>>> Here is my .fetchmailrc file; >>>>>> >>>>>> set daemon 20 >>>>>> set syslog >>>>>> set postmaster root >>>>>> set invisible >>>>>> poll mail.test.net with proto POP3 and options no dns >>>>>> user 'test' with pass "123456" is 'realuser@internal.net' >>>>>> keep >>>>>> norewrite >>>>>> smtphost 192.168.100.3 >>>>>> >>>>>> Here is my incmoing mail header ; >>>>>> >>>>>> Received: from mail.test.net (mail.internal.net [192.168.100.3]) >>>>>> by mail.ismail.net (Postfix) with ESMTP id 99A49E8288 >>>>>> for <realuser@internal.net>; Wed, 20 Aug 2008 09:55:27 +0300 >>>>>> (EEST) >>>>>> >>>>>> As you see coming source is 192.168.100.3 so mailscanner thinks that >>>>>> it >>>>>> is >>>>>> localhost. My question was how can i leave message source untouched ? 
>>>>>> >>>>>> Thanks Edward :) >>>>>> >>>>>> Regards, >>>>>> >>>>>> ismail >>>>>> >>>>>> >>>>>> ----- Original Message ----- From: "Edward Dekkers" >>>>>> <edward@tdcs.com.au> >>>>>> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info> >>>>>> Sent: Wednesday, August 20, 2008 10:58 AM >>>>>> Subject: RE: Fetchmail and MailScanner >>>>>> >>>>>> >>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> I am using fetchmail as a pop connector. It downloads a lot of pop3 >>>>>>> inbox >>>>>>> from some isps and it works properly. Today i installed postfix and >>>>>>> mailscanner for filtering virus and spam mails on the same server >>>>>>> but >>>>>>> there >>>>>>> is something wrong with mail headers. Because mail header says that >>>>>>> mail >>>>>>> coming from localhost 127.0.0.1 which is already whitelisted. So >>>>>>> every >>>>>>> incoming mail is tagged as clean. How can i fix this problem ? Can i >>>>>>> send >>>>>>> incoming mails to smtp with the original header? >>>>>>> >>>>> doesn't the fetchmail "silent" switch do that for you? >>>>> >>>> Sorry.. meant "invisible" >>>> >>>> The --invisible option (keyword: set invisible) tries to make fetchmail >>>> invisible. Normally, fetchmail behaves like any other MTA would -- it >>>> generates a Received header into each message describing its place in >>>> the >>>> chain of transmission, and tells the MTA it forwards to that the mail >>>> came >>>> from the machine fetchmail itself is running on. If the invisible >>>> option is >>>> on, the Received header is suppressed and fetchmail tries to spoof the >>>> MTA >>>> it forwards to into thinking it came directly from the mailserver host. >>>> >>> But that still won't fool MailScanner. MailScanner uses the SMTP client >>> address written into the email's envelope. The MTA takes this from the >>> IP >>> address of the machine talking to it in the SMTP session during which it >>> received the message. 
>>> >>> So no matter what options you set on fetchmail, that can only ever be >>> the IP >>> address of the system itself, or localhost. So I fail to see how playing >>> with fetchmail configurations can possibly make any difference to this. >>> >>> The only thing that would make a difference is for me to start parsing >>> the >>> first Received: header and pulling the IP addresses out of that. Which I >>> currently only do when >>> 1) you are using Postfix >>> and >>> 2) the Postfix envelope contains no IP address at all. >>> I would have to generalise this code for all the MTAs I support. >>> >>> You would probably still have to tell fetchmail to not add its Received: >>> header even so. >>> >>> Jules >>> >> Much simpler to just avoid MailScanner, while releasing from >> quarantine (and thus not needing the WL of 127.0.0.1)... As per my >> previous advice... >> >> Cheers >> > Okay, the new beta is out. > > The only thing I can think you might need now is to be able to give a list > of IP addresses to ignore when looking for the "real" IP address in the > headers. I'll add that if anyone thinks they need it. Shouldn't be too > hard to add. Just need to convert a list of IP addresses (v4 and/or v6) > into a regexp and check for that when matching the IP addresses found in > the Received: headers. Lots of escaping, but nothing too tricky :-) > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From telecaadmin at gmail.com Thu Aug 21 09:18:47 2008 From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Thu Aug 21 09:19:59 2008 Subject: startin, startout, stopms In-Reply-To: <48AC948B.5070702@vanderkooij.org> References: <48AC5F29.80900@cnpapers.com> <48AC948B.5070702@vanderkooij.org> Message-ID: <48AD24E7.7060101@gmail.com> >> I'm getting hammered today and my input queue just keeps growing and >> growing. I'd like to stop the input queue from receiving more mail but >> still process what's there using MS. What option do I give my >> /etc/rc.d/init.d/MailScanner command to accomplish this? You'd have to stop the INCOMING SMTP sendmail (there are 2 instances usually). With postfix you cannot do that easily, because postfix both accepts new INCOMING as does it sent already MailScanner-processes mail. But you could shutdown postfix, let MS process the mail, and afterwards restart postfix so all processed mail will be sent in one go. Cheers, Ronny From MailScanner at ecs.soton.ac.uk Thu Aug 21 09:44:00 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 21 09:44:22 2008 Subject: startin, startout, stopms In-Reply-To: <EMEW-k7JLvoda407b36d66b55c4b8a6f97989fdc121-48AC5F29.80900@cnpapers.com> References: <EMEW-k7JLvoda407b36d66b55c4b8a6f97989fdc121-48AC5F29.80900@cnpapers.com> Message-ID: <48AD2AD0.50600@ecs.soton.ac.uk> Steve Campbell wrote: > I'm getting hammered today and my input queue just keeps growing and > growing. I'd like to stop the input queue from receiving more mail but > still process what's there using MS. What option do I give my > /etc/rc.d/init.d/MailScanner command to accomplish this? 
If you are using sendmail then
    service MailScanner stop
    service MailScanner startms
    service MailScanner startout
should do the trick if my memory serves me right. If you're using Postfix it's harder as there is only 1 Postfix daemon running so you would have to disable the incoming listener (or block it at your firewall).

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Aug 21 09:47:28 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 21 09:47:48 2008
Subject: limit to the amount of white/blacklist rules.
In-Reply-To: <EMEW-k7JKW2fce02cda79d7e30f16126830eaf8a8da-7d9b3cf20808201225x4b6987a2kea511721eb7f621b@mail.gmail.com>
References: <EMEW-k7JKW2fce02cda79d7e30f16126830eaf8a8da-7d9b3cf20808201225x4b6987a2kea511721eb7f621b@mail.gmail.com>
Message-ID: <48AD2BA0.5010103@ecs.soton.ac.uk>

Eduardo Casarero wrote:
> Hi, does anyone know if there is a theoretical limit to the amount of
> white/blacklist rules that MailScanner can handle? I've searched the
> archives and there is only 1 email without answer saying that he had
> 40k of rules and some random problems.
>
> I pretend to use them through a CustomFunction (&SQLWhitelist y
> &SQLBlacklist).

If you implement it as a straight text ruleset, I wouldn't advise more than a thousand or so rules, as it has to check them in order and it will just gradually get slower as you add more rules. There is no theoretical limit, however.
However, if you use a Custom Function to produce the answer, then you can of course make your logic as complicated as you like, it's your code.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From garyalex at gmail.com Thu Aug 21 09:49:20 2008
From: garyalex at gmail.com (Gary Alexander)
Date: Thu Aug 21 09:49:35 2008
Subject: startin, startout, stopms
In-Reply-To: <48AC5F29.80900@cnpapers.com>
References: <48AC5F29.80900@cnpapers.com>
Message-ID: <5489f9700808210149q1ea6bf66o407dfa89facb6b92@mail.gmail.com>

2008/8/20 Steve Campbell <campbell@cnpapers.com>
>
> I'm getting hammered today and my input queue just keeps growing and growing. I'd like to
> stop the input queue from receiving more mail but still process what's there using MS. What
> option do I give my /etc/rc.d/init.d/MailScanner command to accomplish this?

Again if you are using sendmail you can use the rate limiting functions for a permanent solution. See here for details http://www.technoids.org/dossed.html

--
Fax2mail: 086 607 9109
Website: http://blahlinux.blogspot.com

Courage is resistance to fear, mastery of fear - not absence of fear.
- Mark Twain

From campbell at cnpapers.com Thu Aug 21 12:32:47 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Aug 21 12:33:13 2008
Subject: startin, startout, stopms
In-Reply-To: <48AD2AD0.50600@ecs.soton.ac.uk>
References: <EMEW-k7JLvoda407b36d66b55c4b8a6f97989fdc121-48AC5F29.80900@cnpapers.com> <48AD2AD0.50600@ecs.soton.ac.uk>
Message-ID: <48AD525F.2050903@cnpapers.com>

Thanks all for the replies.
More below: Julian Field wrote: > > > Steve Campbell wrote: >> I'm getting hammered today and my input queue just keeps growing and >> growing. I'd like to stop the input queue from receiving more mail >> but still process what's there using MS. What option do I give my >> /etc/rc.d/init.d/MailScanner command to accomplish this? > If you are using sendmail then > service MailScanner stop > service MailScanner startms > service MailScanner startout > should do the trick if my memory serves me right. If you're using > Postfix it's harder as there is only 1 Postfix daemon running so you > would have to disable the incoming listener (or block it at your > firewall). > > Jules > Julian, I thought I remembered something about the startms command option, but alas, I haven't upgraded for a while and startms wasn't an option, although stopms was. startout has been there a while. It's still not convenient for me to upgrade, but would it be possible to extract the init script only from the latest and use it if I tweak it to match what I'm running now? Steve From glenn.steen at gmail.com Thu Aug 21 12:34:11 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 21 12:34:21 2008 Subject: Spam report addressed to multiple people In-Reply-To: <48ACA8FC.1010806@gdcon.net> References: <6f64aeefdc7f4e8eab785f4755bebb74.squirrel@wm.gdcon.net> <48A90805.20000@vanderkooij.org> <88037b741fad1c25cd75aacd8a204698.squirrel@wm.gdcon.net> <4f51e024c094cf5793c3e29c0e5c0b35.squirrel@wm.gdcon.net> <g8cv4u$7pf$1@ger.gmane.org> <48AA11AA.3060000@gdcon.net> <223f97700808190628m45126809y197720c323462533@mail.gmail.com> <48ACA8FC.1010806@gdcon.net> Message-ID: <223f97700808210434x692ca050uca69f69d873fac4a@mail.gmail.com> 2008/8/21 Andrew MacLachlan <andrew@gdcon.net>: > Glenn Steen wrote: >> >> There are other effects, mainly with what you *cannot* do in a ruleset >> while employing this setup, but I think those are covered in the >> notes. 
>> >> Cheers >> > > When a message is addressed to multiple recipients, and some of the > recipient domains are not serviced by the MailScanner system, how can I > ensure that notification is not sent to them? Some intelligent rulesets perhaps? > Does this solution also work for CC and BCC recipients? It works on the envelope addresses, regardless if they are "CC" or "BCC"... Those things aren't concepts of the SMTP conversation.... All recipients are "equal"...:-) > I'm assuming that PF only rewrites the envelope when it splits the messages > - not the to/cc/bcc fields that users see??? This will make multi-recipient mails be split into one message/recipient. Any rewriting will only be as per the normal SMTP behavior (Received:-lines added etc)... IIRC (I'm not using this ATM), those headers will be left alone. > Is it possible for MS to apply some cunning when it comes to notifications > (i.e. a seperate notification to each user?) I already have a self-service > release url at the bottom of the notification which relies on the recipient > info supplied by MS, which would work well if MS took notice of CC and BCC > lists as well as splitting the lists (currently MS supplies a comma > delimited list of only the recipients in the to: field). As said, this works on the envelope info, the actual things supplied in the SMTP conversation (RCPT TO:<...>), where the concept of BCC/CC just plain don't exist. > Sorry to be a pain... 
> -Andy > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From joost at waversveld.nl Thu Aug 21 13:19:38 2008 From: joost at waversveld.nl (Joost Waversveld) Date: Thu Aug 21 13:19:51 2008 Subject: startin, startout, stopms In-Reply-To: <48AD2AD0.50600@ecs.soton.ac.uk> References: <EMEW-k7JLvoda407b36d66b55c4b8a6f97989fdc121-48AC5F29.80900@cnpapers.com> <48AD2AD0.50600@ecs.soton.ac.uk> Message-ID: <48AD5D5A.1070303@waversveld.nl> The method I use (we're using sendmail): through the command "ps -ef | grep accept" we locate the PID of the incoming sendmail-daemon. Then we kill this PID. Mailscanner keeps running and delivering it's messages while the server won't accept any new messages (Those will go to another mailserver through loadbalancing). When the queue's are empty again, we start sendmail again through "service MailScanner startin" and the server starts accepting messages again. Best regards, Joost Waversveld Julian Field wrote: > > > Steve Campbell wrote: >> I'm getting hammered today and my input queue just keeps growing and >> growing. I'd like to stop the input queue from receiving more mail >> but still process what's there using MS. What option do I give my >> /etc/rc.d/init.d/MailScanner command to accomplish this? > If you are using sendmail then > service MailScanner stop > service MailScanner startms > service MailScanner startout > should do the trick if my memory serves me right. If you're using > Postfix it's harder as there is only 1 Postfix daemon running so you > would have to disable the incoming listener (or block it at your > firewall). 
>
> Jules
>

From prandal at herefordshire.gov.uk Thu Aug 21 13:54:24 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Aug 21 13:54:42 2008
Subject: Latest "Flight Ticket" malware spam
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0475BA94@HC-MBX02.herefordshire.gov.uk>

The malware authors can't spell, so we can use that to our advantage:

body MY_TROJAN6 /ticket, simply print it on a color printed/
describe MY_TROJAN6 "Airline Ticket" Trojan Dropper
score MY_TROJAN6 12

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

From richard.frovarp at sendit.nodak.edu Thu Aug 21 14:02:46 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Aug 21 14:02:58 2008
Subject: startin, startout, stopms
In-Reply-To: <48AD525F.2050903@cnpapers.com>
References: <EMEW-k7JLvoda407b36d66b55c4b8a6f97989fdc121-48AC5F29.80900@cnpapers.com> <48AD2AD0.50600@ecs.soton.ac.uk> <48AD525F.2050903@cnpapers.com>
Message-ID: <48AD6776.608@sendit.nodak.edu>

Steve Campbell wrote:
> Thanks all for the replies.
>
> More below:
>
> Julian Field wrote:
>>
>>
>> Steve Campbell wrote:
>>> I'm getting hammered today and my input queue just keeps growing and
>>> growing. I'd like to stop the input queue from receiving more mail
>>> but still process what's there using MS. What option do I give my
>>> /etc/rc.d/init.d/MailScanner command to accomplish this?
>> If you are using sendmail then
>>     service MailScanner stop
>>     service MailScanner startms
>>     service MailScanner startout
>> should do the trick if my memory serves me right. If you're using
>> Postfix it's harder as there is only 1 Postfix daemon running so you
>> would have to disable the incoming listener (or block it at your
>> firewall).
>>
>> Jules
>>
>
> Julian,
>
> I thought I remembered something about the startms command option, but
> alas, I haven't upgraded for a while and startms wasn't an option,
> although stopms was. startout has been there a while.
> It's still not convenient for me to upgrade, but would it be possible to extract the
> init script only from the latest and use it if I tweak it to match
> what I'm running now?
>
> Steve
>

check_mailscanner will start MS up in place of startms.

From campbell at cnpapers.com Thu Aug 21 14:03:15 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Aug 21 14:08:06 2008
Subject: startin, startout, stopms
In-Reply-To: <5489f9700808210149q1ea6bf66o407dfa89facb6b92@mail.gmail.com>
References: <48AC5F29.80900@cnpapers.com> <5489f9700808210149q1ea6bf66o407dfa89facb6b92@mail.gmail.com>
Message-ID: <48AD6793.8000406@cnpapers.com>

Gary Alexander wrote:
> 2008/8/20 Steve Campbell <campbell@cnpapers.com>
>
>> I'm getting hammered today and my input queue just keeps growing and growing. I'd like to
>> stop the input queue from receiving more mail but still process what's there using MS. What
>> option do I give my /etc/rc.d/init.d/MailScanner command to accomplish this?
>>
>
> Again if you are using sendmail you can use the rate limiting
> functions for a permanent solution. See here for details
> http://www.technoids.org/dossed.html
>
>
> --
> Fax2mail: 086 607 9109
> Website: http://blahlinux.blogspot.com
>
> Courage is resistance to fear, mastery of fear - not absence of fear.
> - Mark Twain
>

Gary,

Thanks very much for the link. I see it starting all over again today, so it looks as though I will need to use some of the suggestions from the link.

BTW -

I am using sendmail. The attack is from differing IPs for almost each message, so blocking the IP in the access file is useless as an immediate deterrent. MS/SA is doing its job properly and very well at not letting almost all of this through.
Thanks Steve From prandal at herefordshire.gov.uk Thu Aug 21 14:17:24 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Aug 21 14:17:40 2008 Subject: startin, startout, stopms In-Reply-To: <48AD6793.8000406@cnpapers.com> References: <48AC5F29.80900@cnpapers.com><5489f9700808210149q1ea6bf66o407dfa89facb6b92@mail.gmail.com> <48AD6793.8000406@cnpapers.com> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0475BAB1@HC-MBX02.herefordshire.gov.uk> Steve, Are you using RBLs at the MTA level to reduce the load? Phil -- Phil Randal Networks Engineer Herefordshire Council Hereford, UK -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Campbell Sent: 21 August 2008 14:03 To: MailScanner discussion Subject: Re: startin, startout, stopms Gary Alexander wrote: > 2008/8/20 Steve Campbell <campbell@cnpapers.com> > >> I'm getting hammered today and my input queue just keeps growing and >> growing. I'd like to stop the input queue from receiving more mail >> but still process what's there using MS. What option do I give my /etc/rc.d/init.d/MailScanner command to accomplish this? >> > > Again if you are using sendmail you can use the rate limiting > functions for a pemanent solution. See here for details > http://www.technoids.org/dossed.html > > > -- > Fax2mail: 086 607 9109 > Website: http://blahlinux.blogspot.com > > Courage is resistance to fear, mastery of fear - not absence of fear. > - Mark Twain > Gary, Thanks very much for the link. I see it starting all over again today, so it looks as though I will need to use some of the suggestions from the link. BTW - I am using sendmail. The attack is from differing IPs for almost each message, so blocking the IP in the access file is useless as an immediate deterent. MS/SA is doing it's job properly and very well at not letting almost all of this through. 
Thanks Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From campbell at cnpapers.com Thu Aug 21 14:46:49 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Aug 21 14:58:51 2008 Subject: startin, startout, stopms In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0475BAB1@HC-MBX02.herefordshire.gov.uk> References: <48AC5F29.80900@cnpapers.com><5489f9700808210149q1ea6bf66o407dfa89facb6b92@mail.gmail.com> <48AD6793.8000406@cnpapers.com> <7EF0EE5CB3B263488C8C18823239BEBA0475BAB1@HC-MBX02.herefordshire.gov.uk> Message-ID: <48AD71C9.2080901@cnpapers.com> Randal, Phil wrote: > Steve, > > Are you using RBLs at the MTA level to reduce the load? > > Phil > > -- > Phil Randal > Networks Engineer > Herefordshire Council > Hereford, UK > Phil, No, I'm not. I've gotten so many complaints about mail that might be discarded, that I only use them in SA. It's hard to tell sales staff that they can't have it both ways and to make them understand that. But thanks for the suggestion. If it gets too bad, I may use it. Steve > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Campbell > Sent: 21 August 2008 14:03 > To: MailScanner discussion > Subject: Re: startin, startout, stopms > > > > Gary Alexander wrote: > >> 2008/8/20 Steve Campbell <campbell@cnpapers.com> >> >> >>> I'm getting hammered today and my input queue just keeps growing and >>> growing. I'd like to stop the input queue from receiving more mail >>> but still process what's there using MS. What option do I give my >>> > /etc/rc.d/init.d/MailScanner command to accomplish this? > >>> >>> >> Again if you are using sendmail you can use the rate limiting >> functions for a pemanent solution. 
See here for details >> http://www.technoids.org/dossed.html >> >> >> -- >> Fax2mail: 086 607 9109 >> Website: http://blahlinux.blogspot.com >> >> Courage is resistance to fear, mastery of fear - not absence of fear. >> - Mark Twain >> >> > > Gary, > > Thanks very much for the link. I see it starting all over again today, > so it looks as though I will need to use some of the suggestions from > the link. > > BTW - > > I am using sendmail. The attack is from differing IPs for almost each > message, so blocking the IP in the access file is useless as an > immediate deterent. MS/SA is doing it's job properly and very well at > not letting almost all of this through. > > Thanks > > Steve > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jan-peter at koopmann.eu Thu Aug 21 15:19:09 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Thu Aug 21 15:19:36 2008 Subject: SpamAssassin Temp Dir running full In-Reply-To: <EMEW-k7JLKp837f66ca31c6ee9f6755431b5f8a576a-g8hqa1$grr$1@ger.gmane.org> References: <EMEW-k7I9YQ0de1e83e1cfc31f4bf7f5cc221993c1c-5F9EB2B0731E5B4D88FC20780DFD16104325A1@DE-SEXB01RZ.intern.seceidos.de> <48AA7D21.2010801@ecs.soton.ac.uk> <48AAB392.5030301@protos.mine.nu><g8esrb$q6g$2@ger.gmane.org><FADD3A3E-C102-47D8-B869-4F3AA8AAEE89@technologytiger.net> <EMEW-k7ILKg5d936e2c6d9801bb0b218afcd578ad8d-g8f628$cn$1@ger.gmane.org><EMEW-k7ILMY37e79201049c67892606fdf85ded2557-5F9EB2B0731E5B4D88FC20780DFD1610432647@DE-SEXB01RZ.intern.seceidos.de> <EMEW-k7JLKp837f66ca31c6ee9f6755431b5f8a576a-g8hqa1$grr$1@ger.gmane.org> Message-ID: <EMEW-k7KGJR56b7f83ef254315ca89e376c794a34f9-5F9EB2B0731E5B4D88FC20780DFD1610432717@DE-SEXB01RZ.intern.seceidos.de> > Are you running 3.2.4 or earlier? 
3.2.4 From MailScanner at ecs.soton.ac.uk Thu Aug 21 15:56:20 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 21 15:56:39 2008 Subject: startin, startout, stopms In-Reply-To: <EMEW-k7KCiIda045124eeed89ee2401b9979d7135f2-48AD525F.2050903@cnpapers.com> References: <EMEW-k7JLvoda407b36d66b55c4b8a6f97989fdc121-48AC5F29.80900@cnpapers.com> <48AD2AD0.50600@ecs.soton.ac.uk> <EMEW-k7KCiIda045124eeed89ee2401b9979d7135f2-48AD525F.2050903@cnpapers.com> Message-ID: <48AD8214.40703@ecs.soton.ac.uk> Steve Campbell wrote: > Thanks all for the replies. > > More below: > > Julian Field wrote: >> >> >> Steve Campbell wrote: >>> I'm getting hammered today and my input queue just keeps growing and >>> growing. I'd like to stop the input queue from receiving more mail >>> but still process what's there using MS. What option do I give my >>> /etc/rc.d/init.d/MailScanner command to accomplish this? >> If you are using sendmail then >> service MailScanner stop >> service MailScanner startms >> service MailScanner startout >> should do the trick if my memory serves me right. If you're using >> Postfix it's harder as there is only 1 Postfix daemon running so you >> would have to disable the incoming listener (or block it at your >> firewall). >> >> Jules >> > > Julian, > > I thought I remembered something about the startms command option, but > alas, I haven't upgraded for a while and startms wasn't an option, > although stopms was. startout has been there a while. It's still not > convenient for me to upgrade, but would it be possible to extract the > init script only from the latest and use it if I tweak it to match > what I'm running now? startms should be the same as just running "check_mailscanner". Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ecasarero at gmail.com Thu Aug 21 17:03:52 2008 From: ecasarero at gmail.com (Eduardo Casarero) Date: Thu Aug 21 17:04:02 2008 Subject: limit to the amount of white/blacklist rules. In-Reply-To: <48AD2BA0.5010103@ecs.soton.ac.uk> References: <EMEW-k7JKW2fce02cda79d7e30f16126830eaf8a8da-7d9b3cf20808201225x4b6987a2kea511721eb7f621b@mail.gmail.com> <48AD2BA0.5010103@ecs.soton.ac.uk> Message-ID: <7d9b3cf20808210903s396b4052l8044f44f538e8cde@mail.gmail.com> 2008/8/21 Julian Field <MailScanner@ecs.soton.ac.uk> > > > Eduardo Casarero wrote: > >> Hi, does anyone know if there is a theorically limit to the amount of >> white/blacklist rules that MailScanner can handle? I've searched the >> archives and there is only 1 email without answer saying that he had 40k of >> rules and some random problems. >> >> I pretend to use them through a CustomFunction (&SQLWhitelist y >> &SQLBlacklist). >> > If you implement it as a straight text ruleset, I wouldn't advise more than > a thousand or so rules, as it has to check them in order and it will just > gradually get slower as you add more rules. There is no theoretical limit, > however. > > However, if you use a Custom Function to produce the answer, then you can > of course make your logic as complicated as you like, it's your code. Thanks! I'll make some tests. > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! 
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080821/7f6aad0d/attachment.html

From hvdkooij at vanderkooij.org Thu Aug 21 17:51:13 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Aug 21 17:51:27 2008
Subject: startin, startout, stopms
In-Reply-To: <48AD71C9.2080901@cnpapers.com>
References: <48AC5F29.80900@cnpapers.com><5489f9700808210149q1ea6bf66o407dfa89facb6b92@mail.gmail.com> <48AD6793.8000406@cnpapers.com> <7EF0EE5CB3B263488C8C18823239BEBA0475BAB1@HC-MBX02.herefordshire.gov.uk> <48AD71C9.2080901@cnpapers.com>
Message-ID: <48AD9D01.8000404@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Campbell wrote:
>
>
> Randal, Phil wrote:
>> Steve,
>>
>> Are you using RBLs at the MTA level to reduce the load?
>>
>> Phil
>>
>> --
>> Phil Randal
>> Networks Engineer
>> Herefordshire Council
>> Hereford, UK
>>
>
> Phil,
>
> No, I'm not. I've gotten so many complaints about mail that might be
> discarded, that I only use them in SA. It's hard to tell sales staff
> that they can't have it both ways and to make them understand that.
>
> But thanks for the suggestion. If it gets too bad, I may use it.

You could even consider using a 4xx type for RBLs in the MTA. Any decent SMTP server will just resend the message a bit later. Or contact your backup server. But most direct spam senders will not retry or go to your backup server so it may be a good trade-off.

But in my experience one can not tackle this unless you kill a significant part of your spam at the MTA level.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIrZz/BvzDRVjxmYERAtHyAJwM5narfCb4zhMLjMJiV8J2RgucIgCdFytm
27ZDzY64ufDGfJh6mazpMPs=
=tc/W
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Thu Aug 21 21:04:46 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 21 22:02:50 2008
Subject: startin, startout, stopms
In-Reply-To: <EMEW-k7KHvMbca9f99ab5699d38cc94194db8c8f1cb-48AD9D01.8000404@vanderkooij.org>
References: <48AC5F29.80900@cnpapers.com><5489f9700808210149q1ea6bf66o407dfa89facb6b92@mail.gmail.com> <48AD6793.8000406@cnpapers.com> <7EF0EE5CB3B263488C8C18823239BEBA0475BAB1@HC-MBX02.herefordshire.gov.uk> <48AD71C9.2080901@cnpapers.com> <EMEW-k7KHvMbca9f99ab5699d38cc94194db8c8f1cb-48AD9D01.8000404@vanderkooij.org>
Message-ID: <48ADCA5E.80705@ecs.soton.ac.uk>

Hugo van der Kooij wrote:
> But in my experience one can not tackle this unless you kill a
> significant part of your spam at the MTA level.
>

<plug type="shameless">At which point you could do a whole lot worse than look at BarricadeMX. It really does work, I have a couple of thousand users who will tell you so!</plug>

:-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Fri Aug 22 06:36:05 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Aug 22 07:07:00 2008 Subject: [Fwd: You're on Whozat!] Message-ID: <48AE5045.1000405@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Right, Google made it harder to search for email addresses to stop spammers collect addresses. But it seems some other bozo's stepped in and started to serve the spammers community. Being too liberal with email constitutes a wrong attitude towards spam in my view and you may wish to act proactively against these people yourself. Hugo. - -------- Original Message -------- Subject: You're on Whozat! Date: Thu, 21 Aug 2008 17:56:38 -0500 From: The Whozat Team <team@whozat.com> To: hvdkooij@vanderkooij.org You are receiving this email because someone found you when searching for you or for somebody related to you on *Whozat, The People Search Engine.* We wanted to share this information with you and let you know some of what they found! In addition, we are offering you a *free Whozat membership* that allows you to see the complete set of search results for yourself and others, and to perform an *unlimited* number of queries. Please accept your invitation by going to http://www.whozat.com/auth/register/?email=hvdkooij@vanderkooij.org&referra.... 
Some of the most significant words in the search results were:
dejanovic, date, linux, message, securityfocus

Some of the web pages that the searcher found were:
http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-linux/2001-09/0120.html
http://www.securityfocus.com/archive/142/483594/30/120/threaded
http://www.securityfocus.com/archive/1/368158
http://www.securityfocus.com/archive/142/483389/30/120/threaded
http://planet.linux.hr/

Here are a few more good reasons to use Whozat:
- - Whozat outsearched Google 3 to 1 in a blind comparison.
- - Whozat tops AltSearchEngines ranking of Search Engines in Stealth.
- - Whozat was named one of the hottest start-ups by renowned technology blog TechCrunch.

We hope to welcome you to Whozat today!

The Whozat Founders (founders@whozat.com)

Whozat, Inc.
P.O. Box 6332
Altadena, CA 91003-6332

If you would like not to receive any further communication from us, please send email to unsubscribe@whozat.com.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIrlBCBvzDRVjxmYERAvMTAKCVTaNfFaEpKMm64cFPLCcA7ybj1gCfdsEa
CM/MJQIs8r89Q843pr5NXkg=
=qPIb
-----END PGP SIGNATURE-----

From prandal at herefordshire.gov.uk Fri Aug 22 08:01:27 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Aug 22 08:01:48 2008
Subject: This morning's Trojan
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CF66@HC-MBX02.herefordshire.gov.uk>

Hi folks,

The one to catch has a subject line of "Statement of fees 2008/09"

SA rule to get it is

header MY_TROJAN8 Subject =~ /^Statement of fees 2008\/09$/
describe MY_TROJAN8 Fees trojan
score MY_TROJAN8 12

Samples submitted to the usual places.
Phil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/bf9a107e/attachment.html

From hafiz at variegate.biz Fri Aug 22 09:03:41 2008
From: hafiz at variegate.biz (Hafiz (Variegate))
Date: Fri Aug 22 09:04:16 2008
Subject: Zip attachments not working in reply to an any e-mail
Message-ID: <48AE72DD.6030105@variegate.biz>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/b99c6bd0/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bronze-SHADOW.png
Type: image/png
Size: 2874 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/b99c6bd0/bronze-SHADOW.png

From velda.midanovic at trezor.sr.gov.yu Fri Aug 22 09:50:25 2008
From: velda.midanovic at trezor.sr.gov.yu (Velda Midanovic)
Date: Fri Aug 22 09:57:36 2008
Subject: A reports problem
In-Reply-To: <200808192252.m7JMqYAr017928@safir.blacknight.ie>
References: <200808192252.m7JMqYAr017928@safir.blacknight.ie>
Message-ID: <000601c90434$2a717960$7f546c20$@midanovic@trezor.sr.gov.yu>

Thank you! It worked like a charm :-)) I extended php.ini timeout. Can you tell me how to restrict the data range?

Best
Velda

-It's taking too long to run.
-Either increase the maximum execution time in php.ini or add a filter to the reports to restrict the date range so the report
---doesn't have as much work to do and therefore takes <30 seconds to run.

-On Tue, 2008-08-19 at 12:23, Velda Midanovic wrote:
> Reports are working fine.
>
> Except one (and even that one USED to work). And that one is
> "SpamAssassin Rule Hits" . It is quite important because I
> periodically remove key words that are no longer "valid".
Now it gives
> an error message in http log :
>
> ----
>
> PHP Fatal error: Maximum execution time of 30 seconds exceeded in
> /var/www/html/mailscanner/rep_sa_rule_hits
>
> ----
>
> I have no idea how to solve this.
>
> Please help.
>
> Velda
>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailscanner-request@lists.mailscanner.info
Sent: Wednesday, August 20, 2008 12:53 AM
To: mailscanner@lists.mailscanner.info
Subject: {Disarmed} MailScanner Digest, Vol 32, Issue 22

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Aug 22 10:10:46 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 22 10:11:08 2008
Subject: Zip attachments not working in reply to an any e-mail
In-Reply-To: <EMEW-k7L9CYffb0264875d8c5ac1dbd7010946c7d36-48AE72DD.6030105@variegate.biz>
References: <EMEW-k7L9CYffb0264875d8c5ac1dbd7010946c7d36-48AE72DD.6030105@variegate.biz>
Message-ID: <48AE8296.8090407@ecs.soton.ac.uk>

What mail client are they using when they reply and add attachments?

Can you please send me a mail queue spool file which causes this to happen incorrectly? Please send the file to mailscanner@ecs.soton.ac.uk.
Hafiz (Variegate) wrote:
> Hi list,
>
> We have integrated MailScanner with Scalix (using Postfix instead) and
> everything seems to work fine.
> I have enabled the auto zip function in MailScanner and below is how
> our configuration looks like
>
> Zip Attachments = yes
> Attachments Zip Filename = MessageAttachments.zip
> Attachments Min Total Size To Zip = 100k
> Attachment Extensions Not To Zip = .zip .rar .gz .tgz .7z
>
> We notice that the auto-zip function works if we create a new fresh
> e-mail with some attachments in it. The mail is sent with
> "MessageAttachments.zip" attached to it - works great !
>
> But it doesn't happen if we reply to any e-mail and add in some
> attachments. The recipient received the mail without the attachment
> being zipped.
>
> Is this normal or is there anything I miss ? Or might it probably be a bug ?
>
> By the way our MailScanner version
>
> Running on
> Linux 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 i686
> i386 GNU/Linux
> This is CentOS release 5.2 (Final)
> This is Perl version 5.008008 (5.8.8)
> This is MailScanner version 4.70.7
>
> --
> Thanks.
>
> Mohd Hafiz Ramly
> Senior Consultant
> *Variegate Systems Sdn Bhd*
> Tel : +60 4 2298808
> Fax : +60 4 2295006
> Mobile : +6 013 4812676
> Web : http://www.variegate.biz
> Variegate - Openbravo <http://www.variegate.biz/>
> <http://www.variegate.biz/>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From ajcartmell at fonant.com Fri Aug 22 10:11:39 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Fri Aug 22 10:11:50 2008
Subject: [Fwd: You're on Whozat!]
In-Reply-To: <48AE5045.1000405@vanderkooij.org>
References: <48AE5045.1000405@vanderkooij.org>
Message-ID: <op.uf96hpu253oa6f@ajc5.lan>

> Google made it harder to search for email addresses to stop spammers
> collecting addresses. But it seems some other bozos stepped in and started
> to serve the spammers' community.

Good news for people selling e-mail scanning services, I suppose.

The trouble with trying to keep e-mail addresses secret is that it's pretty-well impossible. You only need one contact to have an infection on their PC and your address is added to the spammers' lists. Once on a list, you're probably there forever.

As I'm a freelance web developer I want my e-mail address easily accessible to the world, and it is. Luckily MailScanner means I still see very little spam in my in-box :) Thanks Jules!

Anthony
--
www.fonant.com - Quality web sites

From hafiz at variegate.biz Fri Aug 22 10:47:49 2008
From: hafiz at variegate.biz (Hafiz (Variegate))
Date: Fri Aug 22 10:48:18 2008
Subject: Zip attachments not working in reply to an any e-mail
In-Reply-To: <48AE8296.8090407@ecs.soton.ac.uk>
References: <EMEW-k7L9CYffb0264875d8c5ac1dbd7010946c7d36-48AE72DD.6030105@variegate.biz> <48AE8296.8090407@ecs.soton.ac.uk>
Message-ID: <48AE8B45.2040400@variegate.biz>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/45d175e1/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bronze-SHADOW.png
Type: image/png
Size: 2874 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/45d175e1/bronze-SHADOW.png

From mailadmin at midland-ics.ie Fri Aug 22 11:01:27 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Fri Aug 22 11:01:51 2008
Subject: This morning's Trojan
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA03CF66@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA03CF66@HC-MBX02.herefordshire.gov.uk>
Message-ID: <004801c9043e$0bc7d9a0$23578ce0$@ie>

Hi Phil

How do you write your own rules in SA?

Regards
Kevin

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: 22 August 2008 08:01
To: mailscanner@lists.mailscanner.info
Subject: This morning's Trojan

Hi folks,

The one to catch has a subject line of "Statement of fees 2008/09"

SA rule to get it is

header MY_TROJAN8 Subject =~ /^Statement of fees 2008\/09$/
describe MY_TROJAN8 Fees trojan
score MY_TROJAN8 12

Samples submitted to the usual places.

Phil

This message has been scanned for viruses and dangerous content by <http://www.mailscanner.info/> MailScanner, and is believed to be clean.

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/f2cf994c/attachment-0001.html

From prandal at herefordshire.gov.uk Fri Aug 22 11:11:50 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Aug 22 11:12:09 2008
Subject: This morning's Trojan
In-Reply-To: <004801c9043e$0bc7d9a0$23578ce0$@ie>
References: <7EF0EE5CB3B263488C8C18823239BEBA03CF66@HC-MBX02.herefordshire.gov.uk> <004801c9043e$0bc7d9a0$23578ce0$@ie>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA048EF9E2@HC-MBX02.herefordshire.gov.uk>

Just chuck them into a local.cf (or whatever name you choose) in /etc/mail/spamassassin

Then reload MailScanner to pick up the changes.

ClamAV is now detecting this one as Trojan.Agent-42387

Cheers,

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mail Admin
Sent: 22 August 2008 11:01
To: 'MailScanner discussion'
Subject: RE: This morning's Trojan

Hi Phil

How do you write your own rules in SA?

Regards
Kevin

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: 22 August 2008 08:01
To: mailscanner@lists.mailscanner.info
Subject: This morning's Trojan

Hi folks,

The one to catch has a subject line of "Statement of fees 2008/09"

SA rule to get it is

header MY_TROJAN8 Subject =~ /^Statement of fees 2008\/09$/
describe MY_TROJAN8 Fees trojan
score MY_TROJAN8 12

Samples submitted to the usual places.

Phil

This message has been scanned for viruses and dangerous content by MailScanner <http://www.mailscanner.info/> , and is believed to be clean.

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited.
If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although we make every effort to keep our systems free from viruses, you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/5dacd309/attachment.html

From mailadmin at midland-ics.ie Fri Aug 22 11:28:15 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Fri Aug 22 11:28:35 2008
Subject: This morning's Trojan
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA048EF9E2@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA03CF66@HC-MBX02.herefordshire.gov.uk> <004801c9043e$0bc7d9a0$23578ce0$@ie> <7EF0EE5CB3B263488C8C18823239BEBA048EF9E2@HC-MBX02.herefordshire.gov.uk>
Message-ID: <005901c90441$c9cb77b0$5d626710$@ie>

Thank you for this. Much appreciated

Kevin

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: 22 August 2008 11:12
To: MailScanner discussion
Subject: RE: This morning's Trojan

Just chuck them into a local.cf (or whatever name you choose) in /etc/mail/spamassassin

Then reload MailScanner to pick up the changes.

ClamAV is now detecting this one as Trojan.Agent-42387

Cheers,

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mail Admin
Sent: 22 August 2008 11:01
To: 'MailScanner discussion'
Subject: RE: This morning's Trojan

Hi Phil

How do you write your own rules in SA?
Regards
Kevin

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: 22 August 2008 08:01
To: mailscanner@lists.mailscanner.info
Subject: This morning's Trojan

Hi folks,

The one to catch has a subject line of "Statement of fees 2008/09"

SA rule to get it is

header MY_TROJAN8 Subject =~ /^Statement of fees 2008\/09$/
describe MY_TROJAN8 Fees trojan
score MY_TROJAN8 12

Samples submitted to the usual places.

Phil

This message has been scanned for viruses and dangerous content by <http://www.mailscanner.info/> MailScanner, and is believed to be clean.

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although we make every effort to keep our systems free from viruses, you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

This message has been scanned for viruses and dangerous content by <http://www.mailscanner.info/> MailScanner, and is believed to be clean.

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/da3c63ad/attachment.html

From christo at it4africa.co.za Fri Aug 22 15:33:04 2008
From: christo at it4africa.co.za (Christo Bezuidenhout)
Date: Fri Aug 22 15:30:09 2008
Subject: Upgrade Issues
Message-ID: <8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za>

We currently use MailScanner 4.65.3 We never needed to upgrade to later versions. I see some nice features in the latest versions that we can use. What would be the issues that I need to look out for when upgrading to the latest version. We also use Clam 0.90.2. This I will also have to update with SA.

Thx

Christo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/62d960c2/attachment.html

From MailScanner at ecs.soton.ac.uk Fri Aug 22 15:58:06 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 22 15:58:33 2008
Subject: Upgrade Issues
In-Reply-To: <EMEW-k7LFdO0885c2a80119bfc64c0bdb138373a1c7-8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za>
References: <EMEW-k7LFdO0885c2a80119bfc64c0bdb138373a1c7-8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za>
Message-ID: <48AED3FE.3010204@ecs.soton.ac.uk>

Upgrade Clam and SA, then just install the new MailScanner over the top of your old one, then run upgrade_MailScanner_conf and upgrade_languages_conf and they will tell you how to use them correctly, in order that your settings are all upgraded and the new features added to the MailScanner.conf and languages.conf files.

Christo Bezuidenhout wrote:
>
> We currently use MailScanner 4.65.3 We never needed to upgrade to
> later versions. I see some nice features in the latest versions that
> we can use. What would be the issues that I need to look out for when
> upgrading to the latest version. We also use Clam 0.90.2. This I will
> also have to update with SA.
>
>
>
> Thx
>
> Christo
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ssilva at sgvwater.com Fri Aug 22 17:34:03 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 22 17:34:22 2008
Subject: Upgrade Issues
In-Reply-To: <8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za>
References: <8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za>
Message-ID: <g8mpps$k2n$1@ger.gmane.org>

on 8-22-2008 7:33 AM Christo Bezuidenhout spake the following:
> We currently use MailScanner 4.65.3 We never needed to upgrade to later
> versions. I see some nice features in the latest versions that we can
> use. What would be the issues that I need to look out for when upgrading
> to the latest version. We also use Clam 0.90.2. This I will also have to
> update with SA.
>
>
>
> Thx
>
> Christo
>
You really shouldn't let clam get that far behind. Usually more than 3 versions back and your updates start missing things that the newer engines would catch.

I would really recommend running clamd and using that with a newer version of MailScanner. The speed is slightly faster than the clam perl module, but the memory usage is much less.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080822/a147eb8a/signature.bin

From cbarber at techquility.net Fri Aug 22 17:42:19 2008
From: cbarber at techquility.net (Chris Barber)
Date: Fri Aug 22 17:43:50 2008
Subject: Blacklist and delete?
In-Reply-To: <D1587DCF6294524BAFA2C9944312FCC8C7D690@city-exch-w3e.cbj.local>
References: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net> <D1587DCF6294524BAFA2C9944312FCC8C7D690@city-exch-w3e.cbj.local>
Message-ID: <43F62CA225017044BC84CFAF92B4333B035CDD@sbsserver.Techquility.net>

Chris Barber wrote:
> I was wondering if this is possible...
>
> I have a few users who get tons of spam every day. MailScanner
> successfully blocks most of these through rules and/or blacklists. The
> problem is when users are viewing their quarantine, there are so many
> messages that it takes a long time to see if anything legitimate is in
> there. On servers running MailWatch with a quarantine report, the
> report has 150+ messages in it, again very time consuming to look
> through.
>
> So is it possible to have a blacklist entry that also deletes the
> message? This way the quarantine and/or the report email will not be
> overloaded?

>How have you set your spam action and high scoring spam action. I
>quarantine spam, but vaporize high scoring spam. If you're quarantining
>both, you could probably cut back on the amount quite a bit if you
>delete the high scoring stuff. Assuming you have the luxury of doing
>so..
>
>How do the users look at the quarantine? Are you using MailWatch? If
>so they can sort by spam score and probably ignore the stuff that is
>scoring a lot of points...
>
>...Kevin
>--
>Kevin Miller Registered Linux User No: 307357
>CBJ MIS Dept. Network Systems Admin., Mail Admin.
>155 South Seward Street ph: (907) 586-0242
>Juneau, Alaska 99801 fax: (907 586-4500

I am using MailWatch and perhaps this is a MailWatch list question but if I use the high scoring spam to delete messages, will MailWatch still show those messages in the Quarantine Report? Reason being that MailScanner still logs the deleted messages to the mailscanner mysql db as far as I know... which is where the quarantine report pulls from.

Or would that not happen? Does the sql query in the report know that the file was deleted and not to display that message in the report?

Thanks!

From cbarber at techquility.net Fri Aug 22 18:14:07 2008
From: cbarber at techquility.net (Chris Barber)
Date: Fri Aug 22 18:15:40 2008
Subject: Blacklist and delete?
In-Reply-To: <200808151802.m7FI2HAr007620@mxt.1bigthink.com>
References: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net> <200808151802.m7FI2HAr007620@mxt.1bigthink.com>
Message-ID: <43F62CA225017044BC84CFAF92B4333B035CE1@sbsserver.Techquility.net>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of dnsadmin 1bigthink.com
Sent: Friday, August 15, 2008 2:02 PM
To: MailScanner discussion
Subject: Re: Blacklist and delete?

At 01:27 PM 8/15/2008, you wrote:
>I was wondering if this is possible...
>
>I have a few users who get tons of spam every day. MailScanner
>successfully blocks most of these through rules and/or blacklists. The
>problem is when users are viewing their quarantine, there are so many
>messages that it takes a long time to see if anything legitimate is in
>there. On servers running MailWatch with a quarantine report, the report
>has 150+ messages in it, again very time consuming to look through.
>
>So is it possible to have a blacklist entry that also deletes the
>message? This way the quarantine and/or the report email will not be
>overloaded?
>
>Thanks,
>Chris

>Slightly OT, but what I did to solve my volume problem was rbldnsd
>(http://www.corpit.ru/mjt/rbldnsd.html); my own RBL. I've never
>trusted any of the RBL's entirely, except maybe Zen, but then we
>started doing major loads of International email and still wasn't
>sure about them.
>
>The point being, I not only took a load out of my user's inbox, but
>also off my MTA, because I use my own RBL to block at MTA. I compile
>my RBL list from MailWatch database of spammers and of all infected Zombies.
>
>It really helped me!
>
>Cheers,
>Glenn

Glenn,

This sounds very interesting indeed! I understand the concept and want to do this, but I don't know much about how to parse the db for this info. Is there any info out there that could help me?

Thanks!
Chris

From Kevin_Miller at ci.juneau.ak.us Fri Aug 22 18:40:19 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Aug 22 18:40:31 2008
Subject: Blacklist and delete?
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035CDD@sbsserver.Techquility.net>
References: <43F62CA225017044BC84CFAF92B4333B035C93@sbsserver.Techquility.net><D1587DCF6294524BAFA2C9944312FCC8C7D690@city-exch-w3e.cbj.local> <43F62CA225017044BC84CFAF92B4333B035CDD@sbsserver.Techquility.net>
Message-ID: <D1587DCF6294524BAFA2C9944312FCC8C7D6C6@city-exch-w3e.cbj.local>

Chris Barber wrote:
>
> I am using MailWatch and perhaps this is a MailWatch list question but
> if I use the high scoring spam to delete messages, will MailWatch
> still show those messages in the Quarantine Report? Reason being that
> MailScanner still logs the deleted messages to the mailscanner mysql
> db as far as I know... which is where the quarantine report pulls
> from.
>
> Or would that not happen? Does the sql query in the report know that
> the file was deleted and not to display that message in the report?

No. Since they're not quarantined, it won't show them. It will show them if you go to the reports section and click on message listing.
You can see the headers & such (the stuff in the database), but the message itself won't be accessible/recoverable since it was deleted.

S'later...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From campbell at cnpapers.com Fri Aug 22 19:14:54 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Aug 22 19:20:41 2008
Subject: startin, startout, stopms
In-Reply-To: <48AD9D01.8000404@vanderkooij.org>
References: <48AC5F29.80900@cnpapers.com><5489f9700808210149q1ea6bf66o407dfa89facb6b92@mail.gmail.com> <48AD6793.8000406@cnpapers.com> <7EF0EE5CB3B263488C8C18823239BEBA0475BAB1@HC-MBX02.herefordshire.gov.uk> <48AD71C9.2080901@cnpapers.com> <48AD9D01.8000404@vanderkooij.org>
Message-ID: <48AF021E.2030505@cnpapers.com>

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Steve Campbell wrote:
>
>> Randal, Phil wrote:
>>
>>> Steve,
>>>
>>> Are you using RBLs at the MTA level to reduce the load?
>>>
>>> Phil
>>>
>>> --
>>> Phil Randal
>>> Networks Engineer
>>> Herefordshire Council
>>> Hereford, UK
>>>
>>>
>> Phil,
>>
>> No, I'm not. I've gotten so many complaints about mail that might be
>> discarded, that I only use them in SA. It's hard to tell sales staff
>> that they can't have it both ways and to make them understand that.
>>
>> But thanks for the suggestion. If it gets too bad, I may use it.
>>
>
> You could even consider to use a 4xx type for RBL's in the MTA. Any
> decent SMTP server will just resend the message a bit later. Or contact
> your backup server. But most direct spam senders will not retry or go to
> your backup server so it may be a good trade-off
>
> But in my experience one can not tackle this unless you kill a
> significant part of your spam at the MTA level.
>
> Hugo.
>
>
>
Hugo,

Up until the last few days, I had not used a dnsbl, but as the problems I was having spread to other mail servers, and not having a convenient ruleset or rule in access to stop them, I finally added sbl-xbl.spamhaus.org to sendmail. I was amazed at the amount it caught. I ran a MW report before adding it just to make sure it was going to be relatively false-positive free.

Thanks for your (and everyone else's) suggestion and insistence on this thread.

Steve

From hvdkooij at vanderkooij.org Fri Aug 22 20:01:46 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Aug 22 20:01:58 2008
Subject: Upgrade Issues
In-Reply-To: <8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za>
References: <8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za>
Message-ID: <48AF0D1A.3010308@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christo Bezuidenhout wrote:
> We currently use MailScanner 4.65.3 We never needed to upgrade to later
> versions. I see some nice features in the latest versions that we can
> use. What would be the issues that I need to look out for when upgrading
> to the latest version. We also use Clam 0.90.2. This I will also have to
> update with SA.

You need more perl modules. To the best of my knowledge you will need to add at least: perl-OLE-Storage_Lite

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIrw0YBvzDRVjxmYERAltCAJ9V7I+/gUC5STtM2s1JDd7jYJi5fACgpEyR
KR77E0FY8rhhgg+5SD1G8q8=
=0f9N
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Fri Aug 22 20:15:59 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 22 20:16:15 2008
Subject: Upgrade Issues
In-Reply-To: <EMEW-k7LKAD18fb720ac5abcd4316b0fd37dbaffa16-48AF0D1A.3010308@vanderkooij.org>
References: <8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za> <EMEW-k7LKAD18fb720ac5abcd4316b0fd37dbaffa16-48AF0D1A.3010308@vanderkooij.org>
Message-ID: <48AF106F.8070308@ecs.soton.ac.uk>

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Christo Bezuidenhout wrote:
>
>> We currently use MailScanner 4.65.3 We never needed to upgrade to later
>> versions. I see some nice features in the latest versions that we can
>> use. What would be the issues that I need to look out for when upgrading
>> to the latest version. We also use Clam 0.90.2. This I will also have to
>> update with SA.
>>
>
> You need more perl modules. To the best of my knowledge you will need to
> add at least: perl-OLE-Storage_Lite
>
Just run the ./install.sh installation script in the new version and it will update and install any additional new dependencies. Don't bother trying to update them all yourself.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
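An offline check of the rule Phil Randal posted in the "This morning's Trojan" thread, of the kind worth running before the lines go into local.cf as he describes. This is an added example, not code from the list, MailScanner or SpamAssassin: the parser handles only the header/describe/score lines shown in that message, the regex is compiled with Python's re, the sample subjects are constructed, and the header is decoded first because SpamAssassin header rules match the decoded text unless the rule asks for :raw.

```python
import base64
import re
from email.header import decode_header, make_header

# The three rule lines as posted in the "This morning's Trojan" message.
LOCAL_CF = r"""
header   MY_TROJAN8 Subject =~ /^Statement of fees 2008\/09$/
describe MY_TROJAN8 Fees trojan
score    MY_TROJAN8 12
"""

# Only the "NAME Header =~ /regex/flags" form used in the thread is handled.
HEADER_RULE = re.compile(r"^(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")


def parse_rules(text):
    """Turn header/describe/score lines into {rule name: settings}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"incomplete line: {line!r}")
        keyword, rest = parts
        if keyword == "header":
            m = HEADER_RULE.match(rest)
            if m is None:
                raise ValueError(f"unsupported header rule: {line!r}")
            name, header, pattern, flags = m.groups()
            # In the Perl source, \/ only escapes the regex delimiter.
            pattern = pattern.replace("\\/", "/")
            rule = rules.setdefault(name, {})
            rule["header"] = header.lower()
            rule["regex"] = re.compile(pattern, re.I if "i" in flags else 0)
        elif keyword in ("describe", "score"):
            name, _, value = rest.partition(" ")
            value = value.strip()
            rules.setdefault(name, {})[keyword] = (
                float(value) if keyword == "score" else value
            )
        else:
            raise ValueError(f"unsupported keyword: {keyword!r}")
    return rules


def decoded_header(value):
    """Unfold and RFC 2047-decode a header value before matching."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    return str(make_header(decode_header(unfolded))).strip()


def evaluate(headers, rules):
    """Return (total score, sorted list of rule names that hit)."""
    hits, total = [], 0.0
    for name in sorted(rules):
        rule = rules[name]
        value = headers.get(rule.get("header"))
        if value is not None and rule["regex"].search(decoded_header(value)):
            hits.append(name)
            total += rule.get("score", 1.0)  # SpamAssassin's default score is 1.0
    return total, hits


# Constructed sample subjects, not taken from real traffic.
ENCODED = "=?UTF-8?B?" + base64.b64encode(b"Statement of fees 2008/09").decode() + "?="
SAMPLES = {
    "exact": "Statement of fees 2008/09",
    "base64 encoded-word": ENCODED,
    "reply prefix": "Re: Statement of fees 2008/09",
    "upper case": "STATEMENT OF FEES 2008/09",
}


def run_samples():
    """Score every constructed subject against the posted rule."""
    rules = parse_rules(LOCAL_CF)
    return {
        label: evaluate({"subject": subject}, rules)
        for label, subject in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (score, hits) in run_samples().items():
        print(f"{label:22} score={score:<5} hits={hits}")
```

The last two samples score 0 because the pattern is anchored at both ends and has no /i modifier, so the rule covers only the exact subject line. On the server itself, `spamassassin --lint` confirms the file parses before MailScanner is reloaded.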
From hvdkooij at vanderkooij.org Fri Aug 22 20:32:53 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Aug 22 20:33:02 2008
Subject: Upgrade Issues
In-Reply-To: <48AF106F.8070308@ecs.soton.ac.uk>
References: <8A7CA7FAD210714FB5FB35ED2E25941B1B338F@it4aproj.agi.co.za> <EMEW-k7LKAD18fb720ac5abcd4316b0fd37dbaffa16-48AF0D1A.3010308@vanderkooij.org> <48AF106F.8070308@ecs.soton.ac.uk>
Message-ID: <48AF1465.7060002@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
>
>
> Hugo van der Kooij wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Christo Bezuidenhout wrote:
>>
>>> We currently use MailScanner 4.65.3 We never needed to upgrade to later
>>> versions. I see some nice features in the latest versions that we can
>>> use. What would be the issues that I need to look out for when upgrading
>>> to the latest version. We also use Clam 0.90.2. This I will also have to
>>> update with SA.
>>>
>>
>> You need more perl modules. To the best of my knowledge you will need to
>> add at least: perl-OLE-Storage_Lite
>>
> Just run the ./install.sh installation script in the new version and it
> will update and install any additional new dependencies. Don't bother
> trying to update them all yourself.

Well. Unfortunaly I am bothering myself to do just that. But it is part of the wrapper package so it shouldn't bother yum users either.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIrxRiBvzDRVjxmYERAjNkAJ0bjjkhwo/05GnnDcYfyy9+W5qA+gCfcW9g
14M234A+4NvESPiFzShUcOw=
=uB9B
-----END PGP SIGNATURE-----

From paul.hutchings at mira.co.uk Fri Aug 22 21:32:26 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Fri Aug 22 21:32:39 2008
Subject: Most Cost Effective Antivirus Licensing?
Message-ID: <FF689DC51C3C1640BE668A0E31182AD004DB0DA0@mail03.mira.co.uk>

I'm running Postfix + MailScanner with ClamAV.

I'd like to get another engine and I'd like to know if anyone has looked into what the most cost effective product is in terms of obeying the licensing agreements?

For example each vendor makes a linux "server protection" product which is usually priced at flat rate and is cheaper than a "linux mail server protection" product which is usually priced per mailbox - per mailbox where, on the linux server, on an internal Exchange server behind a DMZ MailScanner box.. if you see what I mean?

Cheers,
Paul

--
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From ram at netcore.co.in Sat Aug 23 08:43:17 2008
From: ram at netcore.co.in (ram)
Date: Sat Aug 23 08:43:33 2008
Subject: clamavmodule CL_SCAN_PHISHING_DOMAINLIST error
Message-ID: <1219477397.25503.23.camel@darkstar.netcore.co.in>

I have Mail::ClamAV version 0.22 and clamav 0.93

When I use clamavmodule in MailScanner this gives me an error

Commercial virus checker failed with real error: Invalid function CL_SCAN_PHISHING_DOMAINLIST at /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/Mail/ClamAV.pm line 120.

What is wrong ?
Thanks Ram
From cazahenha at hotmail.com Sat Aug 23 11:46:03 2008 From: cazahenha at hotmail.com (Caza Henha) Date: Sat Aug 23 11:46:17 2008 Subject: Infinite Loop Message-ID: <BAY133-W544A07DCC859D843C398BCBC650@phx.gbl> Hi Everyone, This is my first post to the group so please excuse me if I haven't included anything salient. I am setting up a new spam gateway using postfix and MailScanner/Mail Watch on Ubuntu and I believed to have everything set up correctly. However when mail is sent to the server it just goes through the following endlessly until I kill MailScanner (for debugging I set Use Spamassassin = no and Virus Scanner = none) :

....
Aug 23 02:37:09 smtp MailScanner[5129]: SpamAssassin temporary working directory is /var/spoolncoming/SpamAssassin-Temp
Aug 23 02:35:54 smtp MailScanner[5073]: Using locktype = flock
Aug 23 02:35:55 smtp MailScanner[5073]: New Batch: Scanning 1 messages, 1841 bytes
Aug 23 02:35:56 smtp MailScanner[5077]: MailScanner E-Mail Virus Scanner version 4.68.8 starting...
Aug 23 02:35:56 smtp MailScanner[5077]: Read 817 hostnames from the phishing whitelist
Aug 23 02:35:57 smtp MailScanner[5077]: Read 5141 hostnames from the phishing blacklist
Aug 23 02:35:57 smtp MailScanner[5077]: Config: calling custom init function SQLBlacklist
Aug 23 02:35:57 smtp MailScanner[5077]: Starting up SQL Blacklist
Aug 23 02:35:58 smtp MailScanner[5077]: Read 0 blacklist entries
Aug 23 02:35:58 smtp MailScanner[5077]: Config: calling custom init function MailWatchLogging
Aug 23 02:35:58 smtp MailScanner[5077]: Started SQL Logging child
Aug 23 02:35:58 smtp MailScanner[5077]: Config: calling custom init function SQLWhitelist
Aug 23 02:35:59 smtp MailScanner[5077]: Starting up SQL Whitelist
Aug 23 02:35:59 smtp MailScanner[5077]: Read 0 whitelist entries
Aug 23 02:35:59 smtp MailScanner[5077]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Aug 23 02:44:09 smtp MailScanner[5250]: lock.pl sees Config LockType = flock
...

I set the 'debug = yes' and I get the following output:

In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...
Have a batch of 1 message.
Can't use an undefined value as a symbol reference at /usr/share/MailScanner//MailScanner/Message.pm line 1979.

I checked out line 1979 and it relates to the following code:

if (MailScanner::Config::Value('mta') =~ /sendmail|exim|postfix|zmailer/i) {
  #
  # This is for sendmail and Exim systems
  #
  $handle = IO::File->new_tmpfile;
  binmode($handle); # Line 1979
  $this->{store}->ReadMessageHandle($this, $handle) or return;

  ## Do the actual parsing
  my $maxparts = MailScanner::Config::Value('maxparts', $this) || 200;
  MIME::Entity::ResetMailScannerCounter($maxparts);
  # Inform MIME::Parser about our maximum
  $parser->max_parts($maxparts * 3);
  $entity = eval { $parser->parse($handle) };

  # close and delete tmpfile
  close($handle);

Is the above error message causing the loop or is it something else? I believe I have all the perl modules installed and I am using the mailscanner_4.68.8-1_all.deb and followed the instructions here: http://www.mailscanner.info/ubuntu.html and http://howtoforge.org/the-perfect-spamsnake-ubuntu-8.04 Regards, Caza -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080823/c2e3936b/attachment.html
From hvdkooij at vanderkooij.org Sat Aug 23 12:04:27 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Aug 23 12:04:37 2008 Subject: [Fwd: You're on Whozat!]
In-Reply-To: <op.uf96hpu253oa6f@ajc5.lan> References: <48AE5045.1000405@vanderkooij.org> <op.uf96hpu253oa6f@ajc5.lan> Message-ID: <48AFEEBB.5020605@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anthony Cartmell wrote: >> Google made it harder to search for email addresses to stop spammers >> collect addresses. But it seems some other bozos stepped in and started >> to serve the spammers community. > > Good news for people selling e-mail scanning services, I suppose. > > The trouble with trying to keep e-mail addresses secret is that it's > pretty-well impossible. You only need one contact to have an infection > on their PC and your address is added to the spammers' lists. Once on a > list, you're probably there forever. > > As I'm a freelance web developer I want my e-mail address easily > accessible to the world, and it is. Luckily MailScanner means I still > see very little spam in my in-box :) Keeping addresses a secret is not the best way to fight off spam. There is no disagreement there. But there is a limit as far as one should help spammers collect useful lists of addresses. This party has crossed over to the dark side in my view. I am already part of some honeypot projects and am planning on starting a simple project myself with the simple purpose of generating pseudo random email addresses for my domain if people visit the wrong page (one not visibly linked). Recording the client information of visitors and linking them to the pseudo addresses will allow me to track how certain addresses were obtained. And it will pollute the spammers address lists even further. In a similar fashion I use unique addresses for webforms and such. I tend to slip in slight typos so I can see how the address is being (ab)used. That way I found out that Verisign is not trustworthy at all. They sold my accounting details to others. These accounting details were the only bit one could not obtain with a whois query. But they ended up by magazine publishers.
At least one magazine publisher using that address told me they just sold the addresses for their advertising campaign. So Verisign is flirting with the dark side. And this was before they started hijacking the internet by redirecting non-existing domains. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIr+65BvzDRVjxmYERArTyAJ9sjdfg/WswlQYj0rU2sGS5fNn3UACffzzt Id5xlNJNShUma1pYx5KpL9U= =H4bj -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sat Aug 23 12:31:26 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Aug 23 12:31:36 2008 Subject: Infinite Loop In-Reply-To: <BAY133-W544A07DCC859D843C398BCBC650@phx.gbl> References: <BAY133-W544A07DCC859D843C398BCBC650@phx.gbl> Message-ID: <48AFF50E.9050800@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Caza Henha wrote: > This is my first post to the group so please excuse me is I haven't > included anything salient. I am setting up a new spam gateway using > postfix and MailScanner/Mail Watch on Ubuntu and I belived to have > everything set up correctly. However we mail is sent to the server it > just goes through the following endlessly until I kill MailScanner (for > debugging I set Use Spamassassin = no and Virus Scanner = none) : Please show your config changes by including the output of: MailScanner -c Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIr/UMBvzDRVjxmYERAiDiAJ0ZMBl6jeB6HyQPoHY1f8dORe1GIwCgumgu mSdsfZdsYlxn32mJVPcp1hk= =+jA9 -----END PGP SIGNATURE-----
From cazahenha at hotmail.com Sat Aug 23 12:55:14 2008 From: cazahenha at hotmail.com (Caza Henha) Date: Sat Aug 23 12:55:26 2008 Subject: Infinite Loop In-Reply-To: <48AFF50E.9050800@vanderkooij.org> References: <BAY133-W544A07DCC859D843C398BCBC650@phx.gbl> <48AFF50E.9050800@vanderkooij.org> Message-ID: <BAY133-W23C7A9E01F07671096CC03BC650@phx.gbl> Hello, The output of MailScanner -c is as follows:

Option Name Default Current Value
===============================================================================
alwayslookeduplast no FUNCTION:MailWatchLogging
attachmentextensionsnottozip .zip .rar .gz .tgz .mpg .mpe .mpeg .mp3 .rpm .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
attachmentwarningfilename VirusWarning.txt Test-Attachment-Warning.txt
clamavfullmessagescan no yes
clamdlockfile /var/run/clamav/clamd.pid
clamdsocket 127.0.0.1 /var/run/clamav/clamd.ctl
customfunctionsdir /usr/lib/MailScanner/MailScanner/CustomFunctions /etc/MailScanner/CustomFunctions
debug no yes
enablespambounce no RULESET:Default=no
envelopefromheader X-MailScanner-Envelope-From: X-Test-MailScanner-From:
envelopetoheader X-MailScanner-Envelope-To: X-Test-MailScanner-To:
filenamerules /etc/MailScanner/filename.rules.conf
filetyperules /etc/MailScanner/filetype.rules.conf
firstcheck mcp spam
highscoringspamactions deliver header "X-Spam-Status: Yes" deliver header "X-Spam-Status: Yes" store
hostname the MailScanner the Test () MailScanner
ignoredwebbugfilenames spacer pixel.gif pixel.png gap shim
incomingqueuedir /var/spool/mqueue.in /var/spool/postfix/hold
incomingworkgroup clamav
incomingworkpermissions 0600 0640
isdefinitelynotspam no FUNCTION:SQLWhitelist
isdefinitelyspam no FUNCTION:SQLBlacklist
knownwebbugservers msgtag.com
languagestrings /etc/MailScanner/reports/en/languages.conf
lockfiledir /var/lock/subsys/MailScanner/ /var/lock/subsys/MailScanner
mailheader X-MailScanner: X-Test-MailScanner:
mailscannerversionnumber 1.0.0 4.68.8
maxchildren 5 1
maximummessagesize 0 RULESET:Default=0
maxspamassassinsize 30000 200k
maxspamchecksize 150000 200000
mcpheader X-MailScanner-MCPCheck: X-Test-MailScanner-MCPCheck:
mcpmaxspamassassinsize 100000 100k
monitorsforclamavupdates /usr/local/share/clamav/*.cvd /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
monitorsforsophosupdates /usr/local/Sophos/ide/*.zip /opt/sophos-av/lib/sav/*.ide
mta sendmail postfix
nonspamactions deliver header "X-Spam-Status: No" deliver header "X-Spam-Status: No" store
notifysenders yes no
outgoingqueuedir /var/spool/mqueue /var/spool/postfix/incoming
pidfile /var/run/MailScanner.pid /var/run/MailScanner/MailScanner.pid
quarantinegroup www-data
quarantineuser root
quarantinewholemessage no yes
rejectionreport /etc/MailScanner/reports/en/message.rejection.report.txt /etc/MailScanner/reports/en/rejection.report.txt
restartevery 14400 7200
runasgroup 0 www-data
runasuser 0 postfix
sendnotices yes no
signatureimagefilename /etc/MailScanner/reports/en/sig.jpg
signatureimageimgfilename signature.jpg
sophosidedir /opt/sophos-av/lib/sav
sophoslibdir /opt/sophos-av/lib
spamactions deliver header "X-Spam-Status: Yes" deliver header "X-Spam-Status: Yes" store
spamassassinsiterulesdir /etc/mail/spamassassin
spamassassinuserstatedir /var/spool/MailScanner/spamassassin
spamheader X-MailScanner-SpamCheck: X-Test-MailScanner-SpamCheck:
spamlist spamcop.net SBL+XBL
spamscoreheader X-MailScanner-SpamScore: X-Test-MailScanner-SpamScore:
spamsubjecttext {Spam?} {Spam - _STARS_ }
treatinvalidwatermarkswithnosenderasspam spam nothing
usespamassassin yes no
usewatermarking yes no
virusscanners auto clamd
watermarkheader MailScanner-NULL-Check: X-Test-MailScanner-Watermark:
watermarksecret Watermark-secret Test-Secret
webbugreplacement http://www.mailscanner.info/images/1x1spacer.gif http://www.mailscanner.tv/1x1spacer.gif
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080823/1a09e2af/attachment.html
From jon.bates at summitinvestment.com.au Sat Aug 23 13:27:36 2008 From: jon.bates at summitinvestment.com.au (Jon Bates) Date: Sat Aug 23 13:27:55 2008 Subject: EXE Files Slipping Through Message-ID: <001e01c9051b$a0951330$e1bf3990$@bates@summitinvestment.com.au> I'm hoping someone can help me here. By using filename and filetype exceptions I've allowed myself to send and receive .exe files. I've banned this for all other addresses though. The reason for this is that it catches a huge amount of malware that slips through Clamav/Sophos - at the moment it's hundreds of "Fedex tracking number" emails with a zipped exe attachment that aren't being detected! My problem is when malware emails arrive which are addressed to me AS WELL as other people - This means the infected email is actually delivered to the other people on the email! Is this normal behaviour? I'm smart enough not to open these emails, but other people are not! Is there any way to stop this behaviour without me losing my ability to send/receive EXE files? Cheers!
From mbneto at gmail.com Sat Aug 23 13:32:01 2008 From: mbneto at gmail.com (mbneto) Date: Sat Aug 23 13:32:10 2008 Subject: Restricting message size per recipient Message-ID: <5cf776b80808230532k4eaef8e0w66fb387e89f82f40@mail.gmail.com> Hi, I'd like to limit the size of the message sent/received by users based on the email address of that user. I can do this at MTA level but for all users. Can I do this from MailScanner? I'd like to set the maximum in my MTA and lower that limit for the rest of users. -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080823/7a83b0c9/attachment.html
From martinh at solidstatelogic.com Sat Aug 23 13:36:49 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Sat Aug 23 13:34:22 2008 Subject: Infinite Loop Message-ID: <auto-001219494853@solidstatelogic.com> Hi, I'd double check what you did to install, as the mailwatch isn't being called for a start.. "Always looked up last" is no when is should have been altered. -- martin -----Original Message----- From: Caza Henha <cazahenha@hotmail.com> Sent: Saturday, August 23, 2008 12:59 PM To: MailScanner discussion <mailscanner@lists.mailscanner.info> Subject: RE: Infinite Loop Hello, The output of MailScanner -c is as follows: ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From shuttlebox at gmail.com Sat Aug 23 13:39:51 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Sat Aug 23 13:40:01 2008 Subject: EXE Files Slipping Through In-Reply-To: <-8769665372960671445@unknownmsgid> References: <-8769665372960671445@unknownmsgid> Message-ID: <625385e30808230539v294ea865pdbb1910a1139b91a@mail.gmail.com> On Sat, Aug 23, 2008 at 2:27 PM, Jon Bates <jon.bates@summitinvestment.com.au> wrote: > Is there any way to stop this behaviour without me losing my ability to > send/receive EXE files? Look at "Use Default Rules With Multiple Recipients" but the real solution is to split your recipients into separate messages. The latter is described in the wiki. -- /peter From martinh at solidstatelogic.com Sat Aug 23 13:43:45 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Sat Aug 23 13:41:18 2008 Subject: EXE Files Slipping Through Message-ID: <auto-001219495268@solidstatelogic.com> Yes Mailscanner treats the envelope-to as the recipient as user to run the 'to' rules over. Otherwise if one user has 'yes' and another 'no' which should it obey? If you're going to get around this you need to split the emails into individual recipients. There's 'how-to's for sendmail, postfix and exim in the wiki. -- martin -----Original Message----- From: Jon Bates <jon.bates@summitinvestment.com.au> Sent: Saturday, August 23, 2008 1:31 PM To: mailscanner@lists.mailscanner.info Subject: EXE Files Slipping Through Im hoping someone can help me here. By using filename and filetype exceptions I've allowed myself to send and receive .exe files. I've banned this for all other addresses though. 
The reason for this is that it catches a huge amount of malware that slips through Clamav/Sophos - at the moment it's hundreds of "Fedex tracking number" emails with a zipped exe attachment that aren't being detected! My problem is when malware emails arrive which are addressed to me AS WELL as other people - This means the infected email is actually delivered to the other people on the email! Is this normal behaviour? I'm smart enough not to open these emails, but other people are not! Is there any way to stop this behaviour without me losing my ability to send/receive EXE files? Cheers! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
From cazahenha at hotmail.com Sat Aug 23 13:44:46 2008 From: cazahenha at hotmail.com (Caza Henha) Date: Sat Aug 23 13:44:57 2008 Subject: Infinite Loop In-Reply-To: <BAY133-W23C7A9E01F07671096CC03BC650@phx.gbl> References: <BAY133-W544A07DCC859D843C398BCBC650@phx.gbl> <48AFF50E.9050800@vanderkooij.org> <BAY133-W23C7A9E01F07671096CC03BC650@phx.gbl> Message-ID: <BAY133-W5354C107095474A373C2EABC650@phx.gbl> Hi Everyone, I seemed to have solved the problem with my own bit of perl debugging. I changed the line of code to

$handle = IO::File->new_tmpfile or die "Unable to make new temporary file: $!";

I'm not sure why the code is not like this in the first place as it seems to stall the program, however it returns "Invalid Argument". I checked the permissions on Ubuntu JeOS's tmp directory and it was only writable by root so I changed it by:

sudo chmod o+w /tmp/

and this line now completes without any problem however I now get the following issue:

commit ineffective with AutoCommit enabled at /etc/MailScanner/CustomFunctions/MailWatch.pm line 93, <CLIENT> line 30.

but I think that is an entirely different issue. Regards, Caza -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080823/c67c236c/attachment.html From prandal at herefordshire.gov.uk Sat Aug 23 14:24:11 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sat Aug 23 14:24:28 2008 Subject: EXE Files Slipping Through In-Reply-To: <001e01c9051b$a0951330$e1bf3990$@bates@summitinvestment.com.au> References: <001e01c9051b$a0951330$e1bf3990$@bates@summitinvestment.com.au> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CF69@HC-MBX02.herefordshire.gov.uk> But those are so easily caught by SpamAssassin! Which is what I resorted to doing. Cheers, Phil -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jon Bates Sent: 23 August 2008 13:28 To: mailscanner@lists.mailscanner.info Subject: EXE Files Slipping Through Im hoping someone can help me here. By using filename and filetype exceptions I've allowed myself to send and receive .exe files. I've banned this for all other addresses though. The reason for this is that it catches a huge amount of malware that slips through Clamav/Sophos - at the moment its hundreds of "Fedex tracking number" emails with a zipped exe attachment that aren't being detected! My problem is when malware emails arrive which are addressed to me AS WELL as other people - This means the infected email is actually delivered to the other people on the email! Is this normal behaviour? I'm smart enough not to open these emails, but other people are not! Is there any way to stop this behaviour without me losing my ability to send/receive EXE files? Cheers! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
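The multi-recipient problem in the "EXE Files Slipping Through" thread above, as an added example (not MailScanner code and not from any poster): a small Python model of why a single ruleset verdict per message lets one recipient's exception apply to everyone, and why splitting per recipient avoids it. The rule format, addresses and policy names are constructed, and both unsplit modes, including the `*@domain` / `*@*` lookup used for "Use Default Rules With Multiple Recipients", are assumptions of the model.

```python
"""Model of ruleset lookup for a message with several recipients.

Added illustration only, not MailScanner code: the rule format, addresses and
policy names are constructed, and the two unsplit modes are simplifications.
"""
from fnmatch import fnmatchcase

# Constructed ruleset, first match wins: one user may receive .exe files,
# everyone else may not.
RULES = [
    ("jon@example.com", "allow-exe"),
    ("default", "deny-exe"),
]


def matches(pattern, address):
    """True if a rule pattern (shell-style wildcard or 'default') covers address."""
    if pattern == "default":
        return True
    return fnmatchcase(address.lower(), pattern.lower())


def lookup(address, rules=RULES):
    """Policy for a single address: the value of the first matching rule."""
    for pattern, value in rules:
        if matches(pattern, address):
            return value
    return None


def unsplit_verdict(recipients, rules=RULES, default_rules=False):
    """One policy for the whole message, shared by every recipient.

    default_rules=False: the first rule matching ANY recipient decides
    (assumed reading of the behaviour reported in the thread).
    default_rules=True: with several recipients, look up "*@domain" if they
    share a domain, else "*@*" (assumed model of the option named in the thread).
    """
    if len(recipients) == 1:
        return lookup(recipients[0], rules)
    if default_rules:
        domains = {r.rsplit("@", 1)[1].lower() for r in recipients}
        key = "*@" + next(iter(domains)) if len(domains) == 1 else "*@*"
        return lookup(key, rules)
    for pattern, value in rules:
        if any(matches(pattern, r) for r in recipients):
            return value
    return None


def deliveries(recipients, split, default_rules=False, rules=RULES):
    """Map each recipient to the policy applied to the copy they receive."""
    if split:
        # The MTA has already split the message: one recipient per queue file.
        return {r: lookup(r, rules) for r in recipients}
    verdict = unsplit_verdict(recipients, rules, default_rules)
    return {r: verdict for r in recipients}


if __name__ == "__main__":
    rcpts = ["jon@example.com", "alice@example.com"]
    for label, kwargs in [
        ("unsplit", {"split": False}),
        ("unsplit, default rules", {"split": False, "default_rules": True}),
        ("split per recipient", {"split": True}),
    ]:
        print(f"{label:24} {deliveries(rcpts, **kwargs)}")
```

In the model, the default-rules mode protects the other recipients at the cost of the exception for any message that has more than one recipient; only the split case gives each recipient their own policy.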
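For the temp-directory diagnosis in the "Infinite Loop" thread above, an added example (not from the posters or from MailScanner): a Python check that a shared temp directory is usable by a daemon running as a non-owner user and still carries the sticky bit, which `chmod o+w` on its own does not set. Function names and finding codes are hypothetical; mode 1777 is the conventional setting for /tmp.

```python
"""Audit a shared temp directory before a mail-scanning daemon relies on it.

Added illustration only: function names and finding codes are hypothetical.
"""
import errno
import os
import stat
import tempfile

CONVENTIONAL_TMP_MODE = 0o1777  # rwxrwxrwt


def audit_tmpdir(path):
    """Return finding codes for `path`; an empty list means the mode is sane."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    other_write = bool(mode & stat.S_IWOTH)
    other_search = bool(mode & stat.S_IXOTH)
    if not (other_write and other_search):
        # The situation in the thread: only the owner could create files, so
        # a process running as another user could not get a temp file.
        findings.append("not-usable-by-other-users")
    if other_write and not mode & stat.S_ISVTX:
        # World-writable without the sticky bit: any local user may rename or
        # delete files that belong to someone else in this directory.
        findings.append("world-writable-without-sticky-bit")
    return findings


def try_tmpfile(path):
    """Create and discard an anonymous temp file in `path`.

    Returns (True, None) on success or (False, errno_name) on failure, so the
    caller never goes on to use an undefined handle.
    """
    try:
        with tempfile.TemporaryFile(dir=path) as handle:
            handle.write(b"probe")
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))


def report(path):
    """Combine both checks into one line suitable for a startup log."""
    findings = audit_tmpdir(path)
    ok, err = try_tmpfile(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    status = "ok" if ok and not findings else "needs attention"
    return (
        f"{path}: mode {mode:04o}, tmpfile={'ok' if ok else err}, "
        f"findings={findings or 'none'} -> {status}"
    )


if __name__ == "__main__":
    print(report(tempfile.gettempdir()))
```

A directory that was 0755 and then had `o+w` applied reports `world-writable-without-sticky-bit`; setting it to `CONVENTIONAL_TMP_MODE` clears both findings.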
From email at ace.net.au Sat Aug 23 18:34:18 2008 From: email at ace.net.au (Peter Nitschke) Date: Sat Aug 23 18:34:49 2008 Subject: EXE Files Slipping Through In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA03CF69@HC-MBX02.herefordshire.gov.uk> References: <001e01c9051b$a0951330$e1bf3990$@bates@summitinvestment.com.au> <7EF0EE5CB3B263488C8C18823239BEBA03CF69@HC-MBX02.herefordshire.gov.uk> Message-ID: <200808240304180730.09A2E5F0@web.ace.net.au> I was catching them with SA too, but I just did a fresh PC install with MS, SA and everything using the Yum system, and it's catching them with clamav where my older but updated server isn't. Something with the way Clam is being used by the looks, but I don't have time to mess around to find out why. Peter *********** REPLY SEPARATOR *********** On 23/08/2008 at 2:24 PM Randal, Phil wrote: >But those are so easily caught by SpamAssassin! > >Which is what I resorted to doing. > >Cheers, > >Phil > >-----Original Message----- >From: mailscanner-bounces@lists.mailscanner.info >[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jon >Bates >Sent: 23 August 2008 13:28 >To: mailscanner@lists.mailscanner.info >Subject: EXE Files Slipping Through > >Im hoping someone can help me here. > >By using filename and filetype exceptions I've allowed myself to send >and receive .exe files. I've banned this for all other addresses though. >The reason for this is that it catches a huge amount of malware that >slips through Clamav/Sophos - at the moment its hundreds of "Fedex >tracking number" emails with a zipped exe attachment that aren't being >detected! > >My problem is when malware emails arrive which are addressed to me AS >WELL as other people - This means the infected email is actually >delivered to the other people on the email! Is this normal behaviour? >I'm smart enough not to open these emails, but other people are not! > >Is there any way to stop this behaviour without me losing my ability to >send/receive EXE files? 
> >Cheers! > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! From mark at msapiro.net Sat Aug 23 19:46:03 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sat Aug 23 19:46:18 2008 Subject: Message body lost when zip file quarantined In-Reply-To: <486D47F2.6050104@ecs.soton.ac.uk> References: <EMEW-k62M7R83824f738772de166a052e9e61740012-PC18702008070314030600150912edd5@msapiro> <486D47F2.6050104@ecs.soton.ac.uk> Message-ID: <48B05AEB.6090504@msapiro.net> On July 3, 2008, Julian Field wrote: > > > Mark Sapiro wrote: >> Julian Field wrote:> >> >>> Mark Sapiro wrote: >>> >>>>> MailScanner is scanning a message with an attached .zip archive which >>>>> contains a number of .bat and .bat.bak files, other files and even >>>>> another zip archive which contains a single .bat file. >>>>> >>>>> Mailscanner detects all the .bat and .bat.bak files in the zip files, >>>>> sends a notice appropriately, and delivers the message with the >>>>> attachment removed. All well and good. The problems are: >>>>> >>>>> 1) not only the original .zip is quarantined, but so also are the >>>>> individual .bat, .bat.bak and .zip files extracted from the original >>>>> .zip (other files in the .zip with OK names are not). This is not a >>>>> major issue, but makes looking in the quarantine difficult as one >>>>> doesn't know what files were separately attached and what files were >>>>> just in the .zip. 
>>>>> >>>>> 2) The more serious issue is the original message body is also removed >>>>> from the delivered message, and it is not stored anywhere. >>>>> >>>> So, is there some misconfiguration on my part that is causing the >>>> loss of the message body, or is this and the redundant files in >>>> quarantine the expected behavior? >>>> >>>> >>> Number 2 is the one that interests me. Please can you send me a >>> concrete example, preferably lifted straight out of a sendmail queue. >>> >> >> >> I use Postfix, not sendmail. >> >> Here's what I have: >> >> -The Postfix queue entry. >> -The raw message received via bcc without passing through MailScanner >> -The {Filename?} message delivered to the recipient after MailScanner >> -The notice sent as a result of 'Send Notices = yes' >> >> Which of these would you like (and may I send it/them off list)? >> > All of the above please. Send them zipped up to > mailscanner@ecs.soton.ac.uk. The files were sent on July 3 as requested. Has there been anything discovered or done about this? -- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Sat Aug 23 20:02:00 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sat Aug 23 20:02:10 2008 Subject: DSNs from bigfoot.com are quarantined Message-ID: <48B05EA8.3000508@msapiro.net> DSN's from bigfoot.com have the following structure ---------------------------------------------- Received: ... Date: ... From: ... Message-Id: ... To: ... 
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="200808230226058"
Subject: Returned mail: Requested action not taken: mailbox unavailable
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--200808230226058

text description of failure

--200808230226058
Content-Type: message/delivery-status

delivery status report

--200808230226058
Content-Type: message/partial

headers of original message

--200808230226058--
----------------------------------------------

When this message is scanned, Mailscanner reports

The following e-mails were found to have: Other Bad Content Detected

Sender: <>
IP Address: 211.115.216.225
Recipient: listname-bounces@example.com
Subject: Returned mail: Requested action not taken: mailbox unavailable
MessageID: 8ADB76900BB.E507A
Quarantine: /var/spool/MailScanner/quarantine/20080823/8ADB76900BB.E507A
Report: MailScanner: Fragmented messages cannot be scanned and are removed

and the message delivered to the recipient has "the entire message" removed and replaced with the attachment warning. If only the Content-Type: message/partial part were removed, it would still be possible for automated bounce recognition software to recognize the DSN. Is there some reason why the entire message needs to be removed and not just the message/partial part? -- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B.
Dylan

From hvdkooij at vanderkooij.org Sat Aug 23 20:34:06 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Aug 23 20:34:20 2008
Subject: Restricting message size per recipient
In-Reply-To: <5cf776b80808230532k4eaef8e0w66fb387e89f82f40@mail.gmail.com>
References: <5cf776b80808230532k4eaef8e0w66fb387e89f82f40@mail.gmail.com>
Message-ID: <48B0662E.4030301@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

mbneto wrote:
> I'd like to limit the size of the message sent/received by users based
> on the email address of that user. I can do this at MTA level but for
> all users.
>
> Can I do this from MailScanner? I'd like to set the maximum in my MTA
> and lower that limit for the rest of users.

Just create a ruleset to define limits you want to impose. Call it from
MailScanner like this:

Maximum Message Size = %rules-dir%/max.message.size.rules

Then define the limits per user as you see fit:

#To: *@domain1.com 10M
#To: *@domain2.com 20M
#From: user@domain3.com 5M
#From: *@domain3.com 500K

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIsGYsBvzDRVjxmYERAii5AJ43UX+uljk8am2Ur6NBcFMCpI+wJwCguUFU
DRAFjRmKGNQHXmibFDFJZgA=
=PARA
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sat Aug 23 20:39:44 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Aug 23 20:39:53 2008
Subject: DSNs from bigfoot.com are quarantined
In-Reply-To: <48B05EA8.3000508@msapiro.net>
References: <48B05EA8.3000508@msapiro.net>
Message-ID: <48B06780.5010604@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Sapiro wrote:
> DSN's from bigfoot.com have the following structure

I never liked bigfoot anyway.
But this is a rather stupid way of sending DSN messages. Maybe you should
tackle the problem by addressing bigfoot about this awkward behaviour.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIsGdJBvzDRVjxmYERAhp4AJ48MMTtKZThDFYoZ6gYeLQRYZjjtACfbLzt
8xj9Jn7sVwrz0iHf4c3Ggp0=
=QNJw
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Sun Aug 24 11:22:03 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 24 11:22:20 2008
Subject: Infinite Loop
In-Reply-To: <EMEW-k7MDmg48b33155e0499985783654808187e23e-BAY133-W5354C107095474A373C2EABC650@phx.gbl>
References: <BAY133-W544A07DCC859D843C398BCBC650@phx.gbl> <48AFF50E.9050800@vanderkooij.org> <BAY133-W23C7A9E01F07671096CC03BC650@phx.gbl> <EMEW-k7MDmg48b33155e0499985783654808187e23e-BAY133-W5354C107095474A373C2EABC650@phx.gbl>
Message-ID: <48B1364B.7010205@ecs.soton.ac.uk>

Caza Henha wrote:
> Hi Everyone,
>
> I seemed to have solved the problem with my own bit of perl debugging.
> I changed the line of code to
>
> $handle = IO::File->new_tmpfile or die "Unable to make new temporary
> file: $!";
>
> I'm not sure why the code is not like this in the first place as it
> seems to stall the program, however it returns "Invalid Argument". I
> checked the permissions on Ubuntu JeOS's tmp directory and it was
> only writable by root so I changed it by:
>
> sudo chmod o+w /tmp/

Your /tmp should be set to
chmod 1777 /tmp

The call to new_tmpfile should never fail unless there is something
wrong with your system, as was the case for you. I'm not wholly
convinced saying "Invalid Argument" is going to help anyone fix
anything, it's a pretty useless error message.
But I could add the "or die" I guess. The only difference is the error message that gets printed, I guess I will write a rather better error message than yours. How about this instead: $handle = IO::File->new_tmpfile or die "Your /tmp needs to be set to \"chmod 1755 /tmp\""; That would actually print something useful. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Aug 24 11:23:00 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 24 11:23:12 2008 Subject: Restricting message size per recipient In-Reply-To: <EMEW-k7MDZi32f2c3f92c467ca92be4cbd372b4d313-5cf776b80808230532k4eaef8e0w66fb387e89f82f40@mail.gmail.com> References: <EMEW-k7MDZi32f2c3f92c467ca92be4cbd372b4d313-5cf776b80808230532k4eaef8e0w66fb387e89f82f40@mail.gmail.com> Message-ID: <48B13684.80901@ecs.soton.ac.uk> Read about rulesets in any of the MailScanner documentation. You can use a ruleset to set the value of the maximum message size configuration setting. mbneto wrote: > Hi, > > I'd like to limit the size of the message sent/received by users based > on the email address of that user. I can do this at MTA level but > for all users. > > Can I do this from MailScanner? I'd like to set the maximum in my MTA > and lower that limit for the rest of users. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From paul.hutchings at mira.co.uk Sun Aug 24 13:07:44 2008 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Sun Aug 24 13:08:01 2008 Subject: vba32 problem with MailScanner --lint Message-ID: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk> Just trialling a few virus scanners, bitdefender, clamd, avg and vba32 are installed. Vba32 appears to be working if I test the wrapper: /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe +---------------------------------------------------+ | VirusBlokAda (Console scanner) | | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | | Copyright (c) 1993-2008 by VBA Ltd. | +---------------------------------------------------+ User: VBA32 Testlizenz License #000000324 Valid till 31.10.2008 Command line options: -af+ -ha+ -rw+ Ctrl-C will terminate program execution /tmp/malware/29.exe /tmp/malware/29.exe : infected Trojan-GameThief.Win32.OnLineGames.shie Directories : 0 Files in archives: Files on disks: Archives: - total : 0 - total : 1 - scanned : 0 - scanned : 0 - scanned : 1 - contain viruses : 0 - infected : 0 - infected : 1 - deleted : 0 - suspicious : 0 - suspicious : 0 Startup : 13:05:01 24-08-2008 End : 13:05:01 24-08-2008 Total time : 00:00:00 Yes when I run a lint with MailScanner it doesn't appear to output a string that MailScanner can take as meaning an infection has been found: MailScanner --lint Trying to setlogsock(unix) Read 850 hostnames from the phishing whitelist Read 5259 hostnames from the phishing blacklist Checking version numbers... 
Version installed (4.70.7) does not match version stated in MailScanner.conf file (4.70.6), you may want to run upgrade_MailScanner_conf to ensure your MailScanner.conf file contains all the latest settings. Your envelope_sender_header in spam.assassin.prefs.conf is correct. MailScanner setting GID to (89) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = posix MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32" Found these virus scanners installed: bitdefender, clamd, vba32, avg ======================================================================== === Virus and Content Scanning: Starting Avg: Virus identified EICAR_Test in eicar.com Virus Scanning: Avg found 1 infections 1/eicar.com:infected: EICAR-Test-File (not a virus) Virus Scanning: Bitdefender found 1 infections ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com Virus Scanning: Clamd found 1 infections Virus Scanning: vba32 found 1 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 1 viruses ======================================================================== === Virus Scanner test reports: Avg said "Found virus EICAR_Test in file eicar.com" Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com" Clamd said "eicar.com was infected: Eicar-Test-Signature" If any of your virus scanners (bitdefender,clamd,vba32,avg) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. Any suggestions please? -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 
402570 VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use
of the intended recipient. If you receive this e-mail in error, please
delete it and notify us either by e-mail, telephone or fax. You should
not copy, forward or otherwise disclose the content of the e-mail as
this is prohibited.

From hvdkooij at vanderkooij.org Sun Aug 24 13:14:20 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 24 13:14:30 2008
Subject: Development info?
Message-ID: <48B1509C.8050409@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The only bit I found on writing custom functions is
http://blog.fupps.com/2007/03/29/mailscanner-custom-functions-a-small-tutorial/

And the few bits in the MailScanner/CustomFunctions directory.

My aim is to write a custom function to detect links to executables and
such and mark them with some points. Then take it one level up and
pick up the samples for further analyses before they are taken offline
again.

The first bit can be done with just a few lines in SA just as well. It
is the second part that will help me get malware samples as soon as
possible that can not be done in SA.

Is there any additional information about writing MailScanner custom
functions? The return() part is a bit unclear to me. Because I think it
may vary on how you call upon the custom function.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIsVCZBvzDRVjxmYERAqB2AJ4uQJn24/+WK1eXJetnEGAJc8saggCeIemO v+cfFSrkVQQTbcZdgOwlYDE= =z2j/ -----END PGP SIGNATURE----- From jkf at ecs.soton.ac.uk Sun Aug 24 16:44:01 2008 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 24 16:47:10 2008 Subject: Message body lost when zip file quarantined In-Reply-To: <EMEW-k7MJp20064aba633de257a719d5b696aa247b8-48B05AEB.6090504@msapiro.net> References: <EMEW-k62M7R83824f738772de166a052e9e61740012-PC18702008070314030600150912edd5@msapiro> <486D47F2.6050104@ecs.soton.ac.uk> <EMEW-k7MJp20064aba633de257a719d5b696aa247b8-48B05AEB.6090504@msapiro.net> Message-ID: <57A410B1-046D-40E9-813F-B3D11A3927EB@ecs.soton.ac.uk> You shouldn't have left it that long! :-) Send them to me again, and I'll try to look at them this time. Sorry :-) -- Jules On 23 Aug 2008, at 19:46, Mark Sapiro <mark@msapiro.net> wrote: > On July 3, 2008, Julian Field wrote: >> >> >> Mark Sapiro wrote: >>> Julian Field wrote:> >>> >>>> Mark Sapiro wrote: >>>> >>>>>> MailScanner is scanning a message with an attached .zip archive >>>>>> which >>>>>> contains a number of .bat and .bat.bak files, other files and >>>>>> even >>>>>> another zip archive which contains a single .bat file. >>>>>> >>>>>> Mailscanner detects all the .bat and .bat.bak files in the zip >>>>>> files, >>>>>> sends a notice appropriately, and delivers the message with the >>>>>> attachment removed. All well and good. The problems are: >>>>>> >>>>>> 1) not only the original .zip is quarantined, but so also are the >>>>>> individual .bat, .bat.bak and .zip files extracted from the >>>>>> original >>>>>> .zip (other files in the .zip with OK names are not). This is >>>>>> not a >>>>>> major issue, but makes looking in the quarantine difficult as one >>>>>> doesn't know what files were separately attached and what files >>>>>> were >>>>>> just in the .zip. 
>>>>>> >>>>>> 2) The more serious issue is the original message body is also >>>>>> removed >>>>>> from the delivered message, and it is not stored anywhere. >>>>>> >>>>> So, is there some misconfiguration on my part that is causing the >>>>> loss of the message body, or is this and the redundant files in >>>>> quarantine the expected behavior? >>>>> >>>>> >>>> Number 2 is the one that interests me. Please can you send me a >>>> concrete example, preferably lifted straight out of a sendmail >>>> queue. >>>> >>> >>> >>> I use Postfix, not sendmail. >>> >>> Here's what I have: >>> >>> -The Postfix queue entry. >>> -The raw message received via bcc without passing through >>> MailScanner >>> -The {Filename?} message delivered to the recipient after >>> MailScanner >>> -The notice sent as a result of 'Send Notices = yes' >>> >>> Which of these would you like (and may I send it/them off list)? >>> >> All of the above please. Send them zipped up to >> mailscanner@ecs.soton.ac.uk. > > > The files were sent on July 3 as requested. Has there been anything > discovered or done about this? > > -- > Mark Sapiro <mark@msapiro.net> The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jkf at ecs.soton.ac.uk Sun Aug 24 16:55:55 2008 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 24 16:56:02 2008 Subject: Development info? 
In-Reply-To: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> Message-ID: <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk> A Custom Function is used to calculate the value of a configuration setting for any particular message. The return value from the function is just the value you want to use as the value of the configuration setting. So if you used a custom function to work out the value of Spam Actions, then a valid return value might be "store deliver" for example. It is usually a string, except for settings that have a yes or no value. No = 0 and yes = 1. That's about all there is to it. -- Jules On 24 Aug 2008, at 13:14, Hugo van der Kooij <hvdkooij@vanderkooij.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > The only bit I found on writing custom functions is > http://blog.fupps.com/2007/03/29/mailscanner-custom-functions-a-small-tutorial/ > > And the few bits in the MailScanner/CustomFunctions directory. > > My aim is to write a custom function to detect links to executables > and > such and mark then with some points. Then take it one level up and > pickup the samples for further analyses before they are taken > offline again. > > The first bit can be done with just few lines in SA just as well. > It is > the second part that will help me get malware samples as soon as > possible that can not be done in SA. > > Is there any addititional information about writing MailScanner custom > functions? The return() part is a bit unclear to me. Because I think > it > may vary on how you call upon the custom function. > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? 
Click on http://spamornot.org/ and rate those images.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFIsVCZBvzDRVjxmYERAqB2AJ4uQJn24/+WK1eXJetnEGAJc8saggCeIemO
> v+cfFSrkVQQTbcZdgOwlYDE=
> =z2j/
> -----END PGP SIGNATURE-----
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From steve.freegard at fsl.com Sun Aug 24 18:03:46 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Sun Aug 24 18:03:57 2008
Subject: Development info?
In-Reply-To: <48B1509C.8050409@vanderkooij.org>
References: <48B1509C.8050409@vanderkooij.org>
Message-ID: <48B19472.8010906@fsl.com>

Hi Hugo,

Hugo van der Kooij wrote:
> My aim is to write a custom function to detect links to executables and
> such and mark them with some points. Then take it one level up and
> pick up the samples for further analyses before they are taken offline again.
>
> The first bit can be done with just a few lines in SA just as well. It is
> the second part that will help me get malware samples as soon as
> possible that can not be done in SA.

I don't think you'd need a CustomFunction for either part of this - you
can do it all within SA and the latest version of MailScanner.

uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
score TRAP_LINK_EXEC 0.01
describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr

Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:

SpamAssassin Rule Actions = TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence

Cheers,
Steve.

From hvdkooij at vanderkooij.org Sun Aug 24 20:44:11 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 24 20:44:24 2008
Subject: Development info?
In-Reply-To: <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk>
References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk>
Message-ID: <48B1BA0B.5030007@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
> A Custom Function is used to calculate the value of a configuration
> setting for any particular message. The return value from the function
> is just the value you want to use as the value of the configuration
> setting. So if you used a custom function to work out the value of Spam
> Actions, then a valid return value might be "store deliver" for example.
> It is usually a string, except for settings that have a yes or no value.
> No = 0 and yes = 1.
>
> That's about all there is to it.

The odd thing is that I am looking into the GenericSpamScanner sample.

If I call the function from MailScanner like this:
Use Custom Spam Scanner = &SearchMalware

I was expecting it to behave differently from other functions. The
specific behaviour seems to be reserved for the actual function called
GenericSpamScanner.

Another issue is error reporting. The only error you get at startup is
about the last line that might be missing. But just about any mistake
will show that message. Can the error report be made more specific?

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIsboFBvzDRVjxmYERAqYJAKCxktAzVBXTT01xX+1SetISMq6XGgCbBVR2
6IczgLlMM+9QDaS0AIT99Wc=
=916b
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Aug 24 20:47:23 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 24 20:47:32 2008
Subject: Development info?
In-Reply-To: <48B19472.8010906@fsl.com>
References: <48B1509C.8050409@vanderkooij.org> <48B19472.8010906@fsl.com>
Message-ID: <48B1BACB.7050301@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Freegard wrote:
> Hi Hugo,
>
> Hugo van der Kooij wrote:
>> My aim is to write a custom function to detect links to executables and
>> such and mark them with some points. Then take it one level up and
>> pick up the samples for further analyses before they are taken offline
>> again.
>>
>> The first bit can be done with just a few lines in SA just as well. It is
>> the second part that will help me get malware samples as soon as
>> possible that can not be done in SA.
>
> I don't think you'd need a CustomFunction for either part of this - you
> can do it all within SA and the latest version of MailScanner.
>
> uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
> score TRAP_LINK_EXEC 0.01
> describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
>
> Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
>
> SpamAssassin Rule Actions =
> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence

That will store the URL but by the time I can look at that URL to fetch
the file the infected system might be cleaned out already. So I need to
automate this a bit further.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIsbrJBvzDRVjxmYERAu2vAKCQnd/JdZuhgeSmNB3MDgtb5K5LpQCdGOVI v817/3nTBD4A5kVZx6/RdL0= =hlfH -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Sun Aug 24 21:01:36 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 24 21:01:57 2008 Subject: Development info? In-Reply-To: <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk> <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> Message-ID: <48B1BE20.20406@ecs.soton.ac.uk> Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > >> A Custom Function is used to calculate the value of a configuration >> setting for any particular message. The return value from the function >> is just the value you want to use as the value of the configuration >> setting. So if you used a custom function to work out the value of Spam >> Actions, then a valid return value might be "store deliver" for example. >> It is usually a string, except for settings that have a yes or no value. >> No = 0 and yes = 1. >> >> That's about all there is to it. >> > > The odd thing is that I am looking into the GenericSpamScanner sample. > > If I call the function from MailScanner like this: > Use Custom Spam Scanner = &SearchMalware > No, that's not how it works. Read the docs for "Use Custom Spam Scanner" in MailScanner.conf, it tells you exactly how to implement it. This option "Use Custom Spam Scanner" is a simple yes/no result function, you want to set it to "yes" if you want to implement this feature. It's documented there, and explains exactly what to call the Custom Spam Scanner function, where to put it, what parameters it is passed and what it should return. 
There is even a complete example implementation for you. So please RTM :-) > I was expecting it to behave differently from other functions. The > specific behaviour seems to be reserved for the actual function called > GenericSpamScanner. > No, it's just a yes/no setting, as explained in MailScanner.conf. > Another issue is error reporting. The only error you get at startup is > about the last line tht might be missing. But just about any mistake > will show that message. Can the error report be made more specific? > I'm not sure I get much else passed back, but I will try to take a look at this to see if it can be improved. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Aug 24 21:12:16 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 24 21:12:40 2008 Subject: Development info? In-Reply-To: <EMEW-k7NL4Z42185ed12d263b5fb288c79c3a244fba-48B1BACB.7050301@vanderkooij.org> References: <48B1509C.8050409@vanderkooij.org> <48B19472.8010906@fsl.com> <EMEW-k7NL4Z42185ed12d263b5fb288c79c3a244fba-48B1BACB.7050301@vanderkooij.org> Message-ID: <48B1C0A0.6040107@ecs.soton.ac.uk> Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Steve Freegard wrote: > >> Hi Hugo, >> >> Hugo van der Kooij wrote: >> >>> My aim is to write a custom function to detect links to executables and >>> such and mark then with some points. Then take it one level up and >>> pickup the samples for further analyses before they are taken offline >>> again. >>> >>> The first bit can be done with just few lines in SA just as well. 
It is
>>> the second part that will help me get malware samples as soon as
>>> possible that can not be done in SA.
>>>
>> I don't think you'd need a CustomFunction for either part of this - you
>> can do it all within SA and the latest version of MailScanner.
>>
>> uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
>> score TRAP_LINK_EXEC 0.01
>> describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
>>
>> Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
>>
>> SpamAssassin Rule Actions =
>> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence
>>
>
> That will store the URL but by the time I can look at that URL to fetch
> the file the infected system might be cleaned out already. So I need to
> automate this a bit further.
>
How about a cron job that runs every few minutes, which does something
like this:

#!/bin/sh

if [ \! -f /tmp/MS.last.checked ]; then
  :> /tmp/MS.last.checked
fi
find /var/spool/MailScanner/evidence -type f -cnewer /tmp/MS.last.checked -print | xargs echo "New files are"
touch /tmp/MS.last.checked

This will print out "New files are" every time any new files are found
under the evidence directory structure, which you could change to mail
you an alert about them, for example, or do something like pull out
information from Received: headers to see where the files came from, or
whatever.

Run this script every few minutes, and it will send you mail every time
something new is generated.

Just a starting point, but hopefully you get the idea.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
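A variant of the polling job suggested in the message above, as an added example that is not part of the thread or of MailScanner. It swaps the `-cnewer` marker in `/tmp` for a manifest of paths already seen, kept in a private state directory, so a file that arrives while the scan is running is reported on the next run instead of being skipped, and it prints the topmost Received: header of each new file. The function names, the state directory layout and the assumption that stored evidence files are plain RFC 822 messages are all assumptions of this example.

```shell
#!/bin/sh
# Added example: list files that are new under a MailScanner evidence
# directory since the previous run. Names and paths here are assumptions.

# first_received FILE
# Print the topmost Received: header of a message, unfolded onto one line.
# Assumes FILE is a plain-text RFC 822 message (headers, blank line, body).
first_received() {
    awk '
        /^\r?$/ { exit }                      # blank line: end of headers
        inhdr && /^[ \t]/ {                   # folded continuation line
            sub(/^[ \t]+/, " "); hdr = hdr $0; next
        }
        inhdr { exit }                        # next header starts: done
        /^[Rr]eceived:/ { inhdr = 1; hdr = $0 }
        END { if (hdr != "") print hdr }
    ' "$1"
}

# new_evidence EVIDENCE_DIR STATE_DIR
# Print "path<TAB>first Received header" for every file not seen on the
# previous run. The first run reports everything already present.
# Paths are handled one per line, so a file name containing a newline
# would be split; other odd characters (spaces, quotes) are safe.
new_evidence() {
    ev=$1
    state=$2

    [ -d "$ev" ] || { echo "new_evidence: no directory $ev" >&2; return 2; }

    # Keep state in a private directory rather than a predictable name in
    # world-writable /tmp, and refuse one that is a symlink or not ours.
    ( umask 077; mkdir -p "$state" ) || return 2
    if [ -L "$state" ] || [ ! -O "$state" ]; then
        echo "new_evidence: refusing to use $state" >&2
        return 2
    fi

    seen=$state/seen.list
    now=$state/seen.list.$$

    [ -f "$seen" ] || ( umask 077; : > "$seen" ) || return 2

    # Snapshot the current file list, sorted bytewise so comm can diff it.
    ( umask 077; find "$ev" -type f -print | LC_ALL=C sort > "$now" ) || return 2

    # Lines only in the new snapshot are the newly arrived files.
    LC_ALL=C comm -13 "$seen" "$now" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(first_received "$f")"
    done

    # Replace the manifest in one step so an interrupted run changes nothing.
    mv -f "$now" "$seen"
}
```

Run from cron as `new_evidence /var/spool/MailScanner/evidence <state-dir>`, where the state directory is one only the cron user can write to; cron mails any output, so a quiet run sends nothing.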
From hvdkooij at vanderkooij.org Sun Aug 24 21:27:40 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Aug 24 21:27:48 2008 Subject: Development info? In-Reply-To: <48B1BE20.20406@ecs.soton.ac.uk> References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk> <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> <48B1BE20.20406@ecs.soton.ac.uk> Message-ID: <48B1C43C.2030007@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > > > Hugo van der Kooij wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Julian Field wrote: >> >>> A Custom Function is used to calculate the value of a configuration >>> setting for any particular message. The return value from the function >>> is just the value you want to use as the value of the configuration >>> setting. So if you used a custom function to work out the value of Spam >>> Actions, then a valid return value might be "store deliver" for example. >>> It is usually a string, except for settings that have a yes or no value. >>> No = 0 and yes = 1. >>> >>> That's about all there is to it. >>> >> >> The odd thing is that I am looking into the GenericSpamScanner sample. >> >> If I call the function from MailScanner like this: >> Use Custom Spam Scanner = &SearchMalware >> > No, that's not how it works. Read the docs for "Use Custom Spam Scanner" > in MailScanner.conf, it tells you exactly how to implement it. This > option "Use Custom Spam Scanner" is a simple yes/no result function, you > want to set it to "yes" if you want to implement this feature. It's > documented there, and explains exactly what to call the Custom Spam > Scanner function, where to put it, what parameters it is passed and what > it should return. There is even a complete example implementation for you. > > So please RTM :-) The point is that the function is static in it's name. 
And there is already a sample there. So if I want to write one myself
what will happen with an upgrade?

If I add a file I am sure it will be safe. But what if I decide to
exchange it for my own? Will I lose it on the next upgrade of
MailScanner?

That is the bit that convinced me I should be looking for another
function. MyExample.pm is almost fully comments only. But
GenericSpamScanner.pm is not. That would mean if I write my custom
function in my own file that I would get back a default (and
conflicting) one back with an upgrade. Last time I checked the
GenericSpamScanner.pm file is not marked as document so it will be
overwritten with an upgrade.

Perhaps it would be feasible to name the function any way I like it with
a new config option. Then the conflict would not be there. Or you ship
one fully commented out so there will be no conflicts by defining
GenericSpamScanner twice.

Either of these two solutions will do to prevent the upgrade nightmare.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIscQ6BvzDRVjxmYERAjZ9AJ4zxdgzJucs1HxBt4FrH4zmVUc2oQCfaMck
gXic0tmkDnQghRwyT4e6YNg=
=wYvp
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Sun Aug 24 21:28:19 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 24 21:28:44 2008
Subject: Development info?
In-Reply-To: <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk> <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> Message-ID: <48B1C463.1000509@ecs.soton.ac.uk> Hugo van der Kooij wrote: > > Another issue is error reporting. The only error you get at startup is > about the last line tht might be missing. But just about any mistake > will show that message. Can the error report be made more specific? > If you run MailScanner --lint you will get plenty of extra error reporting about your Custom Functions and why they won't compile. Take a look at this snippet of output I just tried, when I put a syntax error into MyExample.pm [root@alegria CustomFunctions]# perl -c MyExample.pm Number found where operator expected at MyExample.pm line 104, near "1" (Missing semicolon on previous line?) syntax error at MyExample.pm line 104, near "1" MyExample.pm had compilation errors. [root@alegria CustomFunctions]# MailScanner --lint Currently you are using no virus scanners. This is probably not what you want. In your /etc/MailScanner/MailScanner.conf file, set Virus Scanners = clamav Then download http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz Unpack it, "cd" into the directory and run ./install.sh Trying to setlogsock(unix) Skipping Custom Function file Internet.dk.pm.verold as its name does not end in .pm or .pl Number found where operator expected at /usr/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm line 104, near "1" (Missing semicolon on previous line?) Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it could not be "require"d. 
Make sure the last line of the file says "1;" at /usr/lib/MailScanner/MailScanner/Config.pm line 624 So as you see it prints out the Perl errors just above the "Could not use Custom Function code" line near the bottom. What more do you want me to add? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Sun Aug 24 21:40:14 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Aug 24 21:40:23 2008 Subject: Development info? In-Reply-To: <48B1C0A0.6040107@ecs.soton.ac.uk> References: <48B1509C.8050409@vanderkooij.org> <48B19472.8010906@fsl.com> <EMEW-k7NL4Z42185ed12d263b5fb288c79c3a244fba-48B1BACB.7050301@vanderkooij.org> <48B1C0A0.6040107@ecs.soton.ac.uk> Message-ID: <48B1C72E.3080008@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > > > Hugo van der Kooij wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Steve Freegard wrote: >> >>> Hi Hugo, >>> >>> Hugo van der Kooij wrote: >>> >>>> My aim is to write a custom function to detect links to executables and >>>> such and mark then with some points. Then take it one level up and >>>> pickup the samples for further analyses before they are taken offline >>>> again. >>>> >>>> The first bit can be done with just few lines in SA just as well. >>>> It is >>>> the second part that will help me get malware samples as soon as >>>> possible that can not be done in SA. >>>> >>> I don't think you'd need a CustomFunction for either part of this - you >>> can do it all within SA and the latest version of MailScanner. 
>>>
>>> uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
>>> score TRAP_LINK_EXEC 0.01
>>> describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
>>>
>>> Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
>>>
>>> SpamAssassin Rule Actions =
>>> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence
>>>
>>
>> That will store the URL but by the time I can look at that URL to fetch
>> the file the infected system might be cleaned out already. So I need to
>> automate this a bit further.
>>
>
> How about a cron job that runs every few minutes, which does something
> like this:
>
> #!/bin/sh
> if [ \! -f /tmp/MS.last.checked ]; then
>   :> /tmp/MS.last.checked
> fi
> find /var/spool/MailScanner/evidence -type f -cnewer \
>   /tmp/MS.last.checked -print | xargs echo "New files are"
> touch /tmp/MS.last.checked
>
> This will print out "New files are" every time any new files are found
> under the evidence directory structure, which you could change to mail
> you an alert about them, for example, or do something like pull out
> information from Received: headers to see where the files came from, or
> whatever.
>
> Run this script every few minutes, and it will send you mail every time
> something new is generated.
>
> Just a starting point, but hopefully you get the idea.

I get the idea. But the point is the message contains just something like:

<BODY bgColor=3D#ffffff>
<DIV align=3Dcenter><IMG alt=3D"" hspace=3D0=20
src=3D"http://img295.imageshack.us/img295/89/parishiltonvd4.jpg" =
align=3Dbaseline=20
border=3D0></DIV><DIV><FONT face=3DArial =
size=3D2></FONT> </DIV><DIV=20
align=3Dcenter><FONT face=3DArial size=3D5><A=20
href=3D"http://rdering.com/video_4.exe">Obtain =
Video</A></FONT></DIV></BODY></HTML>

However the exe file actually linked here will be there for only a short while in most cases. And I am not working 24/7 just to get a few samples if I can automate it. I have seen them missing in less than 5 minutes.
The main reason I want to get this in MailScanner and not in SA is because things will change. And I might want to employ other tricks in there to stop spam which may require tricks one cannot do in SA. Mind you that they are already playing with using partial encoding of normal ASCII characters.

Once the upgrade nightmare has a solution the use of the GenericSpamScanner is something I will explore further. After all it was intended to include other methods of spam checking besides SA.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIsccsBvzDRVjxmYERAnfgAKCS+3ocRQ3WSUeOZlduJQBIbQr5igCeOLpV
LmrO3HMgZNi/dbK07G+ZvKg=
=oi6o
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Aug 24 21:50:48 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 24 21:50:57 2008
Subject: Development info?
In-Reply-To: <48B1C463.1000509@ecs.soton.ac.uk>
References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk> <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> <48B1C463.1000509@ecs.soton.ac.uk>
Message-ID: <48B1C9A8.1070906@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it could
> not be "require"d. Make sure the last line of the file says "1;" at
> /usr/lib/MailScanner/MailScanner/Config.pm line 624

Without the debugging this is all you get. The error could be anything but this line points in a rather specific direction all the time.
Rewording this line to be more generic would push me sooner to looking at another section instead of that one line. Now I spend some time thinking whether or not an empty line could be the problem. While it was in fact a missing " somewhere else.

With fingers not always doing exactly what I want them to do I am used to finding typos in every line I write. But when an error points to something specific I start looking for the indicated error.

Rephrasing it in the next version will prevent such misunderstandings.

Hugo.

PS: I spotted and fixed 15 finger mismatches in this simple message before I did send it. Just curious how many I still missed.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIscmmBvzDRVjxmYERAtG/AKCMoXDZQfK0otNnVY9XoI7P738rBwCgr8fC
tDyJbFSNxwtj4VxwQqgYmjU=
=9Aue
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Sun Aug 24 21:51:11 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 24 21:51:30 2008
Subject: Development info?
In-Reply-To: <EMEW-k7NLYj94014c9f38121b328736cc2d1f20296c-48B1C43C.2030007@vanderkooij.org> References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk> <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> <48B1BE20.20406@ecs.soton.ac.uk> <EMEW-k7NLYj94014c9f38121b328736cc2d1f20296c-48B1C43C.2030007@vanderkooij.org> Message-ID: <48B1C9BF.8060107@ecs.soton.ac.uk> Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > >> Hugo van der Kooij wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Julian Field wrote: >>> >>> >>>> A Custom Function is used to calculate the value of a configuration >>>> setting for any particular message. The return value from the function >>>> is just the value you want to use as the value of the configuration >>>> setting. So if you used a custom function to work out the value of Spam >>>> Actions, then a valid return value might be "store deliver" for example. >>>> It is usually a string, except for settings that have a yes or no value. >>>> No = 0 and yes = 1. >>>> >>>> That's about all there is to it. >>>> >>>> >>> The odd thing is that I am looking into the GenericSpamScanner sample. >>> >>> If I call the function from MailScanner like this: >>> Use Custom Spam Scanner = &SearchMalware >>> >>> >> No, that's not how it works. Read the docs for "Use Custom Spam Scanner" >> in MailScanner.conf, it tells you exactly how to implement it. This >> option "Use Custom Spam Scanner" is a simple yes/no result function, you >> want to set it to "yes" if you want to implement this feature. It's >> documented there, and explains exactly what to call the Custom Spam >> Scanner function, where to put it, what parameters it is passed and what >> it should return. There is even a complete example implementation for you. 
>> >> So please RTM :-) >> > > The point is that the function is static in it's name. And there is > allready a sample there. So if I want to write one myself what will > happen with an upgrade? If I add a file I am sure it will be safe. But > what if I decide to exchange it for my own? Will I loose it on the next > upgrade of MailScanner. > No, you won't lose it. I thought of that :-) It's treated just as if it were a configuration file, so it is not replaced or modified if it has been changed at all by the user (you). > That is the bit that conviced me I should be looking for another function. > > MyExample.pm is almost fully comments only. But GenericSpamScanner.pm is > not. That would mean if I write my custom function in my own file that I > would get back a default (and conflicting) one back with an upgrade. > Not if you modify the GenericSpamScanner.pm file (by commenting out or deleting the example that's there now). > Last time I checked the GenericSpamScanner.pm file is not marked as > document so it will be overwritten with an upgrade. > Wrong. From the spec file: %config(noreplace) /usr/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm > Perhaps it would be feasable to name the function anyway I like it with > a new config option. Then the conflict would not be there. Or you ship > one fully commented out so there will be no conflicts by defining > GenericSpamScanner twice. > No need, as explained above. > Either of these two solutions will do to prevent the upgrade nightmare. > See above. Have faith :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
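Added example, not part of any list post: Hugo's sample body is quoted-printable with soft line breaks, and he notes that senders already partially encode ASCII characters, so a check run over stored evidence files has to decode the MIME part, HTML entities and percent-escapes before testing the extension. The sample message, the `example.invalid` hosts and every function name below are constructed for illustration; the extension list is the one from the TRAP_LINK_EXEC rule.

```python
"""Find links to executables in a stored mail message (triage aid)."""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Extensions taken from the TRAP_LINK_EXEC rule quoted in the thread.
EXEC_EXT = (".exe", ".pif", ".scr")

# Constructed sample: quoted-printable HTML with a soft line break inside one
# URL, a percent-escaped extension and an HTML-entity-escaped extension.
SAMPLE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff>
<DIV align=3Dcenter><IMG alt=3D"" hspace=3D0=20
src=3D"http://img.example.invalid/pic.jpg" border=3D0></DIV>
<A=20
href=3D"http://host-a.example.invalid/video_4.e=
xe">Obtain Video</A>
<A href=3D"http://host-b.example.invalid/clip.%65x%65?id=3D1">two</A>
<A href=3D"http://host-c.example.invalid/doc.&#115;cr">three</A>
<A href=3D"http://host-d.example.invalid/readme.html">four</A>
</BODY></HTML>
"""


class LinkCollector(HTMLParser):
    """Collect href/src values; HTMLParser unescapes entities in attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


def normalised_path(url):
    """Lower-cased URL path with percent-escapes undone (bounded passes)."""
    path = urlsplit(url).path
    for _ in range(3):  # also catches double encoding such as %2565xe
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def part_text(part):
    """Decoded text of a MIME part: transfer encoding first, then charset."""
    try:
        return part.get_content()
    except (LookupError, ValueError):  # unknown or broken charset label
        return (part.get_payload(decode=True) or b"").decode("latin-1")


def executable_links(raw_message):
    """Return http(s) links whose decoded path ends in an EXEC_EXT suffix."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part_text(part))
            collector.close()
            candidates = collector.links
        elif ctype == "text/plain":
            candidates = re.findall(r"https?://[^\s<>\"']+", part_text(part))
        else:
            continue
        for url in candidates:
            if not url.lower().startswith(("http://", "https://")):
                continue
            if normalised_path(url).endswith(EXEC_EXT) and url not in found:
                found.append(url)
    return found


def raw_grep(raw_message):
    """Plain regex over the undecoded file, shown for contrast."""
    pattern = rb"https?://\S+?\.(?:exe|pif|scr)\b"
    return re.findall(pattern, raw_message, re.IGNORECASE)


if __name__ == "__main__":
    print("decoded scan:", executable_links(SAMPLE))
    print("raw grep    :", raw_grep(SAMPLE))
```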
From ms-list at alexb.ch Sun Aug 24 22:07:45 2008 From: ms-list at alexb.ch (Alex Broens) Date: Sun Aug 24 22:07:59 2008 Subject: Development info? In-Reply-To: <48B1BACB.7050301@vanderkooij.org> References: <48B1509C.8050409@vanderkooij.org> <48B19472.8010906@fsl.com> <48B1BACB.7050301@vanderkooij.org> Message-ID: <48B1CDA1.7020909@alexb.ch> On 8/24/2008 9:47 PM, Hugo van der Kooij wrote: >> SpamAssassin Rule Actions = >> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence > > That will store the URL but by the time I can look at that URL to fetch > the file the infected system might be cleaned out allready. So I need to > automate this a bit further. Seems to me you want to do too much within MailScanner... I'd forward the msg with the malware URI to a separate account, process that account with procmail/ripmime/snersoft's "URI" tool/GET and bingo you have the malware to do whatever you want with it and you're very flexible. Alex From paul.hutchings at mira.co.uk Sun Aug 24 22:13:52 2008 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Sun Aug 24 22:14:11 2008 Subject: vba32 problem with MailScanner --lint References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk> Message-ID: <FF689DC51C3C1640BE668A0E31182AD004DB0DA6@mail03.mira.co.uk> Hmm something I noticed: When I first install Vba32 and run "MailScanner --lint" it's happy - "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is with Vba32 Linux 3.12.6.1. After the first update via "vbacl --update" the issue starts with MailScanner not picking up the output from vba32. At this point though, Vba32 has updated itself to Vba32 Linux 3.12.8.4. I guess something has changed in the Vba32 output with the later version that MailScanner isn't aware of? Any ideas if this is something I can change or if it's something Julian needs to change in the mailscanner code? 
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings Sent: 24 August 2008 13:08 To: MailScanner discussion Subject: vba32 problem with MailScanner --lint Just trialling a few virus scanners, bitdefender, clamd, avg and vba32 are installed. Vba32 appears to be working if I test the wrapper: /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe +---------------------------------------------------+ | VirusBlokAda (Console scanner) | | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | | Copyright (c) 1993-2008 by VBA Ltd. | +---------------------------------------------------+ User: VBA32 Testlizenz License #000000324 Valid till 31.10.2008 Command line options: -af+ -ha+ -rw+ Ctrl-C will terminate program execution /tmp/malware/29.exe /tmp/malware/29.exe : infected Trojan-GameThief.Win32.OnLineGames.shie Directories : 0 Files in archives: Files on disks: Archives: - total : 0 - total : 1 - scanned : 0 - scanned : 0 - scanned : 1 - contain viruses : 0 - infected : 0 - infected : 1 - deleted : 0 - suspicious : 0 - suspicious : 0 Startup : 13:05:01 24-08-2008 End : 13:05:01 24-08-2008 Total time : 00:00:00 Yes when I run a lint with MailScanner it doesn't appear to output a string that MailScanner can take as meaning an infection has been found: MailScanner --lint Trying to setlogsock(unix) Read 850 hostnames from the phishing whitelist Read 5259 hostnames from the phishing blacklist Checking version numbers... Version installed (4.70.7) does not match version stated in MailScanner.conf file (4.70.6), you may want to run upgrade_MailScanner_conf to ensure your MailScanner.conf file contains all the latest settings. Your envelope_sender_header in spam.assassin.prefs.conf is correct. MailScanner setting GID to (89) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... 
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = posix MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32" Found these virus scanners installed: bitdefender, clamd, vba32, avg ======================================================================== === Virus and Content Scanning: Starting Avg: Virus identified EICAR_Test in eicar.com Virus Scanning: Avg found 1 infections 1/eicar.com:infected: EICAR-Test-File (not a virus) Virus Scanning: Bitdefender found 1 infections ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com Virus Scanning: Clamd found 1 infections Virus Scanning: vba32 found 1 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 1 viruses ======================================================================== === Virus Scanner test reports: Avg said "Found virus EICAR_Test in file eicar.com" Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com" Clamd said "eicar.com was infected: Eicar-Test-Signature" If any of your virus scanners (bitdefender,clamd,vba32,avg) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. Any suggestions please? -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. 
-- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From MailScanner at ecs.soton.ac.uk Sun Aug 24 22:15:02 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 24 22:15:22 2008 Subject: Development info? In-Reply-To: <EMEW-k7NLxM127b92643464a68c10a5aee65d88c687-48B1C9A8.1070906@vanderkooij.org> References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk> <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> <48B1C463.1000509@ecs.soton.ac.uk> <EMEW-k7NLxM127b92643464a68c10a5aee65d88c687-48B1C9A8.1070906@vanderkooij.org> Message-ID: <48B1CF56.3060008@ecs.soton.ac.uk> Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > > >> /usr/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it could >> not be "require"d. Make sure the last line of the file says "1;" at >> /usr/lib/MailScanner/MailScanner/Config.pm line 624 >> > > Without the debugging this is all you get. The error could be anything > but this line points in a rather specific direction al the time. > > Rewording this line to be more generic would push me sooner to looking > at another section instead of that one line. Now I spend some time > thinking wether or not an empty line could be the problem. 
While it was > in fact a missing " somewhere else. > I think requiring you to do a "MailScanner --lint" to check the syntax of your Custom Functions is okay. > With fingers not always doing exactly what I want them to do I am used > to finding typo's in every line I write. But when an error points to > something specific I start looking for the indicated error. > > Rephrasing it in the next version will prevent such misunderstandings. > Suggested wording? > Hugo. > > PS: I spotted and fixed 15 finger mismatches in this simple message > before I did send it. Just curious how many I still missed. > Learn to type more accurately? :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Aug 24 22:30:00 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 24 22:30:20 2008 Subject: vba32 problem with MailScanner --lint In-Reply-To: <EMEW-k7NMNQ74d933a1939230307e4d6c8ae3fac15a-FF689DC51C3C1640BE668A0E31182AD004DB0DA6@mail03.mira.co.uk> References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk> <EMEW-k7NMNQ74d933a1939230307e4d6c8ae3fac15a-FF689DC51C3C1640BE668A0E31182AD004DB0DA6@mail03.mira.co.uk> Message-ID: <48B1D2D8.702@ecs.soton.ac.uk> Aha, thanks for that, it will help me diagnose the problem. It's really something I need to take a look at. Could you put a copy of eicar.com in /tmp and run something like this cd /tmp /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl . And show me the output both before and after the "vbacl --update" has changed the version of vba32 you have installed. 
I need to handle both the old and the new outputs. Thanks. Paul Hutchings wrote: > Hmm something I noticed: > > When I first install Vba32 and run "MailScanner --lint" it's happy - > "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is with > Vba32 Linux 3.12.6.1. > > After the first update via "vbacl --update" the issue starts with > MailScanner not picking up the output from vba32. > > At this point though, Vba32 has updated itself to Vba32 Linux 3.12.8.4. > > I guess something has changed in the Vba32 output with the later version > that MailScanner isn't aware of? > > Any ideas if this is something I can change or if it's something Julian > needs to change in the mailscanner code? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul > Hutchings > Sent: 24 August 2008 13:08 > To: MailScanner discussion > Subject: vba32 problem with MailScanner --lint > > Just trialling a few virus scanners, bitdefender, clamd, avg and vba32 > are installed. > > Vba32 appears to be working if I test the wrapper: > > /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe > +---------------------------------------------------+ > | VirusBlokAda (Console scanner) | > | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | > | Copyright (c) 1993-2008 by VBA Ltd. 
| > +---------------------------------------------------+ > User: VBA32 Testlizenz > License #000000324 Valid till 31.10.2008 > Command line options: > -af+ -ha+ -rw+ > Ctrl-C will terminate program execution > > /tmp/malware/29.exe > /tmp/malware/29.exe : infected Trojan-GameThief.Win32.OnLineGames.shie > > Directories : 0 Files in archives: Files on disks: > Archives: - total : 0 - total : 1 > - scanned : 0 - scanned : 0 - scanned : 1 > - contain viruses : 0 - infected : 0 - infected : 1 > - deleted : 0 - suspicious : 0 - suspicious : 0 > > Startup : 13:05:01 24-08-2008 > End : 13:05:01 24-08-2008 > Total time : 00:00:00 > > Yes when I run a lint with MailScanner it doesn't appear to output a > string that MailScanner can take as meaning an infection has been found: > > MailScanner --lint > Trying to setlogsock(unix) > Read 850 hostnames from the phishing whitelist > Read 5259 hostnames from the phishing blacklist > Checking version numbers... > Version installed (4.70.7) does not match version stated in > MailScanner.conf file (4.70.6), you may want to run > upgrade_MailScanner_conf > to ensure your MailScanner.conf file contains all the latest settings. > > Your envelope_sender_header in spam.assassin.prefs.conf is correct. > MailScanner setting GID to (89) > MailScanner setting UID to (89) > > Checking for SpamAssassin errors (if you use it)... > SpamAssassin temporary working directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin temp dir = > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. 
> Using locktype = posix > MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32" > Found these virus scanners installed: bitdefender, clamd, vba32, avg > ======================================================================== > === > Virus and Content Scanning: Starting > Avg: Virus identified EICAR_Test in eicar.com > Virus Scanning: Avg found 1 infections > 1/eicar.com:infected: EICAR-Test-File (not a virus) > Virus Scanning: Bitdefender found 1 infections > ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com > Virus Scanning: Clamd found 1 infections > Virus Scanning: vba32 found 1 infections > Infected message 1 came from 10.1.1.1 > Virus Scanning: Found 1 viruses > ======================================================================== > === > Virus Scanner test reports: > Avg said "Found virus EICAR_Test in file eicar.com" > Bitdefender said "Found virus EICAR-Test-File (not a virus) in file > eicar.com" > Clamd said "eicar.com was infected: Eicar-Test-Signature" > > If any of your virus scanners (bitdefender,clamd,vba32,avg) > are not listed there, you should check that they are installed correctly > and that MailScanner is finding them correctly via its > virus.scanners.conf. > > Any suggestions please? > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From j2 at mupp.net Sun Aug 24 22:30:28 2008 From: j2 at mupp.net (Jan Johansson) Date: Sun Aug 24 22:31:21 2008 Subject: Mailscanner (or rather clam AV) tagging some messages as "other infection". 
Message-ID: <9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local>

(sorry for any re-post, but I have been having some issues. Thanks Julian for helping me out!)

I have some mails being rejected as "other infection" and I cannot for the life of me see why that is. Nothing in the logs suggests the REAL problem to me. Is it possible to disable this check, and simply NOT trigger on "other infection"?

--
This message has been checked for viruses and harmful content by MailScanner and is believed to be safe.

From jkf at ecs.soton.ac.uk Sun Aug 24 22:46:11 2008
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 24 22:46:17 2008
Subject: vba32 problem with MailScanner --lint
In-Reply-To: <EMEW-k7NMeG8b70d182a5f3bfee9a02ce635720d7e1-48B1D2D8.702@ecs.soton.ac.uk>
References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk> <EMEW-k7NMNQ74d933a1939230307e4d6c8ae3fac15a-FF689DC51C3C1640BE668A0E31182AD004DB0DA6@mail03.mira.co.uk> <EMEW-k7NMeG8b70d182a5f3bfee9a02ce635720d7e1-48B1D2D8.702@ecs.soton.ac.uk>
Message-ID: <8D26BA77-1C47-4F65-8EBA-3B31D26CB578@ecs.soton.ac.uk>

On 24 Aug 2008, at 22:30, Julian Field <MailScanner@ecs.soton.ac.uk> wrote:

> Aha, thanks for that, it will help me diagnose the problem.
> It's really something I need to take a look at.
>
> Could you put a copy of eicar.com in /tmp and run something like this
> cd /tmp
> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl .

Don't forget the " ." on the end of that command!

>
>
> And show me the output both before and after the "vbacl --update"
> has changed the version of vba32 you have installed. I need to
> handle both the old and the new outputs.
>
> Thanks.
>
> Paul Hutchings wrote:
>> Hmm something I noticed:
>>
>> When I first install Vba32 and run "MailScanner --lint" it's happy -
>> "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is
>> with
>> Vba32 Linux 3.12.6.1.
>> >> After the first update via "vbacl --update" the issue starts with >> MailScanner not picking up the output from vba32. >> >> At this point though, Vba32 has updated itself to Vba32 Linux >> 3.12.8.4. >> >> I guess something has changed in the Vba32 output with the later >> version >> that MailScanner isn't aware of? >> >> Any ideas if this is something I can change or if it's something >> Julian >> needs to change in the mailscanner code? >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul >> Hutchings >> Sent: 24 August 2008 13:08 >> To: MailScanner discussion >> Subject: vba32 problem with MailScanner --lint >> >> Just trialling a few virus scanners, bitdefender, clamd, avg and >> vba32 >> are installed. >> >> Vba32 appears to be working if I test the wrapper: >> >> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe >> +---------------------------------------------------+ >> | VirusBlokAda (Console scanner) | >> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | >> | Copyright (c) 1993-2008 by VBA Ltd. 
| >> +---------------------------------------------------+ >> User: VBA32 Testlizenz >> License #000000324 Valid till 31.10.2008 >> Command line options: >> -af+ -ha+ -rw+ >> Ctrl-C will terminate program execution >> >> /tmp/malware/29.exe >> /tmp/malware/29.exe : infected Trojan- >> GameThief.Win32.OnLineGames.shie >> >> Directories : 0 Files in archives: Files on disks: >> Archives: - total : 0 - total : 1 >> - scanned : 0 - scanned : 0 - scanned : 1 >> - contain viruses : 0 - infected : 0 - infected : 1 >> - deleted : 0 - suspicious : 0 - suspicious : 0 >> >> Startup : 13:05:01 24-08-2008 >> End : 13:05:01 24-08-2008 >> Total time : 00:00:00 >> >> Yes when I run a lint with MailScanner it doesn't appear to output a >> string that MailScanner can take as meaning an infection has been >> found: >> >> MailScanner --lint >> Trying to setlogsock(unix) >> Read 850 hostnames from the phishing whitelist >> Read 5259 hostnames from the phishing blacklist >> Checking version numbers... >> Version installed (4.70.7) does not match version stated in >> MailScanner.conf file (4.70.6), you may want to run >> upgrade_MailScanner_conf >> to ensure your MailScanner.conf file contains all the latest >> settings. >> >> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >> MailScanner setting GID to (89) >> MailScanner setting UID to (89) >> >> Checking for SpamAssassin errors (if you use it)... >> SpamAssassin temporary working directory is >> /var/spool/MailScanner/incoming/SpamAssassin-Temp >> SpamAssassin temp dir = >> /var/spool/MailScanner/incoming/SpamAssassin-Temp >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> SpamAssassin reported no errors. 
>> Using locktype = posix >> MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32" >> Found these virus scanners installed: bitdefender, clamd, vba32, avg >> === >> ===================================================================== >> === >> Virus and Content Scanning: Starting >> Avg: Virus identified EICAR_Test in eicar.com >> Virus Scanning: Avg found 1 infections >> 1/eicar.com:infected: EICAR-Test-File (not a virus) >> Virus Scanning: Bitdefender found 1 infections >> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 1 infections >> Virus Scanning: vba32 found 1 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 1 viruses >> === >> ===================================================================== >> === >> Virus Scanner test reports: >> Avg said "Found virus EICAR_Test in file eicar.com" >> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file >> eicar.com" >> Clamd said "eicar.com was infected: Eicar-Test-Signature" >> >> If any of your virus scanners (bitdefender,clamd,vba32,avg) >> are not listed there, you should check that they are installed >> correctly >> and that MailScanner is finding them correctly via its >> virus.scanners.conf. >> >> Any suggestions please? >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From paul.hutchings at mira.co.uk Sun Aug 24 23:04:51 2008 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Sun Aug 24 23:05:07 2008 Subject: vba32 problem with MailScanner --lint References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk><EMEW-k7NMNQ74d933a1939230307e4d6c8ae3fac15a-FF689DC51C3C1640BE668A0E31182AD004DB0DA6@mail03.mira.co.uk> <48B1D2D8.702@ecs.soton.ac.uk> Message-ID: <FF689DC51C3C1640BE668A0E31182AD004DB0DA7@mail03.mira.co.uk> Sure, the output *looks* the same though. FWIW it can be downloaded and run without a trial license key from the vba32 forum. Before: /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/eicar.com +---------------------------------------------------+ | VirusBlokAda (Console scanner) | | Vba32 Linux 3.12.6.1 / 2008.02.15 12:56 (Vba32.L) | | Copyright (c) 1993-2008 by VBA Ltd. 
| +---------------------------------------------------+ Key file not found Demo mode Command line options: -af+ -ha+ -rw+ Ctrl-C will terminate program execution /tmp/eicar.com /tmp/eicar.com : infected EICAR-Test-File Directories : 0 Files in archives: Files on disks: Archives: - total : 0 - total : 1 - scanned : 0 - scanned : 0 - scanned : 1 - contain viruses : 0 - infected : 0 - infected : 1 - deleted : 0 - suspicious : 0 - suspicious : 0 Startup : 22:59:41 24-08-2008 End : 22:59:41 24-08-2008 Total time : 00:00:00 And after: /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/eicar.com +---------------------------------------------------+ | VirusBlokAda (Console scanner) | | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | | Copyright (c) 1993-2008 by VBA Ltd. | +---------------------------------------------------+ Key file not found Demo mode Command line options: -af+ -ha+ -rw+ Ctrl-C will terminate program execution /tmp/eicar.com /tmp/eicar.com : infected EICAR-Test-File Directories : 0 Files in archives: Files on disks: Archives: - total : 0 - total : 1 - scanned : 0 - scanned : 0 - scanned : 1 - contain viruses : 0 - infected : 0 - infected : 1 - deleted : 0 - suspicious : 0 - suspicious : 0 Startup : 23:01:35 24-08-2008 End : 23:01:36 24-08-2008 Total time : 00:00:01 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 24 August 2008 22:30 To: MailScanner discussion Subject: Re: vba32 problem with MailScanner --lint Aha, thanks for that, it will help me diagnose the problem. It's really something I need to take a look at. Could you put a copy of eicar.com in /tmp and run something like this cd /tmp /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl . And show me the output both before and after the "vbacl --update" has changed the version of vba32 you have installed. I need to handle both the old and the new outputs. Thanks. 
Paul Hutchings wrote: > Hmm something I noticed: > > When I first install Vba32 and run "MailScanner --lint" it's happy - > "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is with > Vba32 Linux 3.12.6.1. > > After the first update via "vbacl --update" the issue starts with > MailScanner not picking up the output from vba32. > > At this point though, Vba32 has updated itself to Vba32 Linux 3.12.8.4. > > I guess something has changed in the Vba32 output with the later version > that MailScanner isn't aware of? > > Any ideas if this is something I can change or if it's something Julian > needs to change in the mailscanner code? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul > Hutchings > Sent: 24 August 2008 13:08 > To: MailScanner discussion > Subject: vba32 problem with MailScanner --lint > > Just trialling a few virus scanners, bitdefender, clamd, avg and vba32 > are installed. > > Vba32 appears to be working if I test the wrapper: > > /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe > +---------------------------------------------------+ > | VirusBlokAda (Console scanner) | > | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | > | Copyright (c) 1993-2008 by VBA Ltd. 
| > +---------------------------------------------------+ > User: VBA32 Testlizenz > License #000000324 Valid till 31.10.2008 > Command line options: > -af+ -ha+ -rw+ > Ctrl-C will terminate program execution > > /tmp/malware/29.exe > /tmp/malware/29.exe : infected Trojan-GameThief.Win32.OnLineGames.shie > > Directories : 0 Files in archives: Files on disks: > Archives: - total : 0 - total : 1 > - scanned : 0 - scanned : 0 - scanned : 1 > - contain viruses : 0 - infected : 0 - infected : 1 > - deleted : 0 - suspicious : 0 - suspicious : 0 > > Startup : 13:05:01 24-08-2008 > End : 13:05:01 24-08-2008 > Total time : 00:00:00 > > Yes when I run a lint with MailScanner it doesn't appear to output a > string that MailScanner can take as meaning an infection has been found: > > MailScanner --lint > Trying to setlogsock(unix) > Read 850 hostnames from the phishing whitelist > Read 5259 hostnames from the phishing blacklist > Checking version numbers... > Version installed (4.70.7) does not match version stated in > MailScanner.conf file (4.70.6), you may want to run > upgrade_MailScanner_conf > to ensure your MailScanner.conf file contains all the latest settings. > > Your envelope_sender_header in spam.assassin.prefs.conf is correct. > MailScanner setting GID to (89) > MailScanner setting UID to (89) > > Checking for SpamAssassin errors (if you use it)... > SpamAssassin temporary working directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin temp dir = > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. 
> Using locktype = posix > MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32" > Found these virus scanners installed: bitdefender, clamd, vba32, avg > ======================================================================== > === > Virus and Content Scanning: Starting > Avg: Virus identified EICAR_Test in eicar.com > Virus Scanning: Avg found 1 infections > 1/eicar.com:infected: EICAR-Test-File (not a virus) > Virus Scanning: Bitdefender found 1 infections > ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com > Virus Scanning: Clamd found 1 infections > Virus Scanning: vba32 found 1 infections > Infected message 1 came from 10.1.1.1 > Virus Scanning: Found 1 viruses > ======================================================================== > === > Virus Scanner test reports: > Avg said "Found virus EICAR_Test in file eicar.com" > Bitdefender said "Found virus EICAR-Test-File (not a virus) in file > eicar.com" > Clamd said "eicar.com was infected: Eicar-Test-Signature" > > If any of your virus scanners (bitdefender,clamd,vba32,avg) > are not listed there, you should check that they are installed correctly > and that MailScanner is finding them correctly via its > virus.scanners.conf. > > Any suggestions please? > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
-- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From paul.hutchings at mira.co.uk Sun Aug 24 23:08:43 2008 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Sun Aug 24 23:09:03 2008 Subject: vba32 problem with MailScanner --lint References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk><EMEW-k7NMNQ74d933a1939230307e4d6c8ae3fac15a-FF689DC51C3C1640BE668A0E31182AD004DB0DA6@mail03.mira.co.uk><EMEW-k7NMeG8b70d182a5f3bfee9a02ce635720d7e1-48B1D2D8.702@ecs.soton.ac.uk> <8D26BA77-1C47-4F65-8EBA-3B31D26CB578@ecs.soton.ac.uk> Message-ID: <FF689DC51C3C1640BE668A0E31182AD004DB0DA8@mail03.mira.co.uk> Just realised I ran a different thing to what you asked. Looks like it all comes down to a "." Without update: +---------------------------------------------------+ | VirusBlokAda (Console scanner) | | Vba32 Linux 3.12.6.1 / 2008.02.15 12:56 (Vba32.L) | | Copyright (c) 1993-2008 by VBA Ltd. | +---------------------------------------------------+ Key file not found Demo mode Command line options: -af+ -ha+ -rw+ Ctrl-C will terminate program execution . ./eicar.com : infected EICAR-Test-File Directories : 1 Files in archives: Files on disks: Archives: - total : 0 - total : 1 - scanned : 0 - scanned : 0 - scanned : 1 - contain viruses : 0 - infected : 0 - infected : 1 - deleted : 0 - suspicious : 0 - suspicious : 0 Startup : 23:07:40 24-08-2008 End : 23:07:41 24-08-2008 Total time : 00:00:01 With update: /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl . 
+---------------------------------------------------+ | VirusBlokAda (Console scanner) | | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | | Copyright (c) 1993-2008 by VBA Ltd. | +---------------------------------------------------+ Key file not found Demo mode Command line options: -af+ -ha+ -rw+ Ctrl-C will terminate program execution . /tmp/eicar/eicar.com : infected EICAR-Test-File Directories : 1 Files in archives: Files on disks: Archives: - total : 0 - total : 1 - scanned : 0 - scanned : 0 - scanned : 1 - contain viruses : 0 - infected : 0 - infected : 1 - deleted : 0 - suspicious : 0 - suspicious : 0 Startup : 23:06:00 24-08-2008 End : 23:06:00 24-08-2008 Total time : 00:00:00 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 24 August 2008 22:46 To: MailScanner discussion Subject: Re: vba32 problem with MailScanner --lint On 24 Aug 2008, at 22:30, Julian Field <MailScanner@ecs.soton.ac.uk> wrote: > Aha, thanks for that, it will help me diagnose the problem. > It's really something I need to take a look at. > > Could you put a copy of eicar.com in /tmp and run something like this > cd /tmp > /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl . Don't forget the " ." on the end of that command! > > > And show me the output both before and after the "vbacl --update" > has changed the version of vba32 you have installed. I need to > handle both the old and the new outputs. > > Thanks. > > Paul Hutchings wrote: >> Hmm something I noticed: >> >> When I first install Vba32 and run "MailScanner --lint" it's happy - >> "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is >> with >> Vba32 Linux 3.12.6.1. >> >> After the first update via "vbacl --update" the issue starts with >> MailScanner not picking up the output from vba32. >> >> At this point though, Vba32 has updated itself to Vba32 Linux >> 3.12.8.4. 
>> >> I guess something has changed in the Vba32 output with the later >> version >> that MailScanner isn't aware of? >> >> Any ideas if this is something I can change or if it's something >> Julian >> needs to change in the mailscanner code? >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul >> Hutchings >> Sent: 24 August 2008 13:08 >> To: MailScanner discussion >> Subject: vba32 problem with MailScanner --lint >> >> Just trialling a few virus scanners, bitdefender, clamd, avg and >> vba32 >> are installed. >> >> Vba32 appears to be working if I test the wrapper: >> >> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe >> +---------------------------------------------------+ >> | VirusBlokAda (Console scanner) | >> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | >> | Copyright (c) 1993-2008 by VBA Ltd. | >> +---------------------------------------------------+ >> User: VBA32 Testlizenz >> License #000000324 Valid till 31.10.2008 >> Command line options: >> -af+ -ha+ -rw+ >> Ctrl-C will terminate program execution >> >> /tmp/malware/29.exe >> /tmp/malware/29.exe : infected Trojan- >> GameThief.Win32.OnLineGames.shie >> >> Directories : 0 Files in archives: Files on disks: >> Archives: - total : 0 - total : 1 >> - scanned : 0 - scanned : 0 - scanned : 1 >> - contain viruses : 0 - infected : 0 - infected : 1 >> - deleted : 0 - suspicious : 0 - suspicious : 0 >> >> Startup : 13:05:01 24-08-2008 >> End : 13:05:01 24-08-2008 >> Total time : 00:00:00 >> >> Yes when I run a lint with MailScanner it doesn't appear to output a >> string that MailScanner can take as meaning an infection has been >> found: >> >> MailScanner --lint >> Trying to setlogsock(unix) >> Read 850 hostnames from the phishing whitelist >> Read 5259 hostnames from the phishing blacklist >> Checking version numbers... 
>> Version installed (4.70.7) does not match version stated in >> MailScanner.conf file (4.70.6), you may want to run >> upgrade_MailScanner_conf >> to ensure your MailScanner.conf file contains all the latest >> settings. >> >> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >> MailScanner setting GID to (89) >> MailScanner setting UID to (89) >> >> Checking for SpamAssassin errors (if you use it)... >> SpamAssassin temporary working directory is >> /var/spool/MailScanner/incoming/SpamAssassin-Temp >> SpamAssassin temp dir = >> /var/spool/MailScanner/incoming/SpamAssassin-Temp >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> SpamAssassin reported no errors. >> Using locktype = posix >> MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32" >> Found these virus scanners installed: bitdefender, clamd, vba32, avg >> === >> ===================================================================== >> === >> Virus and Content Scanning: Starting >> Avg: Virus identified EICAR_Test in eicar.com >> Virus Scanning: Avg found 1 infections >> 1/eicar.com:infected: EICAR-Test-File (not a virus) >> Virus Scanning: Bitdefender found 1 infections >> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 1 infections >> Virus Scanning: vba32 found 1 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 1 viruses >> === >> ===================================================================== >> === >> Virus Scanner test reports: >> Avg said "Found virus EICAR_Test in file eicar.com" >> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file >> eicar.com" >> Clamd said "eicar.com was infected: Eicar-Test-Signature" >> >> If any of your virus scanners (bitdefender,clamd,vba32,avg) >> are not listed there, you should check that they are installed >> correctly >> and that MailScanner is finding them correctly via its >> virus.scanners.conf. 
>> >> Any suggestions please? >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. 
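The two transcripts above differ only in the path on the report line: 3.12.6.1 prints `./eicar.com`, 3.12.8.4 prints `/tmp/eicar/eicar.com`. The following is an added example, not part of the thread and not MailScanner's own code, showing one way a wrapper parser can accept both forms and notice when an infection is counted but not attributed to a file. The function names, the `relative_only` stand-in and the reflowed sample transcripts are assumptions constructed for illustration.

```python
import posixpath
import re

# Report line printed by vbacl in the transcripts: "<path> : infected <name>".
REPORT_RE = re.compile(r"^(?P<path>\S.*?)\s+:\s+infected\s+(?P<name>\S.*?)\s*$")
# Summary counters such as "- infected : 1" (archives and files-on-disk columns).
SUMMARY_RE = re.compile(r"-\s+infected\s+:\s+(\d+)")


def relative_only(line):
    """Hypothetical matcher that assumes a leading "./" (not MailScanner's pattern)."""
    m = re.match(r"^\./(\S.*?)\s+:\s+infected\s+(\S.*?)\s*$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def to_scan_relative(path, scan_dir):
    """Return path relative to scan_dir, or None when it lies outside it."""
    base = posixpath.normpath(scan_dir)
    # join() keeps an absolute path as-is and anchors a relative one at base.
    full = posixpath.normpath(posixpath.join(base, path))
    prefix = base.rstrip("/") + "/"
    if not full.startswith(prefix):
        return None
    return full[len(prefix):]


def parse_vba32_output(output, scan_dir):
    """Collect (relative_path, virus_name) pairs from old- and new-style output."""
    findings, rejected, summary_infected = [], [], 0
    for raw in output.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if not m:
            summary_infected += sum(int(n) for n in SUMMARY_RE.findall(line))
            continue
        rel = to_scan_relative(m.group("path"), scan_dir)
        if rel is None:
            rejected.append(line)  # path outside the directory that was scanned
        else:
            findings.append((rel, m.group("name")))
    return {
        "findings": findings,
        "rejected": rejected,
        "summary_infected": summary_infected,
        # The symptom in the thread: an infection is counted, no file is named.
        "silent_miss": summary_infected > 0 and not findings,
    }


# Constructed samples: transcripts from the thread, banner shortened and
# whitespace reflowed. The scan directory /tmp/eicar is taken from the
# absolute path in the 3.12.8.4 output.
SUMMARY_TAIL = """
 Directories        : 1  Files in archives:     Files on disks:
 Archives:               - total      : 0       - total      : 1
  - scanned         : 0  - scanned    : 0       - scanned    : 1
  - contain viruses : 0  - infected   : 0       - infected   : 1
  - deleted         : 0  - suspicious : 0       - suspicious : 0
"""
OLD_OUTPUT = (
    "Vba32 Linux 3.12.6.1\n.\n./eicar.com : infected EICAR-Test-File\n"
    + SUMMARY_TAIL
)
NEW_OUTPUT = (
    "Vba32 Linux 3.12.8.4\n.\n/tmp/eicar/eicar.com : infected EICAR-Test-File\n"
    + SUMMARY_TAIL
)

if __name__ == "__main__":
    for label, text in (("3.12.6.1", OLD_OUTPUT), ("3.12.8.4", NEW_OUTPUT)):
        result = parse_vba32_output(text, "/tmp/eicar")
        print(label, result["findings"], "silent_miss =", result["silent_miss"])
    # A "./"-only matcher sees the old report line and misses the new one.
    print(relative_only("./eicar.com : infected EICAR-Test-File"))
    print(relative_only("/tmp/eicar/eicar.com : infected EICAR-Test-File"))
```

Treating `silent_miss` as a failure rather than a clean result keeps a scanner update from quietly turning detections into unreported ones.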
From nwp at nz.lemon-computing.com Sun Aug 24 23:09:28 2008 From: nwp at nz.lemon-computing.com (Nick Phillips) Date: Sun Aug 24 23:09:43 2008 Subject: vba32 problem with MailScanner --lint In-Reply-To: <FF689DC51C3C1640BE668A0E31182AD004DB0DA7@mail03.mira.co.uk> References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk><EMEW-k7NMNQ74d933a1939230307e4d6c8ae3fac15a-FF689DC51C3C1640BE668A0E31182AD004DB0DA6@mail03.mira.co.uk> <48B1D2D8.702@ecs.soton.ac.uk> <FF689DC51C3C1640BE668A0E31182AD004DB0DA7@mail03.mira.co.uk> Message-ID: <16B14C61-2546-444F-844A-F50C42A50105@nz.lemon-computing.com> Try piping the output through od. Might be different control characters in there. Cheers, Nick On 25/08/2008, at 10:04 AM, Paul Hutchings wrote: > Sure, the output *looks* the same though. FWIW it can be downloaded > and > run without a trial license key from the vba32 forum. > > Before: > > /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/eicar.com > +---------------------------------------------------+ > | VirusBlokAda (Console scanner) | > | Vba32 Linux 3.12.6.1 / 2008.02.15 12:56 (Vba32.L) | > | Copyright (c) 1993-2008 by VBA Ltd. | > +---------------------------------------------------+ > Key file not found > Demo mode > Command line options: > -af+ -ha+ -rw+ > Ctrl-C will terminate program execution > > /tmp/eicar.com > /tmp/eicar.com : infected EICAR-Test-File > > Directories : 0 Files in archives: Files on disks: > Archives: - total : 0 - total : 1 > - scanned : 0 - scanned : 0 - scanned : 1 > - contain viruses : 0 - infected : 0 - infected : 1 > - deleted : 0 - suspicious : 0 - suspicious : 0 > > Startup : 22:59:41 24-08-2008 > End : 22:59:41 24-08-2008 > Total time : 00:00:00 > > And after: > > /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/eicar.com > +---------------------------------------------------+ > | VirusBlokAda (Console scanner) | > | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | > | Copyright (c) 1993-2008 by VBA Ltd. 
| > +---------------------------------------------------+ > Key file not found > Demo mode > Command line options: > -af+ -ha+ -rw+ > Ctrl-C will terminate program execution > > /tmp/eicar.com > /tmp/eicar.com : infected EICAR-Test-File > > Directories : 0 Files in archives: Files on disks: > Archives: - total : 0 - total : 1 > - scanned : 0 - scanned : 0 - scanned : 1 > - contain viruses : 0 - infected : 0 - infected : 1 > - deleted : 0 - suspicious : 0 - suspicious : 0 > > Startup : 23:01:35 24-08-2008 > End : 23:01:36 24-08-2008 > Total time : 00:00:01 > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Julian > Field > Sent: 24 August 2008 22:30 > To: MailScanner discussion > Subject: Re: vba32 problem with MailScanner --lint > > Aha, thanks for that, it will help me diagnose the problem. > It's really something I need to take a look at. > > Could you put a copy of eicar.com in /tmp and run something like this > cd /tmp > /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl . > > And show me the output both before and after the "vbacl --update" has > changed the version of vba32 you have installed. I need to handle both > the old and the new outputs. > > Thanks. > > Paul Hutchings wrote: >> Hmm something I noticed: >> >> When I first install Vba32 and run "MailScanner --lint" it's happy - >> "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is > with >> Vba32 Linux 3.12.6.1. >> >> After the first update via "vbacl --update" the issue starts with >> MailScanner not picking up the output from vba32. >> >> At this point though, Vba32 has updated itself to Vba32 Linux > 3.12.8.4. >> >> I guess something has changed in the Vba32 output with the later > version >> that MailScanner isn't aware of? >> >> Any ideas if this is something I can change or if it's something > Julian >> needs to change in the mailscanner code? 
>> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul >> Hutchings >> Sent: 24 August 2008 13:08 >> To: MailScanner discussion >> Subject: vba32 problem with MailScanner --lint >> >> Just trialling a few virus scanners, bitdefender, clamd, avg and >> vba32 >> are installed. >> >> Vba32 appears to be working if I test the wrapper: >> >> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe >> +---------------------------------------------------+ >> | VirusBlokAda (Console scanner) | >> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | >> | Copyright (c) 1993-2008 by VBA Ltd. | >> +---------------------------------------------------+ >> User: VBA32 Testlizenz >> License #000000324 Valid till 31.10.2008 >> Command line options: >> -af+ -ha+ -rw+ >> Ctrl-C will terminate program execution >> >> /tmp/malware/29.exe >> /tmp/malware/29.exe : infected Trojan- >> GameThief.Win32.OnLineGames.shie >> >> Directories : 0 Files in archives: Files on disks: >> Archives: - total : 0 - total : 1 >> - scanned : 0 - scanned : 0 - scanned : 1 >> - contain viruses : 0 - infected : 0 - infected : 1 >> - deleted : 0 - suspicious : 0 - suspicious : 0 >> >> Startup : 13:05:01 24-08-2008 >> End : 13:05:01 24-08-2008 >> Total time : 00:00:00 >> >> Yes when I run a lint with MailScanner it doesn't appear to output a >> string that MailScanner can take as meaning an infection has been > found: >> >> MailScanner --lint >> Trying to setlogsock(unix) >> Read 850 hostnames from the phishing whitelist >> Read 5259 hostnames from the phishing blacklist >> Checking version numbers... >> Version installed (4.70.7) does not match version stated in >> MailScanner.conf file (4.70.6), you may want to run >> upgrade_MailScanner_conf >> to ensure your MailScanner.conf file contains all the latest >> settings. >> >> Your envelope_sender_header in spam.assassin.prefs.conf is correct. 
>> MailScanner setting GID to (89) >> MailScanner setting UID to (89) >> >> Checking for SpamAssassin errors (if you use it)... >> SpamAssassin temporary working directory is >> /var/spool/MailScanner/incoming/SpamAssassin-Temp >> SpamAssassin temp dir = >> /var/spool/MailScanner/incoming/SpamAssassin-Temp >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> SpamAssassin reported no errors. >> Using locktype = posix >> MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32" >> Found these virus scanners installed: bitdefender, clamd, vba32, avg >> > = > = > ====================================================================== >> === >> Virus and Content Scanning: Starting >> Avg: Virus identified EICAR_Test in eicar.com >> Virus Scanning: Avg found 1 infections >> 1/eicar.com:infected: EICAR-Test-File (not a virus) >> Virus Scanning: Bitdefender found 1 infections >> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 1 infections >> Virus Scanning: vba32 found 1 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 1 viruses >> > = > = > ====================================================================== >> === >> Virus Scanner test reports: >> Avg said "Found virus EICAR_Test in file eicar.com" >> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file >> eicar.com" >> Clamd said "eicar.com was infected: Eicar-Test-Signature" >> >> If any of your virus scanners (bitdefender,clamd,vba32,avg) >> are not listed there, you should check that they are installed > correctly >> and that MailScanner is finding them correctly via its >> virus.scanners.conf. >> >> Any suggestions please? >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MIRA Ltd > > Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. > > Registered in England and Wales No. 402570 > VAT Registration GB 114 5409 96 > > The contents of this e-mail are confidential and are solely for the > use of the intended recipient. > If you receive this e-mail in error, please delete it and notify us > either by e-mail, telephone or fax. > You should not copy, forward or otherwise disclose the content of > the e-mail as this is prohibited. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From hvdkooij at vanderkooij.org Sun Aug 24 23:17:05 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Aug 24 23:17:14 2008 Subject: Development info? 
In-Reply-To: <48B1CF56.3060008@ecs.soton.ac.uk> References: <EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org> <5F0B9B03-2B51-4FB4-BEBB-ED577CEFCCE8@ecs.soton.ac.uk> <EMEW-k7NKy2997ec42b127ac18bd371a9430af784b0-48B1BA0B.5030007@vanderkooij.org> <48B1C463.1000509@ecs.soton.ac.uk> <EMEW-k7NLxM127b92643464a68c10a5aee65d88c687-48B1C9A8.1070906@vanderkooij.org> <48B1CF56.3060008@ecs.soton.ac.uk> Message-ID: <48B1DDE1.3050008@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > > > Hugo van der Kooij wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Julian Field wrote: >> >> >>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it could >>> not be "require"d. Make sure the last line of the file says "1;" at >>> /usr/lib/MailScanner/MailScanner/Config.pm line 624 >>> >> >> Without the debugging this is all you get. The error could be anything >> but this line points in a rather specific direction all the time. >> >> Rewording this line to be more generic would push me sooner to looking >> at another section instead of that one line. Now I spend some time >> thinking whether or not an empty line could be the problem. While it was >> in fact a missing " somewhere else. >> > I think requiring you to do a "MailScanner --lint" to check the syntax > of your Custom Functions is okay. > >> With fingers not always doing exactly what I want them to do I am used >> to finding typos in every line I write. But when an error points to >> something specific I start looking for the indicated error. >> >> Rephrasing it in the next version will prevent such misunderstandings. >> > Suggested wording? Just remove the pointer to a specific problem. Something like: /usr/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it could not be "require"d at /usr/lib/MailScanner/MailScanner/Config.pm line 624 >> PS: I spotted and fixed 15 finger mismatches in this simple message >> before I did send it. 
Just curious how many I still missed. >> > Learn to type more accurately? :-) Too bad it is a wiring problem. The fingers will simply not always do exactly what I order them. Or not in the specific order if I want to go at any speed. It is a minor nuisance I learned to live with. I watch out for the common RSI causes to minimize the risk of it getting any worse. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIsd3fBvzDRVjxmYERAqO+AKCoxXku9dyPVdW3qdnFhmn5esy6FgCfe1g8 d+d29FP3gZ8lKtZEh7Gs7nA= =znjx -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sun Aug 24 23:22:06 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Aug 24 23:22:16 2008 Subject: vba32 problem with MailScanner --lint In-Reply-To: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk> References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk> Message-ID: <48B1DF0E.7010304@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul Hutchings wrote: > Just trialling a few virus scanners, bitdefender, clamd, avg and vba32 > are installed. Just out of curiosity. Are you running on top of CentOS 5? I have been having some issues with vba on CentOS 5 where it just generates a segfault and dies. Your findings so far seem to indicate there is something going on with how relative paths are handled. That might shed some light on the matter. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? 
Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIsd8NBvzDRVjxmYERAj6SAJ9x4IHZ254JfezUw8b2yqLQpNE8cQCdFhkO
pKdbeAoMrRWpSqzAlWZwP/g=
=BBpl
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Aug 24 23:33:25 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 24 23:33:34 2008
Subject: Development info?
In-Reply-To: <48B1CDA1.7020909@alexb.ch>
References: <48B1509C.8050409@vanderkooij.org> <48B19472.8010906@fsl.com>
	<48B1BACB.7050301@vanderkooij.org> <48B1CDA1.7020909@alexb.ch>
Message-ID: <48B1E1B5.2060902@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Broens wrote:
> On 8/24/2008 9:47 PM, Hugo van der Kooij wrote:
>>> SpamAssassin Rule Actions =
>>> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence
>>
>> That will store the URL but by the time I can look at that URL to fetch
>> the file the infected system might be cleaned out already. So I need to
>> automate this a bit further.
>
> Seems to me you want to do too much within MailScanner...
>
> I'd forward the msg with the malware URI to a separate account, process
> that account with procmail/ripmime/snersoft's "URI" tool/GET and bingo
> you have the malware to do whatever you want with it and you're very
> flexible.

Sounds nice. But most messages never make it as far as procmail. Most are
shot down by a significant amount of SA points.

Hugo.

- --
hvdkooij@vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIseGzBvzDRVjxmYERAnQWAJ9fLvVjkRJO7Ly6lyD8aeaRfOekHwCfdhb6 5wZrH6PrEJNEwj3PkGXhrhs= =Yfkq -----END PGP SIGNATURE----- From mark at msapiro.net Sun Aug 24 23:36:04 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sun Aug 24 23:36:14 2008 Subject: Message body lost when zip file quarantined In-Reply-To: <57A410B1-046D-40E9-813F-B3D11A3927EB@ecs.soton.ac.uk> References: <EMEW-k62M7R83824f738772de166a052e9e61740012-PC18702008070314030600150912edd5@msapiro> <486D47F2.6050104@ecs.soton.ac.uk> <EMEW-k7MJp20064aba633de257a719d5b696aa247b8-48B05AEB.6090504@msapiro.net> <57A410B1-046D-40E9-813F-B3D11A3927EB@ecs.soton.ac.uk> Message-ID: <20080824223604.GA1076@msapiro> On Sun, Aug 24, 2008 at 04:44:01PM +0100, Julian Field wrote: > You shouldn't have left it that long! :-) > Send them to me again, and I'll try to look at them this time. Sorry :-) > > -- > Jules OK. I've resent them. Thanks. /Mark > On 23 Aug 2008, at 19:46, Mark Sapiro <mark@msapiro.net> wrote: > > >On July 3, 2008, Julian Field wrote: > >> > >> > >>Mark Sapiro wrote: > >>>Julian Field wrote:> > >>> > >>>>Mark Sapiro wrote: > >>>> > >>>>>>MailScanner is scanning a message with an attached .zip archive > >>>>>>which > >>>>>>contains a number of .bat and .bat.bak files, other files and > >>>>>>even > >>>>>>another zip archive which contains a single .bat file. > >>>>>> > >>>>>>Mailscanner detects all the .bat and .bat.bak files in the zip > >>>>>>files, > >>>>>>sends a notice appropriately, and delivers the message with the > >>>>>>attachment removed. All well and good. The problems are: > >>>>>> > >>>>>>1) not only the original .zip is quarantined, but so also are the > >>>>>>individual .bat, .bat.bak and .zip files extracted from the > >>>>>>original > >>>>>>.zip (other files in the .zip with OK names are not). 
This is > >>>>>>not a > >>>>>>major issue, but makes looking in the quarantine difficult as one > >>>>>>doesn't know what files were separately attached and what files > >>>>>>were > >>>>>>just in the .zip. > >>>>>> > >>>>>>2) The more serious issue is the original message body is also > >>>>>>removed > >>>>>>from the delivered message, and it is not stored anywhere. > >>>>>> > >>>>>So, is there some misconfiguration on my part that is causing the > >>>>>loss of the message body, or is this and the redundant files in > >>>>>quarantine the expected behavior? > >>>>> > >>>>> > >>>>Number 2 is the one that interests me. Please can you send me a > >>>>concrete example, preferably lifted straight out of a sendmail > >>>>queue. > >>>> > >>> > >>> > >>>I use Postfix, not sendmail. > >>> > >>>Here's what I have: > >>> > >>>-The Postfix queue entry. > >>>-The raw message received via bcc without passing through > >>>MailScanner > >>>-The {Filename?} message delivered to the recipient after > >>>MailScanner > >>>-The notice sent as a result of 'Send Notices = yes' > >>> > >>>Which of these would you like (and may I send it/them off list)? > >>> > >>All of the above please. Send them zipped up to > >>mailscanner@ecs.soton.ac.uk. > > > > > >The files were sent on July 3 as requested. Has there been anything > >discovered or done about this? > > > >-- > >Mark Sapiro <mark@msapiro.net> The highway is for gamblers, > >San Francisco Bay Area, California better use your sense - B. Dylan > > > >-- > >MailScanner mailing list > >mailscanner@lists.mailscanner.info > >http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > >Before posting, read http://wiki.mailscanner.info/posting > > > >Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
>
>

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jon.bates at summitinvestment.com.au Mon Aug 25 02:41:48 2008
From: jon.bates at summitinvestment.com.au (Jon Bates)
Date: Mon Aug 25 02:42:11 2008
Subject: EXE Files Slipping Through
In-Reply-To: <auto-001219495268@solidstatelogic.com>
References: <auto-001219495268@solidstatelogic.com>
Message-ID: <00bd01c90653$bdb07480$39115d80$@bates@summitinvestment.com.au>

Thanks for the responses guys!

I've set the MTA split up, but I'm getting an error message. I'll start a
new topic about it though

Cheers!

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
Martin.Hepworth
Sent: Saturday, 23 August 2008 10:44 PM
To: MailScanner discussion
Subject: RE: EXE Files Slipping Through

Yes

Mailscanner treats the envelope-to as the recipient as user to run the 'to'
rules over. Otherwise if one user has 'yes' and another 'no' which should
it obey?

If you're going to get around this you need to split the emails into
individual recipients. There's 'how-to's for sendmail, postfix and exim in
the wiki.

--
martin

-----Original Message-----
From: Jon Bates <jon.bates@summitinvestment.com.au>
Sent: Saturday, August 23, 2008 1:31 PM
To: mailscanner@lists.mailscanner.info
Subject: EXE Files Slipping Through

I'm hoping someone can help me here.

By using filename and filetype exceptions I've allowed myself to send and
receive .exe files. I've banned this for all other addresses though. The
reason for this is that it catches a huge amount of malware that slips
through Clamav/Sophos - at the moment it's hundreds of "Fedex tracking
number" emails with a zipped exe attachment that aren't being detected!

My problem is when malware emails arrive which are addressed to me AS WELL
as other people - This means the infected email is actually delivered to
the other people on the email!

Is this normal behaviour? I'm smart enough not to open these emails, but
other people are not! Is there any way to stop this behaviour without me
losing my ability to send/receive EXE files?

Cheers!

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error you
must take no action based on them, nor must you copy or show them to
anyone. Please advise the sender by replying to this e-mail immediately
and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the
author and unless specifically stated to the contrary, are not necessarily
those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good computing
practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From jon.bates at summitinvestment.com.au Mon Aug 25 02:48:36 2008
From: jon.bates at summitinvestment.com.au (Jon Bates)
Date: Mon Aug 25 02:48:54 2008
Subject: Split Per Recipient - Sendmail Issue
Message-ID: <00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au>

I've followed these instructions to set up the per-recipient split from
Sendmail:

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient

--

Upon starting MailScanner I get the following error message:

Starting MailScanner daemons:
         incoming sendmail: /etc/init.d/MailScanner: line 139: -C/etc/mail/sendmail-in.cf: No such file or directory

--

Checked permissions on /etc/mail/sendmail-in.cf... they appear correct.

-rw-r--r-- 1 root root 59423 Aug 25 11:36 sendmail-in.cf

Any ideas?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080825/2546d4b1/attachment.html

From mark at msapiro.net Mon Aug 25 05:35:19 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Aug 25 05:35:35 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
Message-ID: <PC1870200808242135190078d9acb021@msapiro>

I notice a few frequent posters on this list, including Jules since
late May, appear to receive list posts with Message-IDs munged with
EMEW watermarks. Thus their replies to list posts have In-Reply-To:
with the munged Message-ID which breaks threading in the pipermail
archive at <http://lists.mailscanner.info/pipermail/mailscanner/>
(every time Jules replies to a post, a new thread is started).

I am a Mailman developer and am concerned about what, if anything, I
should do about this for the near term. My specific concerns are

1. how wide spread is the use of EMEW likely to become.

2. How do I recognize the added data in the Message-Id? It looks like
the regexp 'EMEW-[0-9A-Za-z]{6}[0-9a-f]{32}-' will work and removing
the match will restore the original Message-ID (or at least the
immediately prior Message-ID). Is that a good regexp, or is there a
better one?

3. Are there products other than BarricadeMX that are munging
Message-IDs in other ways for similar reasons.

I haven't been able to find much on the web about this. I would
appreciate any advice or additional information anyone can point me to.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From hvdkooij at vanderkooij.org Mon Aug 25 06:38:06 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Aug 25 06:38:17 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
In-Reply-To: <PC1870200808242135190078d9acb021@msapiro>
References: <PC1870200808242135190078d9acb021@msapiro>
Message-ID: <48B2453E.8000506@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Sapiro wrote:
> I notice a few frequent posters on this list, including Jules since
> late May, appear to receive list posts with Message-IDs munged with
> EMEW watermarks. Thus their replies to list posts have In-Reply-To:
> with the munged Message-ID which breaks threading in the pipermail
> archive at <http://lists.mailscanner.info/pipermail/mailscanner/>
> (every time Jules replies to a post, a new thread is started).

I was wondering why Jules replies always end up in the wrong place in a
thread.

> I am a Mailman developer and am concerned about what, if anything, I
> should do about this for the near term. My specific concerns are
>
> 1. how wide spread is the use of EMEW likely to become.
>
> 2. How do I recognize the added data in the Message-Id? It looks like
> the regexp 'EMEW-[0-9A-Za-z]{6}[0-9a-f]{32}-' will work and removing
> the match will restore the original Message-ID (or at least the
> immediately prior Message-ID). Is that a good regexp, or is there a
> better one?
>
> 3. Are there products other than BarricadeMX that are munging
> Message-IDs in other ways for similar reasons.
>
> I haven't been able to find much on the web about this. I would
> appreciate any advice or additional information anyone can point me to.

In my view anything that starts playing with message identifiers should
do so in a manner that they do not break things.

BarricadeMX should in fact restore these message identifiers again on
the outbound traffic. Whatever changes are done on inbound traffic
should be undone on outbound traffic.

RFC 2822 in fact makes this mandatory in section 3.6.4

So at this point anything mocking about and changing Message-ID's is not
RFC compliant and should be removed from the internet.

So there is no need to fix mailman. There is a mandatory need to fix
Barricade-MX and any other solution that breaks the RFC.

Hugo.

- --
hvdkooij@vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIskU8BvzDRVjxmYERArDiAKCsZHI0JTTXvml+ItHpxdujx5cWhACgqvFl
XicFeVvUy4/PNGsHcTR4eOQ=
=3mdQ
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Mon Aug 25 06:49:07 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Aug 25 06:49:18 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
In-Reply-To: <PC1870200808242135190078d9acb021@msapiro>
References: <PC1870200808242135190078d9acb021@msapiro>
Message-ID: <48B247D3.6070602@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Sapiro wrote:
> I notice a few frequent posters on this list, including Jules since
> late May, appear to receive list posts with Message-IDs munged with
> EMEW watermarks. Thus their replies to list posts have In-Reply-To:
> with the munged Message-ID which breaks threading in the pipermail
> archive at <http://lists.mailscanner.info/pipermail/mailscanner/>
> (every time Jules replies to a post, a new thread is started).

Simply put. If I detect headers like:

In-Reply-To:
<EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org>

Or:

References:
<EMEW-k7NDHP5cf949af6a11121e8aeab488ab3371ce-48B1509C.8050409@vanderkooij.org>

It is safe to assume someone has been tampering with my message
Identifiers. And I am entitled to block those as RFC violations.

That should not be too hard to build into postfix.

Hugo.

- --
hvdkooij@vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIskfRBvzDRVjxmYERAmClAJ9C40J8KyadINm+WBf47JyCk1LSNwCgiXym
w3LBRSxwM6YobBNfkXQsqfk=
=ehPv
-----END PGP SIGNATURE-----

From ms-list at alexb.ch Mon Aug 25 08:02:22 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Aug 25 08:02:36 2008
Subject: Development info?
In-Reply-To: <48B1E1B5.2060902@vanderkooij.org>
References: <48B1509C.8050409@vanderkooij.org> <48B19472.8010906@fsl.com>
	<48B1BACB.7050301@vanderkooij.org> <48B1CDA1.7020909@alexb.ch>
	<48B1E1B5.2060902@vanderkooij.org>
Message-ID: <48B258FE.7060606@alexb.ch>

On 8/25/2008 12:33 AM, Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Alex Broens wrote:
>> On 8/24/2008 9:47 PM, Hugo van der Kooij wrote:
>>>> SpamAssassin Rule Actions =
>>>> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence
>>> That will store the URL but by the time I can look at that URL to fetch
>>> the file the infected system might be cleaned out already. So I need to
>>> automate this a bit further.
>> Seems to me you want to do too much within MailScanner...
>>
>> I'd forward the msg with the malware URI to a separate account, process
>> that account with procmail/ripmime/snersoft's "URI" tool/GET and bingo
>> you have the malware to do whatever you want with it and you're very
>> flexible.
>
> Sounds nice. But most messages never make it as far as procmail. Most are
> shot down by a significant amount of SA points.

I assume this could be avoided if you use a SA rule to catch the
executables, shortcircuit that - to save on SA processing, and set an MS
action to forward those msgs to your processing account, procmail will see
them.

Would that work?

Alex From paul.hutchings at mira.co.uk Mon Aug 25 10:31:20 2008 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Mon Aug 25 10:31:37 2008 Subject: vba32 problem with MailScanner --lint References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk> <48B1DF0E.7010304@vanderkooij.org> Message-ID: <FF689DC51C3C1640BE668A0E31182AD004DB0DA9@mail03.mira.co.uk> Yes Centos 5.2, it started off as 5.0 and a month or so back I did the "yum upgrade" to 5.2. Can I confirm something - if I have multiple engines, MailScanner runs all attachments through *all* engines even if it finds a virus with the first engine it uses? I ask as I want to test engines for a couple of weeks to find which deals best with a lot of the zero day stuff that we're seeing lately. Noticed a similar thing with drweb which also isn't working with MailScanner: MailScanner --lint Trying to setlogsock(unix) Read 850 hostnames from the phishing whitelist Read 5265 hostnames from the phishing blacklist Checking version numbers... Version installed (4.70.7) does not match version stated in MailScanner.conf file (4.70.6), you may want to run upgrade_MailScanner_conf to ensure your MailScanner.conf file contains all the latest settings. Your envelope_sender_header in spam.assassin.prefs.conf is correct. MailScanner setting GID to (89) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. 
Using locktype = posix MailScanner.conf says "Virus Scanners = drweb" Found these virus scanners installed: bitdefender, clamd, drweb, avg, antivir ======================================================================== === Virus and Content Scanning: Starting ======================================================================== === If any of your virus scanners (bitdefender,clamd,drweb,avg,antivir) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. /usr/lib/MailScanner/drweb-wrapper /opt/drweb . exec /opt/drweb/drweb -path=. Dr.Web (R) Scanner for Linux v4.44.0 (4.44.0.0710180) Copyright (c) Igor Daniloff, 1992-2007 Doctor Web, Ltd., Moscow, Russia Support service: http://support.drweb.com To purchase: http://buy.drweb.com Shell version: 4.44.0.10180 <API:2.2> Engine version: 4.44.0.9170 <API:2.2> Total virus records: 417022 Key file: /opt/drweb/drweb32.key License key number: 0010365091 License key activates: 2008-08-25 License key expires: 2008-09-25 /tmp/eicar/eicar.com infected with EICAR Test File (NOT a Virus!)
Scan report for "/tmp/eicar": Scanned: 1 Cured: 0 Infected: 1 Deleted: 0 Modifications: 0 Renamed: 0 Suspicious: 0 Moved: 0 Adware: 0 Ignored: 0 Dialer: 0 Joke: 0 Scan time: 0:00:00 Riskware: 0 Scan speed: 1 Kb/s Hacktool: 0 Scan speed: 1 Kb/s -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij Sent: 24 August 2008 23:22 To: MailScanner discussion Subject: Re: vba32 problem with MailScanner --lint -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul Hutchings wrote: > Just trialling a few virus scanners, bitdefender, clamd, avg and vba32 > are installed. Just out of curiosity. Are you running on top of Centos 5? I have been having some issues with vba on Centos 5 where it just generates a segfault and dies. Your findings so far seem to indicate there is something going on with how relative paths are handled. That might share some light on the matter. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIsd8NBvzDRVjxmYERAj6SAJ9x4IHZ254JfezUw8b2yqLQpNE8cQCdFhkO pKdbeAoMrRWpSqzAlWZwP/g= =BBpl -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. 
If you receive this e-mail in error, please delete it and notify us either
by e-mail, telephone or fax. You should not copy, forward or otherwise
disclose the content of the e-mail as this is prohibited.

From steve.freegard at fsl.com Mon Aug 25 10:36:49 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Aug 25 10:37:00 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
In-Reply-To: <PC1870200808242135190078d9acb021@msapiro>
References: <PC1870200808242135190078d9acb021@msapiro>
Message-ID: <48B27D31.50803@fsl.com>

Hi Mark,

Mark Sapiro wrote:
> I notice a few frequent posters on this list, including Jules since
> late May, appear to receive list posts with Message-IDs munged with
> EMEW watermarks. Thus their replies to list posts have In-Reply-To:
> with the munged Message-ID which breaks threading in the pipermail
> archive at <http://lists.mailscanner.info/pipermail/mailscanner/>
> (every time Jules replies to a post, a new thread is started).
>
> I am a Mailman developer and am concerned about what, if anything, I
> should do about this for the near term. My specific concerns are
>
> 1. how wide spread is the use of EMEW likely to become.

Anyone using BarricadeMX can switch this on at any time.

> 2. How do I recognize the added data in the Message-Id? It looks like
> the regexp 'EMEW-[0-9A-Za-z]{6}[0-9a-f]{32}-' will work and removing
> the match will restore the original Message-ID (or at least the
> immediately prior Message-ID). Is that a good regexp, or is there a
> better one?

That regexp should work just fine. However - you shouldn't modify
Mailman in any way - there's obviously a bug that we need to fix. We've
simply not noticed it as I read the list using the GMane gateway and it
threads just fine in Thunderbird.

> 3. Are there products other than BarricadeMX that are munging
> Message-IDs in other ways for similar reasons.

Not to my knowledge.

> I haven't been able to find much on the web about this. I would
> appreciate any advice or additional information anyone can point me to.

We'll take this off-line and I'll contact you later once I've had a
chance to speak to one of my colleagues. We can then work out a fix and
push it out to all the BarricadeMX users via yum.

Cheers,
Steve.

From steve.freegard at fsl.com Mon Aug 25 12:11:03 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Aug 25 12:11:14 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
In-Reply-To: <48B247D3.6070602@vanderkooij.org>
References: <PC1870200808242135190078d9acb021@msapiro>
	<48B247D3.6070602@vanderkooij.org>
Message-ID: <48B29347.6000801@fsl.com>

Hugo van der Kooij wrote:

> It is safe to assume someone has been tampering with my message
> Identifiers. And I am entitled to block those as RFC violations.

This is a bug, not a RFC violation; show me where in any of the e-mail
RFCs it says that a Message-ID cannot be modified.

Cheers,
Steve.

From campbell at cnpapers.com Mon Aug 25 14:22:53 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Aug 25 14:23:47 2008
Subject: Help with a regexp
Message-ID: <48B2B22D.5050405@cnpapers.com>

One of our domain names is cnpapers.com and another is cnpapers.net. The
SA rule URI_CHINA_ADJ catches a lot of our mail, and although it is a
relatively low scoring rule, it does contribute.

The rule is defined as follows:

/^(?:https?:\/\/)?.*\.cn.*/i

Can anyone see how it's catching us and how I might change this? I guess
I need to contact the SA people after I see how it's really failing on
our names. Sorry, but I'm useless with regexp for now.

Thanks.

Steve Campbell

From steve.freegard at fsl.com Mon Aug 25 15:41:21 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Aug 25 15:41:32 2008
Subject: Help with a regexp
In-Reply-To: <48B2B22D.5050405@cnpapers.com>
References: <48B2B22D.5050405@cnpapers.com>
Message-ID: <48B2C491.2080302@fsl.com>

Steve Campbell wrote:
> One of our domain names is cnpapers.com and another is cnpapers.net. The
> SA rule URI_CHINA_ADJ catches a lot of our mail, and although it is a
> relatively low scoring rule, it does contribute.
>
> The rule is defined as follows:
>
> /^(?:https?:\/\/)?.*\.cn.*/i
>
> Can anyone see how it's catching us and how I might change this? I guess
> I need to contact the SA people after I see how it's really failing on
> our names. Sorry, but I'm useless with regexp for now.
>

How about:

/^(?:https?:\/\/)?.*\.cn(?:\/.*)*$/i

That would seem to keep the intent of the rule without misfiring on cnpapers.com.

Cheers,
Steve.

From dominik.schramm at businessmart.de Mon Aug 25 15:44:31 2008
From: dominik.schramm at businessmart.de (Schramm, Dominik)
Date: Mon Aug 25 15:44:41 2008
Subject: Help with a regexp
References: <48B2B22D.5050405@cnpapers.com>
Message-ID: <11C7B302EF6C334C9A7DDD638E09B661298E2E@103mx.businessmart.de>

Hi Steve,

Steve Campbell wrote on Monday, August 25, 2008 3:23 PM:
> One of our domain names is cnpapers.com and another is cnpapers.net.
> The SA rule URI_CHINA_ADJ catches a lot of our mail, and although
> it is a relatively low scoring rule, it does contribute.
>
> The rule is defined as follows:
>
> /^(?:https?:\/\/)?.*\.cn.*/i

The regex says: an optional protocol prefix ("http://" or "https://"), followed by an arbitrary amount of arbitrary characters (which may be omitted altogether), followed by ".cn", followed by an arbitrary amount of arbitrary characters (which may be omitted altogether).

So ".cn" is the only obligatory character string and sufficient for the regex to match; the scanner probably finds something like mailhost.cnpapers.com in the headers or http://www.cnpapers.com in the footer.

What it should catch IMHO is: an optional protocol prefix ("http://" or "https://"), followed by an arbitrary amount of arbitrary characters (which may be omitted altogether), followed by ".cn", either followed by a slash or followed by whitespace, followed by an arbitrary amount of arbitrary characters (which may be omitted altogether).

And that would translate back into a regex like this:

/^(?:https?:\/\/)?.*\.cn(?:\/|\s).*/i

However, I find the expression rather vague, even like this. It should restrict the characters between the optional http(s) and ".cn" to those allowed in domain names.

Hope this helps,
Dominik

From jra at baylink.com Mon Aug 25 17:24:03 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Mon Aug 25 17:24:14 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
In-Reply-To: <PC1870200808242135190078d9acb021@msapiro>
References: <PC1870200808242135190078d9acb021@msapiro>
Message-ID: <20080825162403.GE26571@cgi.jachomes.com>

On Sun, Aug 24, 2008 at 09:35:19PM -0700, Mark Sapiro wrote:
> I notice a few frequent posters on this list, including Jules since
> late May, appear to receive list posts with Message-IDs munged with
> EMEW watermarks. Thus their replies to list posts have In-Reply-To:
> with the munged Message-ID which breaks threading in the pipermail
> archive at <http://lists.mailscanner.info/pipermail/mailscanner/>
> (every time Jules replies to a post, a new thread is started).
>
> I am a Mailman developer and am concerned about what, if anything, I
> should do about this for the near term. My specific concerns are

You should rip Barracuda a new one: munging the IRT header's message-id violates RFC 28222 ss 3.6.4.
I would not at all recommend 'enabling' them by working around this: make sure that it's very clear to everyone exactly what's breaking and why, and whom they should contact at Barracuda to get them to stop. "Enhanced". Did they get bought out by Microsoft? Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From hvdkooij at vanderkooij.org Mon Aug 25 17:46:48 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Aug 25 17:47:00 2008 Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading In-Reply-To: <48B29347.6000801@fsl.com> References: <PC1870200808242135190078d9acb021@msapiro> <48B247D3.6070602@vanderkooij.org> <48B29347.6000801@fsl.com> Message-ID: <48B2E1F8.8000707@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Freegard wrote: > Hugo van der Kooij wrote: > >> It is safe to assume someone has been tampering with my message >> Identifiers. And I am entitled to block those as RFC violations. > > This is a bug, not a RFC violation; show me where in any of the e-mail > RFCs it says that a Message-ID cannot be modified. The second paragraph clearly indicates this particular case: The "Message-ID:" field provides a unique message identifier that refers to a particular version of a particular message. The uniqueness of the message identifier is guaranteed by the host that generates it (see below). This message identifier is intended to be machine readable and not necessarily meaningful to humans. A message identifier pertains to exactly one instantiation of a particular message; subsequent revisions to the message each receive new message identifiers. 
Note: There are many instances when messages are "changed", but those changes do not constitute a new instantiation of that message, and therefore the message would not get a new message identifier. For example, when messages are introduced into the transport system, they are often prepended with additional header fields such as trace fields (described in section 3.6.7) and resent fields (described in section 3.6.6). The addition of such header fields does not change the identity of the message and therefore the original "Message-ID:" field is retained. In all cases, it is the meaning that the sender of the message wishes to convey (i.e., whether this is the same message or a different message) that determines whether or not the "Message-ID:" field changes, not any particular syntactic difference that appears (or does not appear) in the message. So the Message-ID is mine when I set it and not of someone else to mangle with in the way it is now mangled. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIsuHyBvzDRVjxmYERAiJ6AJ9L3kd7Duzmkl/NKk+BPQMFB7VpKwCdHGo9 cT+Ri60GkVbgZsB5SwcNh8g= =/isO -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Mon Aug 25 17:51:34 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Aug 25 17:51:44 2008 Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading In-Reply-To: <20080825162403.GE26571@cgi.jachomes.com> References: <PC1870200808242135190078d9acb021@msapiro> <20080825162403.GE26571@cgi.jachomes.com> Message-ID: <48B2E316.803@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jay R. 
Ashworth wrote: > On Sun, Aug 24, 2008 at 09:35:19PM -0700, Mark Sapiro wrote: >> I notice a few frequent posters on this list, including Jules since >> late May, appear to receive list posts with Message-IDs munged with >> EMEW watermarks. Thus their replies to list posts have In-Reply-To: >> with the munged Message-ID which breaks threading in the pipermail >> archive at <http://lists.mailscanner.info/pipermail/mailscanner/> >> (every time Jules replies to a post, a new thread is started). >> >> I am a Mailman developer and am concerned about what, if anything, I >> should do about this for the near term. My specific concerns are > > You should rip Barracuda a new one: munging the IRT header's message-id > violates RFC 28222 ss 3.6.4. > > I would not at all recommend 'enabling' them by working around this: > make sure that it's very clear to everyone exactly what's breaking and > why, and whom they should contact at Barracuda to get them to stop. > > "Enhanced". Did they get bought out by Microsoft? Jay. Just in case you did not notice: Barracuda != BaricadeMX just like postfix != sendmail Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIsuMVBvzDRVjxmYERAvyCAJ9YKYiqihir9hDpU59/gUUhguYvegCgsK5/ fDPidoHewsL2qegcSMIdnd8= =HYF8 -----END PGP SIGNATURE----- From jra at baylink.com Mon Aug 25 17:52:43 2008 From: jra at baylink.com (Jay R. 
Ashworth) Date: Mon Aug 25 17:52:52 2008 Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading In-Reply-To: <48B29347.6000801@fsl.com> References: <PC1870200808242135190078d9acb021@msapiro> <48B247D3.6070602@vanderkooij.org> <48B29347.6000801@fsl.com> Message-ID: <20080825165243.GF26571@cgi.jachomes.com> On Mon, Aug 25, 2008 at 12:11:03PM +0100, Steve Freegard wrote: > >It is safe to assume someone has been tampering with my message > >Identifiers. And I am entitled to block those as RFC violations. > > This is a bug, not a RFC violation; show me where in any of the e-mail > RFCs it says that a Message-ID cannot be modified. It was already cited: RFC 2822, 3.6.4. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From jra at baylink.com Mon Aug 25 18:00:39 2008 From: jra at baylink.com (Jay R. Ashworth) Date: Mon Aug 25 18:00:50 2008 Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading In-Reply-To: <48B2E316.803@vanderkooij.org> References: <PC1870200808242135190078d9acb021@msapiro> <20080825162403.GE26571@cgi.jachomes.com> <48B2E316.803@vanderkooij.org> Message-ID: <20080825170039.GG26571@cgi.jachomes.com> On Mon, Aug 25, 2008 at 06:51:34PM +0200, Hugo van der Kooij wrote: > > I would not at all recommend 'enabling' them by working around this: > > make sure that it's very clear to everyone exactly what's breaking and > > why, and whom they should contact at Barracuda to get them to stop. > > > > "Enhanced". Did they get bought out by Microsoft? > > Jay. Just in case you did not notice: > > Barracuda != BaricadeMX just like postfix != sendmail Sorry. Fingerfart. 
And I see that what appears to be a Barricade guy has replied, so I retract "give them a new..." :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin)

From MailScanner at ecs.soton.ac.uk Mon Aug 25 20:38:03 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 25 20:38:23 2008
Subject: vba32 problem with MailScanner --lint
In-Reply-To: <EMEW-k7NNJba3e7fd2c4c4c8971fe105b07be601878-FF689DC51C3C1640BE668A0E31182AD004DB0DA8@mail03.mira.co.uk>
References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk><EMEW-k7NMNQ74d933a1939230307e4d6c8ae3fac15a-FF689DC51C3C1640BE668A0E31182AD004DB0DA6@mail03.mira.co.uk><EMEW-k7NMeG8b70d182a5f3bfee9a02ce635720d7e1-48B1D2D8.702@ecs.soton.ac.uk> <8D26BA77-1C47-4F65-8EBA-3B31D26CB578@ecs.soton.ac.uk> <EMEW-k7NNJba3e7fd2c4c4c8971fe105b07be601878-FF689DC51C3C1640BE668A0E31182AD004DB0DA8@mail03.mira.co.uk>
Message-ID: <48B30A1B.3000403@ecs.soton.ac.uk>

Look in SweepViruses.pm (/usr/lib/MailScanner/MailScanner/SweepViruses.pm) and you will find a "sub Processvba32Output" function. Change it to this:

sub Processvba32Output {
  my($line, $infections, $types, $BaseDir, $Name) = @_;
  my($report, $infected, $dot, $id, $part, @rest);
  my($logout);

  chomp $line;
  $logout = $line;
  $logout =~ s/%/%%/g;
  $logout =~ s/\s{20,}/ /g;
  #MailScanner::Log::WarnLog($logout)
  #  if $line =~ /^\..*( infected | is suspected of )/i;

  $line =~ s/^$BaseDir/./; # Newer versions put BaseDir instead of .
  if ($line =~ /^(\..*) : (infected|is suspected of) (.*)$/i) {
    my($fileentry, $virusname) = ($1,$3);
    MailScanner::Log::InfoLog($logout);
    #$fileentry =~ s/^$BaseDir//;
    ($dot, $id, $part, @rest) = split(/\//, $fileentry);
    $part =~ s/:\<[A-Z]+\>\\.*$//g;
    $report = "Found virus $virusname in $part";
    $report = $Name . ': '. $report if $Name;
    $infections->{"$id"}{"$part"} .= $report . "\n";
    $types->{"$id"}{"$part"} .= "v"; # it's a real virus
    return 1;
  }
}

The only change is the new line in the middle, just before the "if ($line =~" line. This should be sufficient to make it cope with both versions of the output. Please let me know if this fixes the problem for you, and works with both the old and the new versions of vba32.

Cheers,
Jules.

Paul Hutchings wrote:
> Just realised I ran a different thing to what you asked.
>
> Looks like it all comes down to a "."
>
> Without update:
>
> +---------------------------------------------------+
> | VirusBlokAda (Console scanner) |
> | Vba32 Linux 3.12.6.1 / 2008.02.15 12:56 (Vba32.L) |
> | Copyright (c) 1993-2008 by VBA Ltd. |
> +---------------------------------------------------+
> Key file not found
> Demo mode
> Command line options:
> -af+ -ha+ -rw+
> Ctrl-C will terminate program execution
>
> .
> ./eicar.com : infected EICAR-Test-File
>
> Directories : 1 Files in archives: Files on disks:
> Archives: - total : 0 - total : 1
> - scanned : 0 - scanned : 0 - scanned : 1
> - contain viruses : 0 - infected : 0 - infected : 1
> - deleted : 0 - suspicious : 0 - suspicious : 0
>
> Startup : 23:07:40 24-08-2008
> End : 23:07:41 24-08-2008
> Total time : 00:00:01
>
> With update:
>
> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl .
> +---------------------------------------------------+
> | VirusBlokAda (Console scanner) |
> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) |
> | Copyright (c) 1993-2008 by VBA Ltd.
| > +---------------------------------------------------+ > Key file not found > Demo mode > Command line options: > -af+ -ha+ -rw+ > Ctrl-C will terminate program execution > > . > /tmp/eicar/eicar.com : infected EICAR-Test-File > > Directories : 1 Files in archives: Files on disks: > Archives: - total : 0 - total : 1 > - scanned : 0 - scanned : 0 - scanned : 1 > - contain viruses : 0 - infected : 0 - infected : 1 > - deleted : 0 - suspicious : 0 - suspicious : 0 > > Startup : 23:06:00 24-08-2008 > End : 23:06:00 24-08-2008 > Total time : 00:00:00 > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: 24 August 2008 22:46 > To: MailScanner discussion > Subject: Re: vba32 problem with MailScanner --lint > > > On 24 Aug 2008, at 22:30, Julian Field <MailScanner@ecs.soton.ac.uk> > wrote: > > >> Aha, thanks for that, it will help me diagnose the problem. >> It's really something I need to take a look at. >> >> Could you put a copy of eicar.com in /tmp and run something like this >> cd /tmp >> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl . >> > > Don't forget the " ." on the end of that command! > > > >> And show me the output both before and after the "vbacl --update" >> has changed the version of vba32 you have installed. I need to >> handle both the old and the new outputs. >> >> Thanks. >> >> Paul Hutchings wrote: >> >>> Hmm something I noticed: >>> >>> When I first install Vba32 and run "MailScanner --lint" it's happy - >>> "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is >>> with >>> Vba32 Linux 3.12.6.1. >>> >>> After the first update via "vbacl --update" the issue starts with >>> MailScanner not picking up the output from vba32. >>> >>> At this point though, Vba32 has updated itself to Vba32 Linux >>> 3.12.8.4. 
>>> >>> I guess something has changed in the Vba32 output with the later >>> version >>> that MailScanner isn't aware of? >>> >>> Any ideas if this is something I can change or if it's something >>> Julian >>> needs to change in the mailscanner code? >>> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul >>> Hutchings >>> Sent: 24 August 2008 13:08 >>> To: MailScanner discussion >>> Subject: vba32 problem with MailScanner --lint >>> >>> Just trialling a few virus scanners, bitdefender, clamd, avg and >>> vba32 >>> are installed. >>> >>> Vba32 appears to be working if I test the wrapper: >>> >>> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe >>> +---------------------------------------------------+ >>> | VirusBlokAda (Console scanner) | >>> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) | >>> | Copyright (c) 1993-2008 by VBA Ltd. | >>> +---------------------------------------------------+ >>> User: VBA32 Testlizenz >>> License #000000324 Valid till 31.10.2008 >>> Command line options: >>> -af+ -ha+ -rw+ >>> Ctrl-C will terminate program execution >>> >>> /tmp/malware/29.exe >>> /tmp/malware/29.exe : infected Trojan- >>> GameThief.Win32.OnLineGames.shie >>> >>> Directories : 0 Files in archives: Files on disks: >>> Archives: - total : 0 - total : 1 >>> - scanned : 0 - scanned : 0 - scanned : 1 >>> - contain viruses : 0 - infected : 0 - infected : 1 >>> - deleted : 0 - suspicious : 0 - suspicious : 0 >>> >>> Startup : 13:05:01 24-08-2008 >>> End : 13:05:01 24-08-2008 >>> Total time : 00:00:00 >>> >>> Yes when I run a lint with MailScanner it doesn't appear to output a >>> string that MailScanner can take as meaning an infection has been >>> found: >>> >>> MailScanner --lint >>> Trying to setlogsock(unix) >>> Read 850 hostnames from the phishing whitelist >>> Read 5259 hostnames from the phishing blacklist >>> Checking version 
numbers... >>> Version installed (4.70.7) does not match version stated in >>> MailScanner.conf file (4.70.6), you may want to run >>> upgrade_MailScanner_conf >>> to ensure your MailScanner.conf file contains all the latest >>> settings. >>> >>> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >>> MailScanner setting GID to (89) >>> MailScanner setting UID to (89) >>> >>> Checking for SpamAssassin errors (if you use it)... >>> SpamAssassin temporary working directory is >>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>> SpamAssassin temp dir = >>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>> Using SpamAssassin results cache >>> Connected to SpamAssassin cache database >>> SpamAssassin reported no errors. >>> Using locktype = posix >>> MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32" >>> Found these virus scanners installed: bitdefender, clamd, vba32, avg >>> === >>> ===================================================================== >>> === >>> Virus and Content Scanning: Starting >>> Avg: Virus identified EICAR_Test in eicar.com >>> Virus Scanning: Avg found 1 infections >>> 1/eicar.com:infected: EICAR-Test-File (not a virus) >>> Virus Scanning: Bitdefender found 1 infections >>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >>> Virus Scanning: Clamd found 1 infections >>> Virus Scanning: vba32 found 1 infections >>> Infected message 1 came from 10.1.1.1 >>> Virus Scanning: Found 1 viruses >>> === >>> ===================================================================== >>> === >>> Virus Scanner test reports: >>> Avg said "Found virus EICAR_Test in file eicar.com" >>> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file >>> eicar.com" >>> Clamd said "eicar.com was infected: Eicar-Test-Signature" >>> >>> If any of your virus scanners (bitdefender,clamd,vba32,avg) >>> are not listed there, you should check that they are installed >>> correctly >>> and that MailScanner is 
finding them correctly via its >>> virus.scanners.conf. >>> >>> Any suggestions please? >>> >>> >>> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> PGP public key: http://www.jules.fm/julesfm.asc >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Aug 25 20:43:10 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 25 20:43:32 2008 Subject: vba32 problem with MailScanner --lint In-Reply-To: <EMEW-k7OAdfa1535101bf3812a3311b6876e6024b65-FF689DC51C3C1640BE668A0E31182AD004DB0DA9@mail03.mira.co.uk> References: <FF689DC51C3C1640BE668A0E31182AD004DB0DA4@mail03.mira.co.uk> <48B1DF0E.7010304@vanderkooij.org> <EMEW-k7OAdfa1535101bf3812a3311b6876e6024b65-FF689DC51C3C1640BE668A0E31182AD004DB0DA9@mail03.mira.co.uk> Message-ID: <48B30B4E.1010204@ecs.soton.ac.uk> I don't think I've got a copy of drweb. 
Can you send me a full licensed copy off-list to mailscanner@ecs.soton.ac.uk please so that I can fix this problem for you? Thanks, Jules. Paul Hutchings wrote: > Yes Centos 5.2, it started off as 5.0 and a month or so back I did the > "yum upgrade" to 5.2. > > Can I confirm something - if I have multiple engines, MailScanner runs > all attachments through *all* engines even if it finds a virus with the > first engine it uses? > > I ask as I want to test engines for a couple of weeks to find which > deals best with a lot of the zero day stuff that we're seeing lately. > > Noticed a similar thing with drweb which also isn't working with > MailScanner: > > MailScanner --lint > Trying to setlogsock(unix) > Read 850 hostnames from the phishing whitelist > Read 5265 hostnames from the phishing blacklist > Checking version numbers... > Version installed (4.70.7) does not match version stated in > MailScanner.conf file (4.70.6), you may want to run > upgrade_MailScanner_conf > to ensure your MailScanner.conf file contains all the latest settings. > > Your envelope_sender_header in spam.assassin.prefs.conf is correct. > MailScanner setting GID to (89) > MailScanner setting UID to (89) > > Checking for SpamAssassin errors (if you use it)... > SpamAssassin temporary working directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin temp dir = > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. 
> Using locktype = posix > MailScanner.conf says "Virus Scanners = drweb" > Found these virus scanners installed: bitdefender, clamd, drweb, avg, > antivir > ======================================================================== > === > Virus and Content Scanning: Starting > ======================================================================== > === > > If any of your virus scanners (bitdefender,clamd,drweb,avg,antivir) > are not listed there, you should check that they are installed correctly > and that MailScanner is finding them correctly via its > virus.scanners.conf. > > /usr/lib/MailScanner/drweb-wrapper /opt/drweb . > exec /opt/drweb/drweb -path=. > Dr.Web (R) Scanner for Linux v4.44.0 (4.44.0.0710180) > Copyright (c) Igor Daniloff, 1992-2007 > Doctor Web, Ltd., Moscow, Russia > Support service: http://support.drweb.com > To purchase: http://buy.drweb.com > Shell version: 4.44.0.10180 <API:2.2> > Engine version: 4.44.0.9170 <API:2.2> > Total virus records: 417022 > Key file: /opt/drweb/drweb32.key > License key number: 0010365091 > License key activates: 2008-08-25 > License key expires: 2008-09-25 > /tmp/eicar/eicar.com infected with EICAR Test File (NOT a Virus!)
> Scan report for "/tmp/eicar": > Scanned: 1 Cured: 0 > Infected: 1 Deleted: 0 > Modifications: 0 Renamed: 0 > Suspicious: 0 Moved: 0 > Adware: 0 Ignored: 0 > Dialer: 0 > Joke: 0 Scan time: 0:00:00 > Riskware: 0 Scan speed: 1 Kb/s > Hacktool: 0 Scan speed: 1 Kb/s > > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo > van der Kooij > Sent: 24 August 2008 23:22 > To: MailScanner discussion > Subject: Re: vba32 problem with MailScanner --lint > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Paul Hutchings wrote: > >> Just trialling a few virus scanners, bitdefender, clamd, avg and vba32 >> are installed. >> > > Just out of curiosity. Are you running on top of Centos 5? I have been > having some issues with vba on Centos 5 where it just generates a > segfault and dies. > > Your findings so far seem to indicate there is something going on with > how relative paths are handled. That might share some light on the > matter. > > Hugo > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFIsd8NBvzDRVjxmYERAj6SAJ9x4IHZ254JfezUw8b2yqLQpNE8cQCdFhkO > pKdbeAoMrRWpSqzAlWZwP/g= > =BBpl > -----END PGP SIGNATURE----- > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Aug 25 20:52:21 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 25 20:52:42 2008
Subject: Split Per Recipient - Sendmail Issue
In-Reply-To: <EMEW-k7O2w835456eb9b69ed0e33c16f72e5ba9c0d1-00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au>
References: <EMEW-k7O2w835456eb9b69ed0e33c16f72e5ba9c0d1-00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au>
Message-ID: <48B30D75.4050003@ecs.soton.ac.uk>

Jon Bates wrote:
>
> I've followed these instructions to set up the per-recipient split
> from Sendmail:
>
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient
>
> --
>
> Upon starting MailScanner I get the following error message:
>
> Starting MailScanner daemons:
>
> incoming sendmail: /etc/init.d/MailScanner: line 139:
> -C/etc/mail/sendmail-in.cf: No such file or directory
>

That would tend to imply to me that it is looking for a file called
-C/etc/mail/sendmail-in.cf
and not
/etc/mail/sendmail-in.cf

It may be something as simple as you missing a space after the "-C".

Put in a "set -x" right near the top of the script, and you'll get to see the full commands that it is actually executing, which may tell you a lot about what is actually going on, as opposed to what you think is going on :-)

Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Aug 25 20:58:17 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 25 20:58:37 2008
Subject: Mailscanner (or rather clam AV) tagging some messages as "other infection".
In-Reply-To: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local>
References: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local>
Message-ID: <48B30ED9.70805@ecs.soton.ac.uk>

Jan Johansson wrote:
> (sorry for any re-post, but I have been having some issues. Thanks Julian
> for helping me out!)
>
> I have some mails being rejected as "other infection" and I cannot for
> the life of me see why that is. Nothing in the logs suggests the REAL
> problem to me.
>
> Is it possible to disable this check, and simply NOT trigger on "other
> infection"?
>

Can you get hold of a copy of the rejected message, even after its attachment(s) have been replaced? This should tell you the cause of the rejection.

Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From ssilva at sgvwater.com Mon Aug 25 21:08:49 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 25 21:09:09 2008 Subject: clamavmodule CL_SCAN_PHISHING_DOMAINLIST error In-Reply-To: <1219477397.25503.23.camel@darkstar.netcore.co.in> References: <1219477397.25503.23.camel@darkstar.netcore.co.in> Message-ID: <g8v3gg$7jh$1@ger.gmane.org> on 8-23-2008 12:43 AM ram spake the following: > I have Mail::ClamAV version 0.22 and clamav 0.93 > When I use clamavmodule in MailScanner this gives me an error > > > > Commercial virus checker failed with real error: Invalid function > CL_SCAN_PHISHING_DOMAINLIST > at /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/Mail/ClamAV.pm line 120. > > > > What is wrong ? > I am in the process of abandoning the clam module for clamd. I had too many problems like this lately. Either clam is moving way faster, or the module maintainer is losing some interest in keeping up. Either way, the clamd setup with recent MailScanner versions uses quite a bit less memory, and the load is much lighter. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080825/1f5a2c32/signature.bin From MailScanner at ecs.soton.ac.uk Mon Aug 25 21:10:57 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 25 21:11:24 2008 Subject: Split Per Recipient - Sendmail Issue In-Reply-To: <EMEW-k7OKuDae310a3365778725ec9c2164c2604908-48B30D75.4050003@ecs.soton.ac.uk> References: <EMEW-k7O2w835456eb9b69ed0e33c16f72e5ba9c0d1-00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au> <EMEW-k7OKuDae310a3365778725ec9c2164c2604908-48B30D75.4050003@ecs.soton.ac.uk> Message-ID: <48B311D1.8030509@ecs.soton.ac.uk> Julian Field wrote: > > > Jon Bates wrote: >> >> I've followed these instructions to set up the per-recipient split >> from Sendmail: >> >> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient >> >> >> -- >> >> Upon starting MailScanner I get the following error message: >> >> Starting MailScanner daemons: >> >> incoming sendmail: /etc/init.d/MailScanner: line 139: >> -C/etc/mail/sendmail-in.cf: No such file or directory >> > That would tend to imply to me that it is looking for a file called > -C/etc/mail/sendmail-in.cf > and not > /etc/mail/sendmail-in.cf > > It may be something as simple as you missing a space after the "-C". > > Put in a "set -x" right near the top of the script, and you'll get to > see the full commands that it is actually executing, which may tell > you a lot about what is actually going on, as opposed to what you > think is going on :-) Sorry, scrub that. I think you are either missing the "\" from the end of the previous line, or else the "\" is not the last character on the previous line. There must be no spaces after it, it must be the last character. It is trying to run "-C/etc/mail/sendmail-in.cf" as a command, which of course is invalid. 
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Denis.Beauchemin at USherbrooke.ca Mon Aug 25 21:38:02 2008 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Aug 25 21:38:24 2008 Subject: New McAfee engine available Message-ID: <48B3182A.9080007@USherbrooke.ca> Hello all, I just installed engine 5.30 on my MS servers and everything is running fine: > uvscan --version > Virus Scan for Linux v5.30.0 > Copyright (c) 1992-2008 McAfee, Inc. All rights reserved. > (408) 988-3832 LICENSED COPY - Jun 16 2008 > > Scan engine v5.3.00 for Linux. > Virus data file v5369 created Aug 25 2008 > Scanning for 450746 viruses, trojans and variants. Make sure that all dat files are links to the current ones in /usr/local/uvscan (default location) : > cd /usr/local/uvscan/ && ls -l *dat > lrwxrwxrwx 1 root root 26 Aug 25 15:17 clean.dat -> > datfiles/current/clean.dat* > lrwxrwxrwx 1 root root 26 Apr 11 2007 extra.dat -> > datfiles/current/extra.dat > lrwxrwxrwx 1 root root 29 Apr 11 2007 internet.dat -> > datfiles/current/internet.dat > -r--r--r-- 1 root root 1056 Aug 25 15:17 license.dat > -r--r--r-- 1 root root 40317 Aug 25 15:17 messages.dat > lrwxrwxrwx 1 root root 26 Aug 25 15:17 names.dat -> > datfiles/current/names.dat* > lrwxrwxrwx 1 root root 25 Aug 25 15:18 scan.dat -> > datfiles/current/scan.dat* Didn't have the time to look at what's changed... Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. 
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From ssilva at sgvwater.com Mon Aug 25 22:28:22 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 25 22:28:41 2008 Subject: DSNs from bigfoot.com are quarantined In-Reply-To: <48B05EA8.3000508@msapiro.net> References: <48B05EA8.3000508@msapiro.net> Message-ID: <g8v85n$ptj$1@ger.gmane.org> <snip> > > If only the Content-Type: message/partial part were removed, it would > still be possible for automated bounce recognition software to recognize > the DSN. Is there some reason why the entire message needs to be removed > and not just the message/partial part? > MailScanner breaks the message apart to scan it, but it only either sends or doesn't send the original message. It doesn't re-assemble it with bits and pieces. What if it assembled it wrong? What about signatures? If you tamper with a message, you broke it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080825/58dbe96a/signature.bin From jon.bates at summitinvestment.com.au Tue Aug 26 00:08:16 2008 From: jon.bates at summitinvestment.com.au (Jon Bates) Date: Tue Aug 26 00:08:34 2008 Subject: Split Per Recipient - Sendmail Issue In-Reply-To: <48B311D1.8030509@ecs.soton.ac.uk> References: <EMEW-k7O2w835456eb9b69ed0e33c16f72e5ba9c0d1-00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au> <EMEW-k7OKuDae310a3365778725ec9c2164c2604908-48B30D75.4050003@ecs.soton.ac.uk> <48B311D1.8030509@ecs.soton.ac.uk> Message-ID: <005301c90707$75602310$60206930$@bates@summitinvestment.com.au> Julian Field wrote: >> >> >> Jon Bates wrote: >>> >>> I've followed these instructions to set up the per-recipient split >>> from Sendmail: >>> >>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient >>> >>> >>> -- >>> >>> Upon starting MailScanner I get the following error message: >>> >>> Starting MailScanner daemons: >>> >>> incoming sendmail: /etc/init.d/MailScanner: line 139: >>> -C/etc/mail/sendmail-in.cf: No such file or directory >>> >> That would tend to imply to me that it is looking for a file called >> -C/etc/mail/sendmail-in.cf >> and not >> /etc/mail/sendmail-in.cf >> >> It may be something as simple as you missing a space after the "-C". >> >> Put in a "set -x" right near the top of the script, and you'll get to >> see the full commands that it is actually executing, which may tell >> you a lot about what is actually going on, as opposed to what you >> think is going on :-) > Sorry, scrub that. I think you are either missing the "\" from the end > of the previous line, or else the "\" is not the last character on the > previous line. There must be no spaces after it, it must be the last > character. 
It is trying to run "-C/etc/mail/sendmail-in.cf" as a > command, which of course is invalid. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc Brilliant this fixed my problem! I missed that / on the last line. Thank you kindly for your help Julian! Jon From kate at rheel.co.nz Tue Aug 26 00:18:08 2008 From: kate at rheel.co.nz (Kate Kleinschafer) Date: Tue Aug 26 00:17:28 2008 Subject: Setting up postfix to use backscatterer.org is it a good idea? Message-ID: <48B33DB0.80506@rheel.co.nz> Hi all, I'm trying to implement the use of backscatterer.org with postfix (following the instructions on the site) When i restart postfix and do tail /var/log/maillog one of the errors i get is: fatal: unsupported dictionary type: dbm How do I get this working properly? Thanks Kate From ssilva at sgvwater.com Tue Aug 26 00:54:15 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 26 00:54:39 2008 Subject: New McAfee engine available In-Reply-To: <48B3182A.9080007@USherbrooke.ca> References: <48B3182A.9080007@USherbrooke.ca> Message-ID: <g8vgnb$nai$1@ger.gmane.org> on 8-25-2008 1:38 PM Denis Beauchemin spake the following: > Hello all, > > I just installed engine 5.30 on my MS servers and everything is running > fine: >> uvscan --version >> Virus Scan for Linux v5.30.0 >> Copyright (c) 1992-2008 McAfee, Inc. All rights reserved. >> (408) 988-3832 LICENSED COPY - Jun 16 2008 >> >> Scan engine v5.3.00 for Linux. >> Virus data file v5369 created Aug 25 2008 >> Scanning for 450746 viruses, trojans and variants. 
> Make sure that all dat files are links to the current ones in > /usr/local/uvscan (default location) : >> cd /usr/local/uvscan/ && ls -l *dat >> lrwxrwxrwx 1 root root 26 Aug 25 15:17 clean.dat -> >> datfiles/current/clean.dat* >> lrwxrwxrwx 1 root root 26 Apr 11 2007 extra.dat -> >> datfiles/current/extra.dat >> lrwxrwxrwx 1 root root 29 Apr 11 2007 internet.dat -> >> datfiles/current/internet.dat >> -r--r--r-- 1 root root 1056 Aug 25 15:17 license.dat >> -r--r--r-- 1 root root 40317 Aug 25 15:17 messages.dat >> lrwxrwxrwx 1 root root 26 Aug 25 15:17 names.dat -> >> datfiles/current/names.dat* >> lrwxrwxrwx 1 root root 25 Aug 25 15:18 scan.dat -> >> datfiles/current/scan.dat* > Didn't have the time to look at what's changed... > > Denis > Been running it for almost a month on one server. Runs fine here also. McAfee doesn't seem to change their output very often so MailScanner has worked with it for ages. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080825/b79afe36/signature.bin From igueths at lava-net.com Tue Aug 26 01:44:55 2008 From: igueths at lava-net.com (Igor Gueths) Date: Tue Aug 26 01:45:08 2008 Subject: Setting up postfix to use backscatterer.org is it a good idea? In-Reply-To: <48B33DB0.80506@rheel.co.nz> References: <48B33DB0.80506@rheel.co.nz> Message-ID: <20080826004455.GA26333@lava-net.com> Hello. You are getting this error because your Postfix lacks support for the Berkeley DBM database format. To see a list of all currently supported map types, run postconf -m as root. Assuming you do not see dbm listed in the output, you will need to install Postfix with DBM support, by doing so using the method (s) put in place via your distro. 
Hope this helps somewhat. On Tue, Aug 26, 2008 at 11:18:08AM +1200, Kate Kleinschafer wrote: > Hi all, > > I'm trying to implement the use of backscatterer.org with postfix > (following the instructions on the site) > > When i restart postfix and do tail /var/log/maillog one of the errors i get > is: > fatal: unsupported dictionary type: dbm > > How do I get this working properly? > > Thanks > Kate > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- Igor -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 827 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080825/67de5069/attachment.bin From kate at rheel.co.nz Tue Aug 26 03:38:20 2008 From: kate at rheel.co.nz (Kate Kleinschafer) Date: Tue Aug 26 03:37:26 2008 Subject: Setting up postfix to use backscatterer.org is it a good idea? In-Reply-To: <20080826004455.GA26333@lava-net.com> References: <48B33DB0.80506@rheel.co.nz> <20080826004455.GA26333@lava-net.com> Message-ID: <48B36C9C.6000508@rheel.co.nz> Hi Igor, Thanks for the information - I think I will leave it as is (haven't done a lot of big changes to postfix before) and try and implement the MailScanner watermarking feature. Cheers Kate Igor Gueths wrote: > Hello. You are getting this error because your Postfix lacks support for the > Berkeley DBM database format. To see a list of all currently supported map > types, run postconf -m as root. 
Assuming you do not see dbm listed in the > output, you will need to install Postfix with DBM support, by doing so using the > method (s) put in place via your distro. Hope this helps somewhat. > On Tue, Aug 26, 2008 at 11:18:08AM +1200, Kate Kleinschafer wrote: > >> Hi all, >> >> I'm trying to implement the use of backscatterer.org with postfix >> (following the instructions on the site) >> >> When i restart postfix and do tail /var/log/maillog one of the errors i get >> is: >> fatal: unsupported dictionary type: dbm >> >> How do I get this working properly? >> >> Thanks >> Kate >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080826/22f930a5/attachment.html From MailScanner at ecs.soton.ac.uk Tue Aug 26 09:46:53 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 26 09:47:15 2008 Subject: Message body lost when zip file quarantined In-Reply-To: <EMEW-k7NNqF0e12fe7858d4e2d34c8f21da0ba54617-20080824223604.GA1076@msapiro> References: <EMEW-k62M7R83824f738772de166a052e9e61740012-PC18702008070314030600150912edd5@msapiro> <486D47F2.6050104@ecs.soton.ac.uk> <EMEW-k7MJp20064aba633de257a719d5b696aa247b8-48B05AEB.6090504@msapiro.net> <57A410B1-046D-40E9-813F-B3D11A3927EB@ecs.soton.ac.uk> <EMEW-k7NNqF0e12fe7858d4e2d34c8f21da0ba54617-20080824223604.GA1076@msapiro> Message-ID: <48B3C2FD.2070806@ecs.soton.ac.uk> Just as a note for the list archive. I cannot reproduce the problem, it works okay for me and does not throw away the message body. 
Mark Sapiro wrote: > On Sun, Aug 24, 2008 at 04:44:01PM +0100, Julian Field wrote: > >> You shouldn't have left it that long! :-) >> Send them to me again, and I'll try to look at them this time. Sorry :-) >> >> -- >> Jules >> > > > OK. I've resent them. Thanks. > > /Mark > > > >> On 23 Aug 2008, at 19:46, Mark Sapiro <mark@msapiro.net> wrote: >> >> >>> On July 3, 2008, Julian Field wrote: >>> >>>> Mark Sapiro wrote: >>>> >>>>> Julian Field wrote:> >>>>> >>>>> >>>>>> Mark Sapiro wrote: >>>>>> >>>>>> >>>>>>>> MailScanner is scanning a message with an attached .zip archive >>>>>>>> which >>>>>>>> contains a number of .bat and .bat.bak files, other files and >>>>>>>> even >>>>>>>> another zip archive which contains a single .bat file. >>>>>>>> >>>>>>>> Mailscanner detects all the .bat and .bat.bak files in the zip >>>>>>>> files, >>>>>>>> sends a notice appropriately, and delivers the message with the >>>>>>>> attachment removed. All well and good. The problems are: >>>>>>>> >>>>>>>> 1) not only the original .zip is quarantined, but so also are the >>>>>>>> individual .bat, .bat.bak and .zip files extracted from the >>>>>>>> original >>>>>>>> .zip (other files in the .zip with OK names are not). This is >>>>>>>> not a >>>>>>>> major issue, but makes looking in the quarantine difficult as one >>>>>>>> doesn't know what files were separately attached and what files >>>>>>>> were >>>>>>>> just in the .zip. >>>>>>>> >>>>>>>> 2) The more serious issue is the original message body is also >>>>>>>> removed >>>>>>>> >>>>>>> >from the delivered message, and it is not stored anywhere. >>>>>>> >>>>>>> So, is there some misconfiguration on my part that is causing the >>>>>>> loss of the message body, or is this and the redundant files in >>>>>>> quarantine the expected behavior? >>>>>>> >>>>>>> >>>>>>> >>>>>> Number 2 is the one that interests me. Please can you send me a >>>>>> concrete example, preferably lifted straight out of a sendmail >>>>>> queue. 
>>>>>> >>>>>> >>>>> I use Postfix, not sendmail. >>>>> >>>>> Here's what I have: >>>>> >>>>> -The Postfix queue entry. >>>>> -The raw message received via bcc without passing through >>>>> MailScanner >>>>> -The {Filename?} message delivered to the recipient after >>>>> MailScanner >>>>> -The notice sent as a result of 'Send Notices = yes' >>>>> >>>>> Which of these would you like (and may I send it/them off list)? >>>>> >>>>> >>>> All of the above please. Send them zipped up to >>>> mailscanner@ecs.soton.ac.uk. >>>> >>> The files were sent on July 3 as requested. Has there been anything >>> discovered or done about this? >>> >>> -- >>> Mark Sapiro <mark@msapiro.net> The highway is for gamblers, >>> San Francisco Bay Area, California better use your sense - B. Dylan >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> >> > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From campbell at cnpapers.com Tue Aug 26 12:39:01 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Aug 26 12:39:31 2008 Subject: Help with a regexp In-Reply-To: <11C7B302EF6C334C9A7DDD638E09B661298E2E@103mx.businessmart.de> References: <48B2B22D.5050405@cnpapers.com> <11C7B302EF6C334C9A7DDD638E09B661298E2E@103mx.businessmart.de> Message-ID: <48B3EB55.4030604@cnpapers.com> Thanks Steve and Dominik. I'll try one and/or the other shortly. Steve Schramm, Dominik wrote: > Hi Steve, > > Steve Campbell wrote on Monday, August 25, 2008 3:23 PM: > > >> One of our domain names is cnpapers.com and another is cnpapers.net. >> The SA rule URI_CHINA_ADJ catches a lot of our mail, and although >> it is a relatively low scoring rule, it does contribute. >> >> The rule is defined as follows: >> >> /^(?:https?:\/\/)?.*\.cn.*/i >> > > The regex says: > > an optional protocol prefix ("http://" or "https://"), followed > by an arbitrary amount of arbitrary characters (which may be omitted > altogether), followed by ".cn", followed by an arbitrary amount of > arbitrary characters (which may be omitted altogether). So ".cn" is > the only obligatory character string and sufficient for the regex > to match; the scanner probably finds something like > mailhost.cnpapers.com in the headers or http://www.cnpapers.com > in the footer. > > What it should catch IMHO is: > > an optional protocol prefix ("http://" or "https://"), followed > by an arbitrary amount of arbitrary characters (which may be omitted > altogether), followed by ".cn", either followed by a slash or followed > by whitespace, followed by an arbitrary amount of arbitrary characters > (which may be omitted altogether). > > And that would translate back into a regex like this: > > /^(?:https?:\/\/)?.*\.cn(?:\/|\s).*/i > > However, I find the expression rather vague, even like this. It > should restrict the characters between the optional http(s) and > ".cn" to those allowed in domain names. 
> > Hope this helps, > Dominik > > From mark at msapiro.net Tue Aug 26 16:09:22 2008 From: mark at msapiro.net (Mark Sapiro) Date: Tue Aug 26 16:09:31 2008 Subject: DSNs from bigfoot.com are quarantined In-Reply-To: <g8v85n$ptj$1@ger.gmane.org> References: <48B05EA8.3000508@msapiro.net> <g8v85n$ptj$1@ger.gmane.org> Message-ID: <20080826150922.GA1532@msapiro> On Mon, Aug 25, 2008 at 02:28:22PM -0700, Scott Silva wrote: > <snip> > > > >If only the Content-Type: message/partial part were removed, it would > >still be possible for automated bounce recognition software to recognize > >the DSN. Is there some reason why the entire message needs to be removed > >and not just the message/partial part? > > > MailScanner breaks the message apart to scan it, but it only either sends > or doesn't send the original message. It doesn't re-assemble it with bits > and pieces. What if it assembled it wrong? What about signatures? > > If you tamper with a message, you broke it. One of us is not understanding the other. The message I'm talking about has multiple MIME parts, one of which has a (bogus) message/partial Content-Type:. I understand why MailScanner doesn't like the message/partial part. What I am asking is why does MailScanner quarantine the entire message instead of just the message/partial part. It clearly does this for other message parts it doesn't like such as attached files with 'bad' names. Thinking about this a bit more, perhaps the answer to my question is that MailScanner only removes just 'attachments' if there is a text/plain part in which to insert the Warning: This message has had one or more attachments removed Warning: <list of names> Warning: Please read ... lines. Or perhaps it only removes just 'attachments' if they have names. In any case, the answer is not that MailScanner makes no alterations to delivered messages. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From ssilva at sgvwater.com Tue Aug 26 16:48:00 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 26 16:48:23 2008 Subject: DSNs from bigfoot.com are quarantined In-Reply-To: <20080826150922.GA1532@msapiro> References: <48B05EA8.3000508@msapiro.net> <g8v85n$ptj$1@ger.gmane.org> <20080826150922.GA1532@msapiro> Message-ID: <g918jh$rq7$1@ger.gmane.org> on 8-26-2008 8:09 AM Mark Sapiro spake the following: > On Mon, Aug 25, 2008 at 02:28:22PM -0700, Scott Silva wrote: >> <snip> >>> If only the Content-Type: message/partial part were removed, it would >>> still be possible for automated bounce recognition software to recognize >>> the DSN. Is there some reason why the entire message needs to be removed >>> and not just the message/partial part? >>> >> MailScanner breaks the message apart to scan it, but it only either sends >> or doesn't send the original message. It doesn't re-assemble it with bits >> and pieces. What if it assembled it wrong? What about signatures? >> >> If you tamper with a message, you broke it. > > > One of us is not understanding the other. > > The message I'm talking about has multiple MIME parts, one of which has > a (bogus) message/partial Content-Type:. > > I understand why MailScanner doesn't like the message/partial part. > What I am asking is why does MailScanner quarantine the entire message > instead of just the message/partial part. It clearly does this for other > message parts it doesn't like such as attached files with 'bad' names. > > Thinking about this a bit more, perhaps the answer to my question is > that MailScanner only removes just 'attachments' if there is a text/plain > part in which to insert the > > Warning: This message has had one or more attachments removed > Warning: <list of names> > Warning: Please read ... > > lines. Or perhaps it only removes just 'attachments' if they have names. > > In any case, the answer is not that MailScanner makes no alterations to > delivered messages. 
> Doesn't mailscanner have a setting to allow partial messages? # Do you want to allow partial messages, which only contain a fraction of # the attachments, not the whole thing? There is absolutely no way to # scan these "partial messages" properly for viruses, as MailScanner never # sees all of the attachment at the same time. Enabling this option can # allow viruses through. You have been warned. # This can also be the filename of a ruleset so you can, for example, allow # them in outgoing mail but not in incoming mail. Allow Partial Messages = no Maybe you could lessen the problems by allowing only from that domain. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080826/7c459b1d/signature.bin From MailScanner at ecs.soton.ac.uk Tue Aug 26 17:07:07 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 26 17:07:26 2008 Subject: DSNs from bigfoot.com are quarantined In-Reply-To: <EMEW-k7PGHFb5f2ceb0e49d0b46a81ffc1129d9612a-20080826150922.GA1532@msapiro> References: <48B05EA8.3000508@msapiro.net> <g8v85n$ptj$1@ger.gmane.org> <EMEW-k7PGHFb5f2ceb0e49d0b46a81ffc1129d9612a-20080826150922.GA1532@msapiro> Message-ID: <48B42A2B.2060601@ecs.soton.ac.uk> Mark Sapiro wrote: > On Mon, Aug 25, 2008 at 02:28:22PM -0700, Scott Silva wrote: > >> <snip> >> >>> If only the Content-Type: message/partial part were removed, it would >>> still be possible for automated bounce recognition software to recognize >>> the DSN. Is there some reason why the entire message needs to be removed >>> and not just the message/partial part? >>> >>> >> MailScanner breaks the message apart to scan it, but it only either sends >> or doesn't send the original message. 
It doesn't re-assemble it with bits >> and pieces. What if it assembled it wrong? What about signatures? >> >> If you tamper with a message, you broke it. >> > > > One of us is not understanding the other. > > The message I'm talking about has multiple MIME parts, one of which has > a (bogus) message/partial Content-Type:. > > I understand why MailScanner doesn't like the message/partial part. > What I am asking is why does MailScanner quarantine the entire message > instead of just the message/partial part. It clearly does this for other > message parts it doesn't like such as attached files with 'bad' names. > > Thinking about this a bit more, perhaps the answer to my question is > that MailScanner only removes just 'attachments' if there is a text/plain > part in which to insert the > > Warning: This message has had one or more attachments removed > Warning: <list of names> > Warning: Please read ... > > lines. Or perhaps it only removes just 'attachments' if they have names. > It can remove message parts that don't have names, I do it for "external body" messages. I'll change the "partial message" logic and put out a new beta for you that does this. I have to beware that there may be more than one "partial message" section in a message. But it shouldn't be any great problem. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ajcartmell at fonant.com Tue Aug 26 17:13:00 2008 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Aug 26 17:13:08 2008 Subject: DSNs from bigfoot.com are quarantined In-Reply-To: <g918jh$rq7$1@ger.gmane.org> References: <48B05EA8.3000508@msapiro.net> <g8v85n$ptj$1@ger.gmane.org> <20080826150922.GA1532@msapiro> <g918jh$rq7$1@ger.gmane.org> Message-ID: <op.ugh4nycp53oa6f@ajc5.lan> > Doesn't mailscanner have a setting to allow partial messages? I think that's for a set of messages that, when re-assembled, contain the complete attachment. Used to be popular for sending very large files via e-mail. As opposed to single messages with odd MIME formatting. Anthony -- www.fonant.com - Quality web sites From ajcartmell at fonant.com Tue Aug 26 17:15:31 2008 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Aug 26 17:15:45 2008 Subject: DSNs from bigfoot.com are quarantined In-Reply-To: <op.ugh4nycp53oa6f@ajc5.lan> References: <48B05EA8.3000508@msapiro.net> <g8v85n$ptj$1@ger.gmane.org> <20080826150922.GA1532@msapiro> <g918jh$rq7$1@ger.gmane.org> <op.ugh4nycp53oa6f@ajc5.lan> Message-ID: <op.ugh4r5uk53oa6f@ajc5.lan> >> Doesn't mailscanner have a setting to allow partial messages? > > I think that's for a set of messages that, when re-assembled, contain > the complete attachment. Used to be popular for sending very large files > via e-mail. Sorry, on re-reading the original problem, and Julian's response, I think I mis-understood too... Anthony -- www.fonant.com - Quality web sites From j2 at mupp.net Tue Aug 26 17:28:53 2008 From: j2 at mupp.net (Jan Johansson) Date: Tue Aug 26 17:30:42 2008 Subject: Mailscanner (or rather clam AV) tagging some messages as "other infection". 
In-Reply-To: <48B30ED9.70805@ecs.soton.ac.uk> References: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local> <48B30ED9.70805@ecs.soton.ac.uk> Message-ID: <9CB5A76200029E439A44D2E52901D6A417438E@waldorf.Muppnet.local> >Can you get hold of a copy of the rejected message, even after its >attachment(s) have been replaced? This should tell you the cause of the >rejection. I have a few in my quarantine.. But I see NOTHING which would explain it.. And.. this is now with "virus scanners = none" in the config even... Here is one of them; X-Greylist: domain auto-whitelisted by SQLgrey-1.6.8 Received: from mailsrv01.kvalitetsfisk.se (static-62.95.45.155.addr.tdcsong.se [62.95.45.155]) by mx2 (Postfix) with ESMTP id 260931BAC006 for <stefan.kjellstrom@ekeby-ktv.net>; Tue, 26 Aug 2008 14:38:38 +0200 (CEST) Subject: E-post: Sommarblad v 26-32 2008.pdf Date: Thu, 10 Jul 2008 13:44:54 +0200 Message-ID: <EA9D0B46B77B3748B14B98E4BE050E4908BD29@kvalitetsfisk.com> X-MS-Has-Attach: yes MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C8E282.5F0ED793" X-MS-TNEF-Correlator: <EA9D0B46B77B3748B14B98E4BE050E4908BD29@kvalitetsfisk.com> Thread-Topic: E-post: Sommarblad v 26-32 2008.pdf Thread-Index: Acjigl7kOdeAkgpgS8CRjDwKqIYbFA== Content-class: urn:content-classes:message From: =?iso-8859-1?Q?Stefan_Kjellstr=F6m=28Kvalitetsfisk_AB=29?= <Stefan@kvalitetsfisk.se> X-MimeOLE: Produced By Microsoft Exchange V6.5 To: <stefan.kjellstrom@ekeby-ktv.net> This is a multi-part message in MIME format. ------_=_NextPart_001_01C8E282.5F0ED793 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable =20 Meddelandet kan nu skickas med f=F6ljande bifogade filer eller l=E4nkar: Sommarblad v 26-32 2008.pdf Obs! F=F6r att skydda mot datorvirus kan e-postprogram f=F6rhindra att = vissa sorters bifogade filer skickas eller tas emot. 
Kontrollera dina = inst=E4llningar f=F6r e-posts=E4kerhet om du vill veta hur bifogade = filer hanteras. ------_=_NextPart_001_01C8E282.5F0ED793 Content-Type: application/ms-tnef; name="winmail.dat" Content-Transfer-Encoding: base64 eJ8+IiMMAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEIgAcAGAAAAElQTS5N aWNy b3NvZnQgTWFpbC5Ob3RlADEIAQ2ABAACAAAAAgACAAELgAEAIQAAADIyMEFGNUQzRUY3OEY5 NDY5 NUUyRUI4RTE5QzY0NkE5AFoHAQSAAQAkAAAARS1wb3N0OiBTb21tYXJibGFkIHYgMjYtMzIg MjAw OC5wZGYAlgoBBYADAA4AAADYBwcACgANACwANgAEAGMBASCAAwAOAAAA2AcHAAsADQADADAA BQA2 AQEJgAEAIQAAADIyMEFGNUQzRUY3OEY5NDY5NUUyRUI4RTE5QzY0NkE5AFoHAQOQBgC0BgAA L [a lot of encoded data snipped out] ------_=_NextPart_001_01C8E282.5F0ED793-- -- Meddelandet har kontrollerats mot virus samt skadligt innehåll av MailScanner och förmodas vara säkert. From j2 at mupp.net Tue Aug 26 17:40:29 2008 From: j2 at mupp.net (Jan Johansson) Date: Tue Aug 26 17:42:03 2008 Subject: Mailscanner (or rather clam AV) tagging some messages as "other infection". References: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local> <48B30ED9.70805@ecs.soton.ac.uk> Message-ID: <9CB5A76200029E439A44D2E52901D6A417438F@waldorf.Muppnet.local> >I have a few in my quarantine.. But I see NOTHING which would explain it.. Belay that... So, would setting Deliver Unparsable TNEF = yes cure this problem (YES I know it is not MY problem, but the customer want these mails to go through. 
Aug 26 14:38:48 mx2 check[5521]: Expanding TNEF archive at /var/spool/MailScanner/incoming/5521/260931BAC006.67447/winmail.dat Aug 26 14:38:48 mx2 check[5521]: Corrupt TNEF winmail.dat that cannot be analysed in message 260931BAC006.67447 Aug 26 14:38:48 mx2 check[5521]: Saved entire message to /var/spool/MailScanner/quarantine/20080826/260931BAC006.67447 Aug 26 14:38:49 mx2 check[5521]: Requeue: 260931BAC006.67447 to 2F0741BAC007 Aug 26 14:38:49 mx2 check[5521]: Logging message 260931BAC006.67447 to SQL -- Meddelandet har kontrollerats mot virus samt skadligt innehåll av MailScanner och förmodas vara säkert. From ssilva at sgvwater.com Tue Aug 26 17:44:46 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 26 17:45:03 2008 Subject: Mailscanner (or rather clam AV) tagging some messages as "other infection". In-Reply-To: <9CB5A76200029E439A44D2E52901D6A417438E@waldorf.Muppnet.local> References: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local> <48B30ED9.70805@ecs.soton.ac.uk> <9CB5A76200029E439A44D2E52901D6A417438E@waldorf.Muppnet.local> Message-ID: <g91btv$8gn$1@ger.gmane.org> on 8-26-2008 9:28 AM Jan Johansson spake the following: >> Can you get hold of a copy of the rejected message, even after its >> attachment(s) have been replaced? This should tell you the cause of the > >> rejection. > > I have a few in my quarantine.. But I see NOTHING which would explain > it.. > > And.. this is now with "virus scanners = none" in the config even... > > > Here is one of them; > This is from the quarantine. What about the message passed on to the end user that has the headers and the replacement attachment intact? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080826/dde9f764/signature.bin From ssilva at sgvwater.com Tue Aug 26 17:50:53 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 26 17:51:12 2008 Subject: Mailscanner (or rather clam AV) tagging some messages as "other infection". In-Reply-To: <9CB5A76200029E439A44D2E52901D6A417438F@waldorf.Muppnet.local> References: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local> <48B30ED9.70805@ecs.soton.ac.uk> <9CB5A76200029E439A44D2E52901D6A417438F@waldorf.Muppnet.local> Message-ID: <g91c9e$8gn$2@ger.gmane.org> on 8-26-2008 9:40 AM Jan Johansson spake the following: >> I have a few in my quarantine.. But I see NOTHING which would explain > it.. > > Belay that... So, would setting Deliver Unparsable TNEF = yes cure this > problem (YES I know it is not MY problem, but the customer want these > mails to go through. > > Aug 26 14:38:48 mx2 check[5521]: Expanding TNEF archive at > /var/spool/MailScanner/incoming/5521/260931BAC006.67447/winmail.dat > Aug 26 14:38:48 mx2 check[5521]: Corrupt TNEF winmail.dat that cannot be > analysed in message 260931BAC006.67447 > Aug 26 14:38:48 mx2 check[5521]: Saved entire message to > /var/spool/MailScanner/quarantine/20080826/260931BAC006.67447 > Aug 26 14:38:49 mx2 check[5521]: Requeue: 260931BAC006.67447 to > 2F0741BAC007 > Aug 26 14:38:49 mx2 check[5521]: Logging message 260931BAC006.67447 to > SQL > It should. Shouldn't take too long to test it, especially if you have a quarantined sample. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080826/ef15e812/signature.bin From j2 at mupp.net Tue Aug 26 17:58:49 2008 From: j2 at mupp.net (Jan Johansson) Date: Tue Aug 26 18:00:26 2008 Subject: Mailscanner (or rather clam AV) tagging some messages as "other infection". In-Reply-To: <g91c9e$8gn$2@ger.gmane.org> References: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local> <48B30ED9.70805@ecs.soton.ac.uk><9CB5A76200029E439A44D2E52901D6A417438F@waldorf.Muppnet.local> <g91c9e$8gn$2@ger.gmane.org> Message-ID: <9CB5A76200029E439A44D2E52901D6A4174390@waldorf.Muppnet.local> >It should. Shouldn't take too long to test it, especially if you have a quarantined sample. Well, since I am using Mailwatch, anything released from Quarantine is automatically accepted. I will just have to ask the customer to "try again". WHY haven't I seen this before? *sigh* Thanks! -- Meddelandet har kontrollerats mot virus samt skadligt innehåll av MailScanner och förmodas vara säkert. From mark at msapiro.net Tue Aug 26 19:39:20 2008 From: mark at msapiro.net (Mark Sapiro) Date: Tue Aug 26 19:39:36 2008 Subject: Message body lost when zip file quarantined In-Reply-To: <48B3C2FD.2070806@ecs.soton.ac.uk> Message-ID: <PC1870200808261139200000c7430054@msapiro> Julian Field wrote: >Just as a note for the list archive. I cannot reproduce the problem, it >works okay for me and does not throw away the message body. Jules wrote to me off list, and it turns out he made a simplification in my unduly complicated example which coincidentally avoided the problem. I have replied to Jules off list, but here's a summary of my findings.
It turns out the problem can be triggered by a much simpler example. Sorry for not analysing this more thoroughly before the original report. Here's how you can duplicate the problem: 1) create file.bat (or any forbidden name?) 2) zip file.bat into file.zip 3) place file.zip in otherwise empty directory x 4) zip directory x into x.zip Now x.zip is a zip containing directory x which in turn contains file.zip which is a zip of a file with a forbidden name. Attach this file to a plain text message and send it through MailScanner, and the plain text part will be lost. >Mark Sapiro wrote: >> On Sun, Aug 24, 2008 at 04:44:01PM +0100, Julian Field wrote: >> >>> You shouldn't have left it that long! :-) >>> Send them to me again, and I'll try to look at them this time. Sorry :-) >>> >>> -- >>> Jules >>> >> >> >> OK. I've resent them. Thanks. >> >> /Mark >> >> >> >>> On 23 Aug 2008, at 19:46, Mark Sapiro <mark@msapiro.net> wrote: >>> >>> >>>> On July 3, 2008, Julian Field wrote: >>>> >>>>> Mark Sapiro wrote: >>>>> >>>>>> Julian Field wrote:> >>>>>> >>>>>> >>>>>>> Mark Sapiro wrote: >>>>>>> >>>>>>> >>>>>>>>> MailScanner is scanning a message with an attached .zip archive >>>>>>>>> which >>>>>>>>> contains a number of .bat and .bat.bak files, other files and >>>>>>>>> even >>>>>>>>> another zip archive which contains a single .bat file. >>>>>>>>> >>>>>>>>> Mailscanner detects all the .bat and .bat.bak files in the zip >>>>>>>>> files, >>>>>>>>> sends a notice appropriately, and delivers the message with the >>>>>>>>> attachment removed. All well and good. The problems are: >>>>>>>>> >>>>>>>>> 1) not only the original .zip is quarantined, but so also are the >>>>>>>>> individual .bat, .bat.bak and .zip files extracted from the >>>>>>>>> original >>>>>>>>> .zip (other files in the .zip with OK names are not). 
This is >>>>>>>>> not a >>>>>>>>> major issue, but makes looking in the quarantine difficult as one >>>>>>>>> doesn't know what files were separately attached and what files >>>>>>>>> were >>>>>>>>> just in the .zip. >>>>>>>>> >>>>>>>>> 2) The more serious issue is the original message body is also >>>>>>>>> removed >>>>>>>>> >>>>>>>> >from the delivered message, and it is not stored anywhere. >>>>>>>> >>>>>>>> So, is there some misconfiguration on my part that is causing the >>>>>>>> loss of the message body, or is this and the redundant files in >>>>>>>> quarantine the expected behavior? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Number 2 is the one that interests me. Please can you send me a >>>>>>> concrete example, preferably lifted straight out of a sendmail >>>>>>> queue. >>>>>>> >>>>>>> >>>>>> I use Postfix, not sendmail. >>>>>> >>>>>> Here's what I have: >>>>>> >>>>>> -The Postfix queue entry. >>>>>> -The raw message received via bcc without passing through >>>>>> MailScanner >>>>>> -The {Filename?} message delivered to the recipient after >>>>>> MailScanner >>>>>> -The notice sent as a result of 'Send Notices = yes' >>>>>> >>>>>> Which of these would you like (and may I send it/them off list)? >>>>>> >>>>>> >>>>> All of the above please. Send them zipped up to >>>>> mailscanner@ecs.soton.ac.uk. >>>>> >>>> The files were sent on July 3 as requested. Has there been anything >>>> discovered or done about this? >>>> >>>> -- >>>> Mark Sapiro <mark@msapiro.net> The highway is for gamblers, >>>> San Francisco Bay Area, California better use your sense - B. Dylan >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! 
>>>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >>> >>> >>> >> >> > >Jules > >-- >Julian Field MEng CITP CEng >www.MailScanner.info >Buy the MailScanner book at www.MailScanner.info/store > >Need help customising MailScanner? >Contact me! >Need help fixing or optimising your systems? >Contact me! >Need help getting you started solving new requirements from your boss? >Contact me! > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > -- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From J.Ede at birchenallhowden.co.uk Wed Aug 27 10:36:06 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Aug 27 10:37:31 2008 Subject: Mailscanner (or rather clam AV) tagging some messages as "other infection". In-Reply-To: <9CB5A76200029E439A44D2E52901D6A4174390@waldorf.Muppnet.local> References: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local> <48B30ED9.70805@ecs.soton.ac.uk><9CB5A76200029E439A44D2E52901D6A417438F@waldorf.Muppnet.local> <g91c9e$8gn$2@ger.gmane.org>, <9CB5A76200029E439A44D2E52901D6A4174390@waldorf.Muppnet.local> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDBC@server02.bhl.local> ________________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Johansson [j2@mupp.net] Sent: 26 August 2008 17:58 To: MailScanner discussion Subject: RE: Mailscanner (or rather clam AV) tagging some messages as "other infection". >It should. Shouldn't take too long to test it, especially if you have a quarantined sample. Well, since i am using Mailwatch, anything released from Qarantine is automatically accepted. 
I will just have to ask the customer to "try again". WHY haven't I seen this before? *sigh* Thanks! Does the customer in question have an Exchange 2007 server? We had some issues with TNEF when first moved to EX2007, but moving to the inbuilt TNEF expander seemed to solve the issue. Jason From mbneto at gmail.com Wed Aug 27 15:13:17 2008 From: mbneto at gmail.com (mbneto) Date: Wed Aug 27 15:13:28 2008 Subject: Restricting message size per recipient In-Reply-To: <48B0662E.4030301@vanderkooij.org> References: <5cf776b80808230532k4eaef8e0w66fb387e89f82f40@mail.gmail.com> <48B0662E.4030301@vanderkooij.org> Message-ID: <5cf776b80808270713h187dc12gb07274bbf1a47681@mail.gmail.com> Thanks. I'll try that. On Sat, Aug 23, 2008 at 3:34 PM, Hugo van der Kooij < hvdkooij@vanderkooij.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > mbneto wrote: > > > I'd like to limit the size of the message sent/received by users based > > on the email address of that user. I can do this at MTA level but for > > all users. > > > > Can I do this from MailScanner? I'd like to set the maximum in my MTA > > and lower that limit for the rest of users. > > Just create a ruleset to define limits you want to impose. > > Call it from MailScanner like this: > Maximum Message Size = %rules-dir%/max.message.size.rules > > Then define the limits per user as you see fit: > #To: *@domain1.com 10M > #To: *@domain2.com 20M > #From: user@domain3.com 5M > #From: *@domain3.com 500K > > > Hugo. > > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: > http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images.
> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFIsGYsBvzDRVjxmYERAii5AJ43UX+uljk8am2Ur6NBcFMCpI+wJwCguUFU > DRAFjRmKGNQHXmibFDFJZgA= > =PARA > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080827/4dc237a7/attachment.html From steve.swaney at fsl.com Wed Aug 27 15:47:04 2008 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Aug 27 15:47:16 2008 Subject: Restricting message size per recipient In-Reply-To: <5cf776b80808230532k4eaef8e0w66fb387e89f82f40@mail.gmail.com> References: <5cf776b80808230532k4eaef8e0w66fb387e89f82f40@mail.gmail.com> Message-ID: <48B568E8.1030206@fsl.com> mbneto wrote: > Hi, > > I'd like to limit the size of the message sent/received by users based > on the email address of that user. I can do this at MTA level but > for all users. > > Can I do this from MailScanner? I'd like to set the maximum in my MTA > and lower that limit for the rest of users. You can add a milter to sendmail to filter at the MTA level. Milter-Length: A utility milter that can reject mail according to different message size limits per IP, domain name, or sender address. Free source download available at http://www.snertsoft.com/sendmail/milter-length/ This feature is built into BarricadeMX which can reject mail before accepting the message according to different message size limits per IP, domain name, sender address plus any combination of From: and To: matches. This will work with any MTA. 
More information on BarricadeMX is available at www.fsl.com Best regards, Steve Steve Swaney steve@fsl.com www.fsl.com -------------- next part -------------- A non-text attachment was scrubbed... Name: steve_swaney.vcf Type: text/x-vcard Size: 305 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080827/f5e5d9c6/steve_swaney.vcf From glenn.steen at gmail.com Wed Aug 27 15:47:44 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 27 15:47:54 2008 Subject: New McAfee engine available In-Reply-To: <48B3182A.9080007@USherbrooke.ca> References: <48B3182A.9080007@USherbrooke.ca> Message-ID: <223f97700808270747x737d1e4fs3447df176d54fe7b@mail.gmail.com> 2008/8/25 Denis Beauchemin <Denis.Beauchemin@usherbrooke.ca>: > Hello all, > > I just installed engine 5.30 on my MS servers and everything is running > fine: >> >> uvscan --version >> Virus Scan for Linux v5.30.0 >> Copyright (c) 1992-2008 McAfee, Inc. All rights reserved. >> (408) 988-3832 LICENSED COPY - Jun 16 2008 >> >> Scan engine v5.3.00 for Linux. >> Virus data file v5369 created Aug 25 2008 >> Scanning for 450746 viruses, trojans and variants. > > Make sure that all dat files are links to the current ones in > /usr/local/uvscan (default location) : >> >> cd /usr/local/uvscan/ && ls -l *dat >> lrwxrwxrwx 1 root root 26 Aug 25 15:17 clean.dat -> >> datfiles/current/clean.dat* >> lrwxrwxrwx 1 root root 26 Apr 11 2007 extra.dat -> >> datfiles/current/extra.dat >> lrwxrwxrwx 1 root root 29 Apr 11 2007 internet.dat -> >> datfiles/current/internet.dat >> -r--r--r-- 1 root root 1056 Aug 25 15:17 license.dat >> -r--r--r-- 1 root root 40317 Aug 25 15:17 messages.dat >> lrwxrwxrwx 1 root root 26 Aug 25 15:17 names.dat -> >> datfiles/current/names.dat* >> lrwxrwxrwx 1 root root 25 Aug 25 15:18 scan.dat -> >> datfiles/current/scan.dat* > > Didn't have the time to look at what's changed... 
> > Denis > Since we're coming up to the "official release" now, this is timely:-). Changes... "Leaner, faster, better ..." .... Normal seel-speak:-):-). Seems to have a smaller memory footprint though. And is supposed to handle docx and more archive formats (or was that selfextracting formats...?). All in all a real easy upgrade. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Aug 27 15:53:38 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 27 15:53:48 2008 Subject: Most Cost Effective Antivirus Licensing? In-Reply-To: <FF689DC51C3C1640BE668A0E31182AD004DB0DA0@mail03.mira.co.uk> References: <AckEljDfNRb1/EpvQuGv6xCZ9YQ85A==> <FF689DC51C3C1640BE668A0E31182AD004DB0DA0@mail03.mira.co.uk> Message-ID: <223f97700808270753n2282845u358b8987944549be@mail.gmail.com> 2008/8/22 Paul Hutchings <paul.hutchings@mira.co.uk>: > I'm running Postfix + MailScanner with ClamAV. I'd like to get another > engine and I'd like to know if anyone has looked into what the most cost > effective product is in terms of obeying the licensing agreements? > > For example each vendor makes a linux "server protection" product which > is usually prices at flat rate and is cheaper than a "linux mail server > protection" product which is usually priced per mailbox - per mailbox > where, on the linux server, on an internal Exchange server behind a DMZ > MailScanner box.. if you see what I mean? > > Cheers, > Paul > Generally speaking... MailScanner most often use a command line scanner, so don't really need the "Mail-server" variants. Some seem to try "cover" that in their licenses though, so I suppose one need look very carefully at the wording (perhaps contact a lawyer, to help with that). My concern is usually more on the effectiveness of it, rather than at the cost... No matter how cheap it is, if it is cr*p... I *will* not use it:-). 
Do you perhaps have a site license for your windoze boxes? That might actually include all you need already:-). ... I get McAfee that way;). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Aug 27 16:05:25 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 27 16:05:35 2008 Subject: Infinite Loop In-Reply-To: <BAY133-W5354C107095474A373C2EABC650@phx.gbl> References: <BAY133-W544A07DCC859D843C398BCBC650@phx.gbl> <48AFF50E.9050800@vanderkooij.org> <BAY133-W23C7A9E01F07671096CC03BC650@phx.gbl> <BAY133-W5354C107095474A373C2EABC650@phx.gbl> Message-ID: <223f97700808270805w7b17af53t2e69859e20f52baa@mail.gmail.com> 2008/8/23 Caza Henha <cazahenha@hotmail.com>: (snip) > commit ineffective with AutoCommit enabled at > /etc/MailScanner/CustomFunctions/MailWatch.pm line 93, <CLIENT> line 30. > > but I think that is an entirely different issue. This is an informational message, due to MailWatch... MailWatch will do commit wherever needed, but you have autocommit on in your MySQL database... So the commits have already been done. The "error" does no harm. Just ignore it and move on to making the changes Jules suggests. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Aug 27 21:41:36 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 27 21:41:54 2008 Subject: DSNs from bigfoot.com are quarantined In-Reply-To: <EMEW-k7OMWxdb6053fc391f82ca346ee175c1ffbac5-g8v85n$ptj$1@ger.gmane.org> References: <48B05EA8.3000508@msapiro.net> <EMEW-k7OMWxdb6053fc391f82ca346ee175c1ffbac5-g8v85n$ptj$1@ger.gmane.org> Message-ID: <48B5BC00.3050408@ecs.soton.ac.uk> Scott Silva wrote: > <snip> >> >> If only the Content-Type: message/partial part were removed, it would >> still be possible for automated bounce recognition software to recognize >> the DSN.
Is there some reason why the entire message needs to be removed >> and not just the message/partial part? >> > MailScanner breaks the message apart to scan it, but it only either > sends or doesn't send the original message. It doesn't re-assemble it > with bits and pieces. What if it assembled it wrong? What about > signatures? > > If you tamper with a message, you broke it. > I am putting out a new beta as I type, with improved message/partial code in it. This should solve this problem with bigfoot.com DSNs. Please try this out and let me know how you get on. Thanks, Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From bfebrian.mailscanner at gedubrak.com Thu Aug 28 11:07:40 2008 From: bfebrian.mailscanner at gedubrak.com (Budi Febrianto) Date: Thu Aug 28 11:08:01 2008 Subject: Split Per Recipient - Sendmail Issue In-Reply-To: <48B311D1.8030509@ecs.soton.ac.uk> References: <EMEW-k7O2w835456eb9b69ed0e33c16f72e5ba9c0d1-00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au> <EMEW-k7OKuDae310a3365778725ec9c2164c2604908-48B30D75.4050003@ecs.soton.ac.uk> <48B311D1.8030509@ecs.soton.ac.uk> Message-ID: <48B678EC.5080102@gedubrak.com> Julian Field wrote: > > Sorry, scrub that. I think you are either missing the "\" from the end > of the previous line, or else the "\" is not the last character on the > previous line. There must be no spaces after it, it must be the last > character. It is trying to run "-C/etc/mail/sendmail-in.cf" as a > command, which of course is invalid. > > Jules > Is there any performance degradation with this split per recipients? 
I'm running mailscanner with 1GB ram and serves around 10000 emails /day. Thanks From telecaadmin at gmail.com Thu Aug 28 11:20:35 2008 From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Thu Aug 28 11:22:21 2008 Subject: Split Per Recipient - Sendmail Issue In-Reply-To: <48B678EC.5080102@gedubrak.com> References: <EMEW-k7O2w835456eb9b69ed0e33c16f72e5ba9c0d1-00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au> <EMEW-k7OKuDae310a3365778725ec9c2164c2604908-48B30D75.4050003@ecs.soton.ac.uk> <48B311D1.8030509@ecs.soton.ac.uk> <48B678EC.5080102@gedubrak.com> Message-ID: <48B67BF3.1060601@gmail.com> > Is there any performance degradation with this split per recipients? > I'm running mailscanner with 1GB ram and serves around 10000 emails /day. Theoretically. You will see more SMTP transactions because of the splitting; each multiple recipient split means an additional mail to be sent. But then again, what's a SMTP transaction in modern CPU days' terms... Cheers. From MailScanner at ecs.soton.ac.uk Thu Aug 28 11:28:09 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 28 11:28:26 2008 Subject: Split Per Recipient - Sendmail Issue In-Reply-To: <EMEW-k7RBGvc00832d2f37ec51d8a35dc8c32683740-48B678EC.5080102@gedubrak.com> References: <EMEW-k7O2w835456eb9b69ed0e33c16f72e5ba9c0d1-00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au> <EMEW-k7OKuDae310a3365778725ec9c2164c2604908-48B30D75.4050003@ecs.soton.ac.uk> <48B311D1.8030509@ecs.soton.ac.uk> <EMEW-k7RBGvc00832d2f37ec51d8a35dc8c32683740-48B678EC.5080102@gedubrak.com> Message-ID: <48B67DB9.8060207@ecs.soton.ac.uk> Budi Febrianto wrote: > Julian Field wrote: >> >> Sorry, scrub that. I think you are either missing the "\" from the >> end of the previous line, or else the "\" is not the last character >> on the previous line. There must be no spaces after it, it must be >> the last character. It is trying to run "-C/etc/mail/sendmail-in.cf" >> as a command, which of course is invalid. 
>> >> Jules >> > Is there any performance degradation with this split per recipients? The vast proportion of mail (I think) has only 1 recipient anyway, so you shouldn't notice much change in load. The SpamAssassin cache will help you a lot here, as messages that have been split will be identical and so the cache will have the answer for you. And the messages will tend to appear in the same batch, so the virus scanning overhead will be minimal too. > I'm running mailscanner with 1GB ram and serves around 10000 emails /day. > > Thanks > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ka at pacific.net Thu Aug 28 15:22:47 2008 From: ka at pacific.net (Ken A) Date: Thu Aug 28 15:22:57 2008 Subject: Split Per Recipient - Sendmail Issue In-Reply-To: <48B678EC.5080102@gedubrak.com> References: <EMEW-k7O2w835456eb9b69ed0e33c16f72e5ba9c0d1-00c401c90654$b04e97d0$10ebc770$@bates@summitinvestment.com.au> <EMEW-k7OKuDae310a3365778725ec9c2164c2604908-48B30D75.4050003@ecs.soton.ac.uk> <48B311D1.8030509@ecs.soton.ac.uk> <48B678EC.5080102@gedubrak.com> Message-ID: <48B6B4B7.4020507@pacific.net> Budi Febrianto wrote: > Julian Field wrote: >> >> Sorry, scrub that. I think you are either missing the "\" from the end >> of the previous line, or else the "\" is not the last character on the >> previous line. There must be no spaces after it, it must be the last >> character. It is trying to run "-C/etc/mail/sendmail-in.cf" as a >> command, which of course is invalid. >> >> Jules >> > Is there any performance degradation with this split per recipients? 
> I'm running mailscanner with 1GB ram and serves around 10000 emails /day. > > Thanks > > 10k/day should be no problem. You might want to look at "max recipients per message" and "bad rcpt throttle" in your incoming sendmail config to reduce chances of a DoS. Ken -- Ken Anderson Pacific.Net From ben.tisdall at photobox.com Thu Aug 28 15:32:39 2008 From: ben.tisdall at photobox.com (Ben Tisdall) Date: Thu Aug 28 15:33:20 2008 Subject: How to verify MS is using dccifd Message-ID: <48B6B707.2070805@photobox.com> Hi esteemed MailScanners, Subject says it all. I've followed the instructions kindly provided here: http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:dcc:dccifd_install dccifd is running but I don't see any debug lines relating to MS using dcc at all. I'm certain that either ddcproc or dccifd is being used, because if I disable it in spam.assassin.prefs.conf spam scans speed up dramatically, but I'm not sure which. Strace'ing the dccifd child produces this: bentis@newacorn:/etc/mail/spamassassin$ sudo strace -p 26991 Password: Process 26991 attached - interrupt to quit poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 (Note the same output is produced by our live MS box, but I didn't install that one). Please let me know if further info is required. Cheers! Ben. 
-- Ben Tisdall Linux Systems Administrator | www.photobox.com From MailScanner at ecs.soton.ac.uk Thu Aug 28 15:43:23 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 28 15:43:43 2008 Subject: How to verify MS is using dccifd In-Reply-To: <EMEW-k7RFcu76e7ed385966f80cf4c92e28412199ad-48B6B707.2070805@photobox.com> References: <EMEW-k7RFcu76e7ed385966f80cf4c92e28412199ad-48B6B707.2070805@photobox.com> Message-ID: <48B6B98B.1060609@ecs.soton.ac.uk> You will see if it is used in the output of MailScanner --debug --debug-sa That will mention dcc and whether it is using dccproc or dccifd. Ben Tisdall wrote: > Hi esteemed MailScanners, > > Subject says it all. > > I've followed the instructions kindly provided here: > > http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:dcc:dccifd_install > > dccifd is running but I don't see any debug lines relating to MS using > dcc at all. > > I'm certain that either ddcproc or dccifd is being used, because if I > disable it in spam.assassin.prefs.conf spam scans speed up dramatically, > but I'm not sure which. > > Strace'ing the dccifd child produces this: > > bentis@newacorn:/etc/mail/spamassassin$ sudo strace -p 26991 > Password: > Process 26991 attached - interrupt to quit > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > poll([{fd=3, events=POLLIN}], 1, 1000) = 0 > > (Note the same output is produced by our live MS box, but I didn't > install that one). > > Please let me know if further info is required. > > Cheers! > > Ben. 
> > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ben.tisdall at photobox.com Thu Aug 28 16:34:02 2008 From: ben.tisdall at photobox.com (Ben Tisdall) Date: Thu Aug 28 16:34:15 2008 Subject: How to verify if MS is using dccifd (re-send) Message-ID: <48B6C56A.2020407@photobox.com> Hi esteemed MailScanners, Subject says it all. I've followed the instructions kindly provided here: http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:dcc:dccifd_install dccifd is running but I don't see any debug lines relating to MS using dcc at all. I'm certain that either ddcproc or dccifd is being used, because if I disable it in spam.assassin.prefs.conf spam scans speed up dramatically, but I'm not sure which. Strace'ing the dccifd child produces this: bentis@newacorn:/etc/mail/spamassassin$ sudo strace -p 26991 Password: Process 26991 attached - interrupt to quit poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 poll([{fd=3, events=POLLIN}], 1, 1000) = 0 (Note the same output is produced by our live MS box, but I didn't install that one). Please let me know if further info is required. Cheers! Ben. 
-- Ben Tisdall Linux Systems Administrator | www.photobox.com From ssilva at sgvwater.com Thu Aug 28 16:46:24 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 28 16:46:50 2008 Subject: How to verify if MS is using dccifd (re-send) In-Reply-To: <48B6C56A.2020407@photobox.com> References: <48B6C56A.2020407@photobox.com> Message-ID: <g96h8g$7p8$1@ger.gmane.org> on 8-28-2008 8:34 AM Ben Tisdall spake the following: > Hi esteemed MailScanners, > > Subject says it all. > <snip> Julian already answered you. If you didn't receive it, you need to whitelist traffic from the list. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080828/4a2fffdb/signature.bin From kris.brinkman.ctr at ustranscom.mil Thu Aug 28 20:43:46 2008 From: kris.brinkman.ctr at ustranscom.mil (Brinkman, Kris CTR USTRANSCOM J6) Date: Thu Aug 28 20:44:20 2008 Subject: Office 2007 x files Message-ID: <DF7D4FC30FACF149862AEB12FB27CF45065CD5FA@USTCVEX14.hq.ds.transcom.mil> Does anyone know of a way to add some logic to filename checks. Recently we're seeing that an outside user can send an Office 2007 file to us and it is passed since we allow Office files. However, once the file is opened and saved by a Office 2003 user using the compatibility package it automatically creates an EMF file in the .pptx file. If the user then sends the file back out, mailscanner opens the file and finds the EMF file inside of it and blocks it. Is there a way to tell it to allow EMF if they are inside a .pptx file. The only other option I can come up with is to allow email from our domain to send EMF files using the filename.rules files. 
Thanks Kris -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4981 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080828/2ba82370/smime.bin From mikael at syska.dk Thu Aug 28 23:42:11 2008 From: mikael at syska.dk (Mikael Syska) Date: Thu Aug 28 23:42:21 2008 Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007 Message-ID: <6beca9db0808281542y47eeab46kdaa64a7f48eac3b1@mail.gmail.com> Hi, For some time I have been thinking about getting our Exchange servers that are placed in a different location than our MailScanner to add Watermark themselves and also to save a lot of traffic ... I came up with this solution, a Transport Agent for Exchange 2007. It can probably be converted to also include Exchange 2003, but that's out of my knowledge .... EventSinks ain't my cup of tea. If there are any problems with it, please contact me so we can solve the problem. Ideas for more are very welcome ... :-) Link and other info is available here: http://ifyoudo.net/post/2008/08/07/MailScannerWatermark-Plugin-For-Microsoft-Exchange-2007.aspx best regards Mikael Syska -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/89b76ac6/attachment.html From pmcewan at energywebnetwork.com Fri Aug 29 01:18:26 2008 From: pmcewan at energywebnetwork.com (Paul McEwan) Date: Fri Aug 29 01:18:38 2008 Subject: Moving Mailboxes Message-ID: <008f01c9096c$c1edb9b0$45c92d10$@com> I'm not really sure if this is the right place to post this, so I apologize in advance. Part of the problem is I'm not familiar enough with the inner workings of Linux. Anyway ... We are running out of space on /var/spool/mail, and I need to move individual mailboxes or all of them at some point to network storage.
I modified the .procmailrc file of a test user and can successfully receive email to the network device. The problem is that it's still looking in /var/spool/mail for the mailbox. I setup a symlink which worked for a bit, but then it got replaced with a BOGUS file. What's the correct way to do this? We're using MailScanner, ClamAV, SendMail and ProcMail on RHEL3 Thanks -- Paul -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at rtpty.com Fri Aug 29 01:47:19 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Aug 29 01:47:46 2008 Subject: Moving Mailboxes In-Reply-To: <008f01c9096c$c1edb9b0$45c92d10$@com> References: <008f01c9096c$c1edb9b0$45c92d10$@com> Message-ID: <43BB89B4-ADBE-4A9F-A399-98F497FC3A33@rtpty.com> The fact that it got replaced by a BOGUS file, I believe, is probably because of a permissions issue. One thing you can try is removing the procmail recipe and symlinking /whereveryourmailstoreis to another disk/partition with more space, for example. Sent from my iPhone On Aug 28, 2008, at 7:18 PM, "Paul McEwan" <pmcewan@energywebnetwork.com> wrote: > I'm not really sure if this is the right place to post this, so I > apologize > in advance. Part of the problem is I'm not familiar enough with the > inner > workings of Linux. Anyway ... > > We are running out of space on /var/spool/mail, and I need to move > individual mailboxes or all of them at some point to network > storage. I > modified the .procmailrc file of a test user and can successfully > receive > email to the network device. The problem is that it's still looking > in > /var/spool/mail for the mailbox. I setup a symlink which worked for > a bit, > but then it got replaced with a BOGUS file. What's the correct way > to do > this? 
> > We're using MailScanner, ClamAV, SendMail and ProcMail on RHEL3 > > Thanks > > -- Paul > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From hvdkooij at vanderkooij.org Fri Aug 29 06:32:03 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Aug 29 06:32:15 2008 Subject: Moving Mailboxes In-Reply-To: <008f01c9096c$c1edb9b0$45c92d10$@com> References: <008f01c9096c$c1edb9b0$45c92d10$@com> Message-ID: <48B789D3.70800@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul McEwan wrote: > I'm not really sure if this is the right place to post this, so I apologize > in advance. Part of the problem is I'm not familiar enough with the inner > workings of Linux. Anyway ... > > We are running out of space on /var/spool/mail, and I need to move > individual mailboxes or all of them at some point to network storage. I > modified the .procmailrc file of a test user and can successfully receive > email to the network device. The problem is that it's still looking in > /var/spool/mail for the mailbox. I setup a symlink which worked for a bit, > but then it got replaced with a BOGUS file. What's the correct way to do > this? Stop the MTA. Move the whole tree around. Then set a symlink on the tree itself. Not on the individual mailboxes. Restart the MTA once you are done. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIt4nRBvzDRVjxmYERAjU9AJ9lO2yZUsfgvkW+FypW4HeGanBAlgCcCTA9 MrqYw6edKMgO2PGsAZkhIUI= =Wzqq -----END PGP SIGNATURE----- From j2 at mupp.net Fri Aug 29 06:43:44 2008 From: j2 at mupp.net (Jan Johansson) Date: Fri Aug 29 06:45:56 2008 Subject: Mailscanner (or rather clam AV) tagging some messages as "otherinfection". In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDBC@server02.bhl.local> References: <EMEW-k7NMmVbd9744245923accffb93447f76f2b5aa-9CB5A76200029E439A44D2E52901D6A417438D@waldorf.Muppnet.local><48B30ED9.70805@ecs.soton.ac.uk><9CB5A76200029E439A44D2E52901D6A417438F@waldorf.Muppnet.local><g91c9e$8gn$2@ger.gmane.org>, <9CB5A76200029E439A44D2E52901D6A4174390@waldorf.Muppnet.local> <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDBC@server02.bhl.local> Message-ID: <9CB5A76200029E439A44D2E52901D6A4174396@waldorf.Muppnet.local> >Does the customer in question have an Exchange 2007 server? We had some issues with TNEF when first moved to EX2007, but moving to the inbuilt TNEF >expander seemed to solve the issue. Not sure, it is tagged as "Exchange V6.5". What does that correlate to? -- This message has been checked for viruses and harmful content by MailScanner and is believed to be safe. From hvdkooij at vanderkooij.org Fri Aug 29 07:19:53 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Aug 29 07:20:03 2008 Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading In-Reply-To: <48B29347.6000801@fsl.com> References: <PC1870200808242135190078d9acb021@msapiro> <48B247D3.6070602@vanderkooij.org> <48B29347.6000801@fsl.com> Message-ID: <48B79509.8040804@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Freegard wrote: > Hugo van der Kooij wrote: > >> It is safe to assume someone has been tampering with my message >> Identifiers. And I am entitled to block those as RFC violations.
>
> This is a bug, not a RFC violation; show me where in any of the e-mail
> RFCs it says that a Message-ID cannot be modified.

The RFC bit has been explained. But the problem is not yet resolved.

I think that the following header detection lines in postfix will spot and reject this specific RFC violation for me:

# RFC2822 violations
/^References:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>/ REJECT Your MessageID modifications of my MessageID violate RFC 2822 section 3.6.4
/^In-Reply-To:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>/ REJECT Your MessageID modifications of my MessageID violate RFC 2822 section 3.6.4

As I can not judge what MessageID someone else is sending I know that this format will be invalid for any message sent by my mailserver so those I can spot and reject as RFC violations.

Preferably I would like to detect all modifications so other programmers falling into the same pit will be detected. But that requires a bit more studying. (I might add it to the custom SPAM scanner I was thinking of ;-)

The only person to send out these modified MessageID's is Jules as far as I have seen them. And his replies consistently show up in the wrong place in anything but the most simple thread in thunderbird.

I am sorry but in this regard I expect a programmer of email related software to be specifically aware of the RFC. Most certainly after being pointed to the current deviation.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIt5UHBvzDRVjxmYERAm7BAKCqv30ZQn44SDSpYeeNmz6AFit4nQCeJUL7 CK+Cjbs3Tb5Vqd0T3AAA21w= =JQca -----END PGP SIGNATURE----- From andrew at gdcon.net Fri Aug 29 10:20:58 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Fri Aug 29 10:11:49 2008 Subject: Moving Mailboxes In-Reply-To: <43BB89B4-ADBE-4A9F-A399-98F497FC3A33@rtpty.com> References: <008f01c9096c$c1edb9b0$45c92d10$@com> <43BB89B4-ADBE-4A9F-A399-98F497FC3A33@rtpty.com> Message-ID: <007a86988194e93952a2b34cc0f663a1.squirrel@wm.gdcon.net> On Fri, August 29, 2008 1:47 am, Alex Neuman van der Hans wrote: > > Sent from my iPhone > I'm sorry... -- This message was scanned by ESVA and is believed to be clean. From jonas at vrt.dk Fri Aug 29 10:12:43 2008 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Fri Aug 29 10:13:05 2008 Subject: Possible issue with new MailScanner versions Message-ID: <003c01c909b7$653d2160$2fb76420$@dk> Hi List Ive recently upgraded to the newest version of MailScanner. When running a debug on a batch I get some new lines of output ive not seen before. I would like to know if this is normal, and what they mean. Here is my debug output: scanner0:/opt/MailScanner/bin# ./MailScanner --debug In Debugging mode, not forking... Trying to setlogsock(unix) SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Building a message batch to scan... Have a batch of 14 messages. pid==0 PipeReturn==0 Results of HTML::Parser are pid==0 PipeReturn==0 Results of HTML::Parser are DisarmDoneSomething web bug pid==0 PipeReturn==0 Results of HTML::Parser are web bug commit ineffective with AutoCommit enabled at /opt/MailScanner/lib/MailScanner/CustomFunctions/MailWatch.pm line 95, <CLIENT> line 597. Commmit ineffective while AutoCommit is on at /opt/MailScanner/lib/MailScanner/CustomFunctions/MailWatch.pm line 95, <CLIENT> line 597. Stopping now as you are debugging me. 
It's the following lines im curious about: pid==0 PipeReturn==0 Results of HTML::Parser are I know there have been HTML::Parser changes done by Julian recently, so is this a result of that? Maybe just some test debug that wasn't removed? I run MailScanner version MailScanner-4.71.7-1. Hope everyone have had a great summer J -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/0393b1cf/attachment.html From MailScanner at ecs.soton.ac.uk Fri Aug 29 10:27:53 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 29 10:28:10 2008 Subject: Office 2007 x files In-Reply-To: <EMEW-k7RKqx8dc2a51ae040c04de93e6920ad12ec57-DF7D4FC30FACF149862AEB12FB27CF45065CD5FA@USTCVEX14.hq.ds.transcom.mil> References: <EMEW-k7RKqx8dc2a51ae040c04de93e6920ad12ec57-DF7D4FC30FACF149862AEB12FB27CF45065CD5FA@USTCVEX14.hq.ds.transcom.mil> Message-ID: <48B7C119.7040509@ecs.soton.ac.uk> You cannot allow filenames *only* if they are in an archive. That wouldn't add any protection as anyone malicious would just put their nasty *.emf files in an archive before sending them to you. You just need to add \.emf$ files in filename.rules.conf. Brinkman, Kris CTR USTRANSCOM J6 wrote: > Does anyone know of a way to add some logic to filename checks. Recently > we're seeing that an outside user can send an Office 2007 file to us and it > is passed since we allow Office files. However, once the file is opened and > saved by a Office 2003 user using the compatibility package it automatically > creates an EMF file in the .pptx file. If the user then sends the file back > out, mailscanner opens the file and finds the EMF file inside of it and > blocks it. Is there a way to tell it to allow EMF if they are inside a > .pptx file. The only other option I can come up with is to allow email from > our domain to send EMF files using the filename.rules files. 
> > Thanks > Kris > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Aug 29 10:38:31 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 29 10:38:53 2008 Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007 In-Reply-To: <EMEW-k7RNn19f2125933e41d8b8c5d77c4ba6cea9a9-6beca9db0808281542y47eeab46kdaa64a7f48eac3b1@mail.gmail.com> References: <EMEW-k7RNn19f2125933e41d8b8c5d77c4ba6cea9a9-6beca9db0808281542y47eeab46kdaa64a7f48eac3b1@mail.gmail.com> Message-ID: <48B7C397.5010508@ecs.soton.ac.uk> Can you add this to the Wiki please? It looks really useful to know. Mikael Syska wrote: > Hi, > > For some time I have been thinking about getting our Exchange servers > that are placed in diffenrent location than our MailScanner to add > Watermark themselvf and also to save alot of traffic ... I come up > with this solution, a Transport Agent for Exhcange 2007. It can > probebly to converted to also include Exchange 2003, but thats out of > my knowledge .... EventSinks aint my cup of tea. > > If there are any problems with it, please contact me so we can solve > the problem. > > Ideas for more are very welcome ... :-) > > Link and other info is available here: > http://ifyoudo.net/post/2008/08/07/MailScannerWatermark-Plugin-For-Microsoft-Exchange-2007.aspx > > best regards > Mikael Syska Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? 
Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jonas at vrt.dk Fri Aug 29 10:58:36 2008 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Fri Aug 29 10:58:55 2008 Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007 In-Reply-To: <48B7C397.5010508@ecs.soton.ac.uk> References: <EMEW-k7RNn19f2125933e41d8b8c5d77c4ba6cea9a9-6beca9db0808281542y47eeab46kdaa64a7f48eac3b1@mail.gmail.com> <48B7C397.5010508@ecs.soton.ac.uk> Message-ID: <004401c909bd$ce4b2570$6ae17050$@dk> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 29. august 2008 11:39 To: MailScanner discussion Subject: Re: MailScanner Watermark Plugin For Microsoft Exchange 2007 Can you add this to the Wiki please? It looks really useful to know. Mikael Syska wrote: > Hi, > > For some time I have been thinking about getting our Exchange servers > that are placed in diffenrent location than our MailScanner to add > Watermark themselvf and also to save alot of traffic ... I come up > with this solution, a Transport Agent for Exhcange 2007. It can > probebly to converted to also include Exchange 2003, but thats out of > my knowledge .... EventSinks aint my cup of tea. > > If there are any problems with it, please contact me so we can solve > the problem. > > Ideas for more are very welcome ... :-) > > Link and other info is available here: > http://ifyoudo.net/post/2008/08/07/MailScannerWatermark-Plugin-For-Microsoft -Exchange-2007.aspx > > best regards > Mikael Syska I helped Mikael test the code a little bit, and I can confirm that it works. 
As talked about several weeks ago this is super useful for all those of us who suffer from backscatter but for one reason or another can't or won't send all our outgoing mail via a MailScanner relay. So kudos to Mikael for coding this sweet addon for exchange :) I can only hope it inspires somebody to implement the equivalent functions as an exchange 2003 event sink. Best regards Jonas Larsen From indunil75 at gmail.com Fri Aug 29 11:30:28 2008 From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Fri Aug 29 11:30:37 2008 Subject: MailScanner error Message-ID: <7ed6b0aa0808290330q5f1f4260mc784f222ffb2053b@mail.gmail.com> [root@osthub ~]# /etc/init.d/MailScanner start Hi, I recently updated to CentOS 4.6 from CentOS 4.4 with yum update my postfix mail server. Then, I get this error message, while starting. I expect your ideas to solve this ISSUE. Starting MailScanner daemons: incoming postfix: [ OK ] outgoing postfix: [ OK ] MailScanner: Variable "$FIELD_NAME" is not imported at /usr/lib/MailScanner/MailScanner/Message.pm line 6895. Variable "$FIELD_NAME" is not imported at /usr/lib/MailScanner/MailScanner/Message.pm line 6898. Global symbol "$FIELD_NAME" requires explicit package name at /usr/lib/MailScanner/MailScanner/Message.pm line 6895. Global symbol "$FIELD_NAME" requires explicit package name at /usr/lib/MailScanner/MailScanner/Message.pm line 6898. Compilation failed in require at /usr/sbin/MailScanner line 79. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 79.
[ OK ] -- Thank you Indunil Jayasooriya From MailScanner at ecs.soton.ac.uk Fri Aug 29 11:41:26 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 29 11:41:47 2008 Subject: Possible issue with new MailScanner versions In-Reply-To: <EMEW-k7SAUM8128433d714814ba2077f3001e125d1f-003c01c909b7$653d2160$2fb76420$@dk> References: <EMEW-k7SAUM8128433d714814ba2077f3001e125d1f-003c01c909b7$653d2160$2fb76420$@dk> Message-ID: <48B7D256.9050505@ecs.soton.ac.uk> This is just some debug code I left in the beta, I have just commented it out for you so it won't be in the next release. Jonas Akrouh Larsen wrote: > > Hi List > > I've recently upgraded to the newest version of MailScanner. > > When running a debug on a batch I get some new lines of output I've not > seen before. > > I would like to know if this is normal, and what they mean. > > Here is my debug output: > > scanner0:/opt/MailScanner/bin# ./MailScanner --debug > > In Debugging mode, not forking... > > Trying to setlogsock(unix) > > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > > Building a message batch to scan... > > Have a batch of 14 messages. > > pid==0 > > PipeReturn==0 > > Results of HTML::Parser are > > pid==0 > > PipeReturn==0 > > Results of HTML::Parser are > > DisarmDoneSomething web bug > > pid==0 > > PipeReturn==0 > > Results of HTML::Parser are web bug > > commit ineffective with AutoCommit enabled at > /opt/MailScanner/lib/MailScanner/CustomFunctions/MailWatch.pm line 95, > <CLIENT> line 597. > > Commmit ineffective while AutoCommit is on at > /opt/MailScanner/lib/MailScanner/CustomFunctions/MailWatch.pm line 95, > <CLIENT> line 597. > > Stopping now as you are debugging me. > > It's the following lines I'm curious about: > > pid==0 > > PipeReturn==0 > > Results of HTML::Parser are > > I know there have been HTML::Parser changes done by Julian recently, > so is this a result of that? Maybe just some test debug that wasn't > removed?
> > I run MailScanner version MailScanner-4.71.7-1. > > Hope everyone have had a great summer J > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ben.tisdall at photobox.com Fri Aug 29 11:58:40 2008 From: ben.tisdall at photobox.com (Ben Tisdall) Date: Fri Aug 29 11:58:55 2008 Subject: How to verify if MS is using dccifd (re-send) In-Reply-To: <g96h8g$7p8$1@ger.gmane.org> References: <48B6C56A.2020407@photobox.com> <g96h8g$7p8$1@ger.gmane.org> Message-ID: <48B7D660.5070904@photobox.com> Scott Silva wrote: > on 8-28-2008 8:34 AM Ben Tisdall spake the following: >> Hi esteemed MailScanners, >> >> Subject says it all. >> > <snip> > > Julian already answered you. If you didn't receive it, you need to > whitelist traffic from the list. > Many apologies all, in general mail from the list was getting through, but Julien's reply had been quarantined. Many thanks for your your ever-prompt response Julian! Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com Google Talk: ben.tisdall@gmail.com | skype: btisdall +44 (0)20 8453 6161 From alex at rtpty.com Fri Aug 29 12:07:22 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Aug 29 12:07:43 2008 Subject: Moving Mailboxes In-Reply-To: <007a86988194e93952a2b34cc0f663a1.squirrel@wm.gdcon.net> References: <008f01c9096c$c1edb9b0$45c92d10$@com> <43BB89B4-ADBE-4A9F-A399-98F497FC3A33@rtpty.com> <007a86988194e93952a2b34cc0f663a1.squirrel@wm.gdcon.net> Message-ID: <4B61978F-5177-4A27-81FF-C5468D20CBF9@rtpty.com> Why? 
Sent from my iPhone On Aug 29, 2008, at 4:20 AM, "Andrew MacLachlan" <andrew@gdcon.net> wrote: > On Fri, August 29, 2008 1:47 am, Alex Neuman van der Hans wrote: > >> >> Sent from my iPhone >> > > I'm sorry... > > > -- > This message was scanned by ESVA and is believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From jonas at vrt.dk Fri Aug 29 12:15:52 2008 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Fri Aug 29 12:16:16 2008 Subject: Possible issue with new MailScanner versions In-Reply-To: <48B7D256.9050505@ecs.soton.ac.uk> References: <EMEW-k7SAUM8128433d714814ba2077f3001e125d1f-003c01c909b7$653d2160$2fb76420$@dk> <48B7D256.9050505@ecs.soton.ac.uk> Message-ID: <004b01c909c8$993cd620$cbb68260$@dk> Thanks alot Julian. Stellar support as always :) -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 29. august 2008 12:41 To: MailScanner discussion Subject: Re: Possible issue with new MailScanner versions This is just some debug code I left in the beta, I have just commented it out for you so it won't be in the next release. Jonas Akrouh Larsen wrote: > > Hi List > > Ive recently upgraded to the newest version of MailScanner. > > When running a debug on a batch I get some new lines of output ive not > seen before. > > I would like to know if this is normal, and what they mean. > > Here is my debug output: > > scanner0:/opt/MailScanner/bin# ./MailScanner --debug > > In Debugging mode, not forking... > > Trying to setlogsock(unix) > > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > > Building a message batch to scan... > > Have a batch of 14 messages. 
> > pid==0 > > PipeReturn==0 > > Results of HTML::Parser are > > pid==0 > > PipeReturn==0 > > Results of HTML::Parser are > > DisarmDoneSomething web bug > > pid==0 > > PipeReturn==0 > > Results of HTML::Parser are web bug > > commit ineffective with AutoCommit enabled at > /opt/MailScanner/lib/MailScanner/CustomFunctions/MailWatch.pm line 95, > <CLIENT> line 597. > > Commmit ineffective while AutoCommit is on at > /opt/MailScanner/lib/MailScanner/CustomFunctions/MailWatch.pm line 95, > <CLIENT> line 597. > > Stopping now as you are debugging me. > > It's the following lines im curious about: > > pid==0 > > PipeReturn==0 > > Results of HTML::Parser are > > I know there have been HTML::Parser changes done by Julian recently, > so is this a result of that? Maybe just some test debug that wasn't > removed? > > I run MailScanner version MailScanner-4.71.7-1. > > Hope everyone have had a great summer J > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
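An added example, not part of any list message: the two Postfix header checks Hugo van der Kooij posted in the EMEW thread earlier in this archive, expressed as a Python function and run over constructed headers. It assumes Postfix's defaults of case-insensitive matching on one logical (unfolded) header at a time; the function names and the sample headers are hypothetical.

```python
import re

# Constructed sample headers, not real traffic. The References value is
# folded over two lines, as it usually is in a long thread.
SAMPLE = (
    "From: someone@example.net\n"
    "References: <48B247D3.6070602@vanderkooij.org>\n"
    " <EMEW-k7Rabc123-48B789D3.70800@vanderkooij.org>\n"
    "In-Reply-To: <48B29347.6000801@example.net>\n"
    "Subject: constructed test message\n"
)


def logical_headers(raw):
    """Join folded continuation lines so each header is matched as one string."""
    headers = []
    for line in raw.splitlines():
        if not line:
            break  # a blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def build_check(domain):
    """Compile the posted patterns for one local domain.

    Two deliberate differences from the post: both rules are merged into one
    alternation, and the dots in the domain are escaped (the post leaves them
    as wildcards).
    """
    pattern = (r"^(References|In-Reply-To):.*"
               r"(<EMEW-[\-.0-9A-Za-z]*@" + re.escape(domain) + r">)")
    # Assumption: IGNORECASE and DOTALL mimic the Postfix table defaults.
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def rejected(raw, domain):
    """Return (header name, offending Message-ID) for each header that trips the check."""
    check = build_check(domain)
    hits = []
    for header in logical_headers(raw):
        match = check.search(header)
        if match:
            hits.append((match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for name, msgid in rejected(SAMPLE, "vanderkooij.org"):
        print("REJECT %s carries rewritten Message-ID %s" % (name, msgid))
```

Only a rewritten identifier on the checked domain trips the rule, which matches the reasoning in the post: a site can only judge the format of Message-IDs it generated itself.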
From ben.tisdall at photobox.com Fri Aug 29 12:20:56 2008 From: ben.tisdall at photobox.com (Ben Tisdall) Date: Fri Aug 29 12:21:13 2008 Subject: Probably OT: performance hit from razor2 Message-ID: <48B7DB98.2090601@photobox.com> Hi all, running some tests with scan speed logging enabled, I'm seeing a much bigger overhead with razor2 compared to Pyzor & dcc, just wondered whether it was typical? Here are the results from my simple test of firing batches of 100 mails at the server & averaging the "Spam checks completed in ..." values for each batch. without razor2/dcc/pyzor: 4470 bytes/sec razor2 only: 1500 bytes/sec dcc only: 3300 bytes/sec pyzor only: 3050 bytes/sec Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From roland at inbox4u.de Fri Aug 29 12:48:29 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Fri Aug 29 12:49:17 2008 Subject: AW: MailScanner error In-Reply-To: <7ed6b0aa0808290330q5f1f4260mc784f222ffb2053b@mail.gmail.com> References: <7ed6b0aa0808290330q5f1f4260mc784f222ffb2053b@mail.gmail.com> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BEC@TS-DC2.ts-webarts.local> Hi, this is probably happening due to the fact that perl was updated too. Please reinstall MailScanner to solve the issue. Regards, Roland > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Indunil Jayasooriya > Sent: Friday, 29 August 2008 12:30 > To: MailScanner discussion > Subject: MailScanner error > > [root@osthub ~]# /etc/init.d/MailScanner start > Hi, > > I recently updated to CentOS 4.6 from CentOS 4.4 with yum update my > postfix mail server. > > Then, I get this error message, while starting. > > I expect your ideas to solve this ISSUE.
> > Starting MailScanner daemons: > incoming postfix: [ OK ] > outgoing postfix: [ OK ] > MailScanner: Variable "$FIELD_NAME" is not imported at > /usr/lib/MailScanner/MailScanner/Message.pm line 6895. > Variable "$FIELD_NAME" is not imported at > /usr/lib/MailScanner/MailScanner/Message.pm line 6898. > Global symbol "$FIELD_NAME" requires explicit package name at > /usr/lib/MailScanner/MailScanner/Message.pm line 6895. > Global symbol "$FIELD_NAME" requires explicit package name at > /usr/lib/MailScanner/MailScanner/Message.pm line 6898. > Compilation failed in require at /usr/sbin/MailScanner line 79. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 79. > [ OK ] > > > > -- > Thank you > Indunil Jayasooriya > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Fri Aug 29 12:54:15 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 29 12:54:24 2008 Subject: Moving Mailboxes In-Reply-To: <4B61978F-5177-4A27-81FF-C5468D20CBF9@rtpty.com> References: <008f01c9096c$c1edb9b0$45c92d10$@com> <43BB89B4-ADBE-4A9F-A399-98F497FC3A33@rtpty.com> <007a86988194e93952a2b34cc0f663a1.squirrel@wm.gdcon.net> <4B61978F-5177-4A27-81FF-C5468D20CBF9@rtpty.com> Message-ID: <223f97700808290454t3f475b36q1f38e06561dc276@mail.gmail.com> 2008/8/29 Alex Neuman van der Hans <alex@rtpty.com> > Why? > > Sent from my iPhone > > > On Aug 29, 2008, at 4:20 AM, "Andrew MacLachlan" <andrew@gdcon.net> wrote: > > On Fri, August 29, 2008 1:47 am, Alex Neuman van der Hans wrote: >> >> >>> Sent from my iPhone >>> >>> >> I'm sorry... 
>> >> Envy-turned-gloating perhaps?:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/aab9b660/attachment.html From roland at inbox4u.de Fri Aug 29 12:55:02 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Fri Aug 29 12:56:23 2008 Subject: AW: Probably OT: performance hit from razor2 In-Reply-To: <48B7DB98.2090601@photobox.com> References: <48B7DB98.2090601@photobox.com> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BED@TS-DC2.ts-webarts.local> Hi Ben, do you run dcc locally? The checks with razor, pyzor and dcc are dependent on how fast the answer is returned. This may vary due to the load of the servers. To have a real feeling of the overhead produced by the checks, you should repeat your test several times at different hours and on different weekdays. Regards, Roland > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Ben Tisdall > Sent: Friday, 29 August 2008 13:21 > To: MailScanner discussion > Subject: Probably OT: performance hit from razor2 > > Hi all, > > running some tests with scan speed logging enabled, I'm seeing a much > bigger overhead with razor2 compared to Pyzor & dcc, just wondered > whether it was typical? > > Here are the results from my simple test of firing batches of 100 mails > at the server & averaging the "Spam checks completed in ..." values for > each batch. > > without razor2/dcc/pyzor: 4470 bytes/sec > > razor2 only: 1500 bytes/sec > > dcc only: 3300 bytes/sec > > pyzor only: 3050 bytes/sec > > Best regards, > > Ben.
> > -- > Ben Tisdall > Linux Systems Administrator | www.photobox.com > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ben.tisdall at photobox.com Fri Aug 29 13:03:21 2008 From: ben.tisdall at photobox.com (Ben Tisdall) Date: Fri Aug 29 13:03:43 2008 Subject: --debug output doesn't reflect "use_razor2 0"? Message-ID: <48B7E589.4010104@photobox.com> Just running some more tests with use_razor2 0 & notice that there's no notification in the debug output that it's disabled, ie: 12:51:21 [8181] dbg: razor2: razor2 is available, version 2.84 (though clearly it is disabled from the absence of entries in razor-agent.log) Whereas: 12:58:37 [8287] dbg: pyzor: use_pyzor option not enabled, disabling Pyzor 12:58:37 [8287] dbg: dcc: dccifd is not available: use_dcc is set to 0 This is CentOS release 5.2 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.70.7 Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From alex at rtpty.com Fri Aug 29 13:21:24 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Aug 29 13:21:54 2008 Subject: Moving Mailboxes In-Reply-To: <223f97700808290454t3f475b36q1f38e06561dc276@mail.gmail.com> References: <008f01c9096c$c1edb9b0$45c92d10$@com> <43BB89B4-ADBE-4A9F-A399-98F497FC3A33@rtpty.com> <007a86988194e93952a2b34cc0f663a1.squirrel@wm.gdcon.net> <4B61978F-5177-4A27-81FF-C5468D20CBF9@rtpty.com> <223f97700808290454t3f475b36q1f38e06561dc276@mail.gmail.com> Message-ID: <A31189E0-6B5C-46AD-8EF6-9332890A1CBA@rtpty.com> Hahaha... Sent from my iPhone On Aug 29, 2008, at 6:54 AM, "Glenn Steen" <glenn.steen@gmail.com> wrote: > > > 2008/8/29 Alex Neuman van der Hans <alex@rtpty.com> > Why? 
> > Sent from my iPhone > > > On Aug 29, 2008, at 4:20 AM, "Andrew MacLachlan" <andrew@gdcon.net> > wrote: > > On Fri, August 29, 2008 1:47 am, Alex Neuman van der Hans wrote: > > > Sent from my iPhone > > > I'm sorry... > > > Envy-turned-gloating perhaps?:-) > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/6473ee97/attachment.html From alex at rtpty.com Fri Aug 29 13:27:45 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Aug 29 13:28:38 2008 Subject: AW: Probably OT: performance hit from razor2 In-Reply-To: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BED@TS-DC2.ts-webarts.local> References: <48B7DB98.2090601@photobox.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BED@TS-DC2.ts-webarts.local> Message-ID: <989F1BEA-D734-4012-95B5-560E9D8E40E8@rtpty.com> Since some lookups have to be resolved, DNS is also an issue, if only a little bit. Do you run a caching nameserver? Sent from my iPhone On Aug 29, 2008, at 6:55 AM, "Ehle, Roland" <roland@inbox4u.de> wrote: > Hi Ben, > > do you run dcc locally? The checks with razor, pyzor and dcc are > dependent on how fast the answer is returned. This may vary due to > the load of the servers. > > To have a real feeling of the overhead produced by the checks, you > should repeat your test several times at different hours and on > different weekdays.
> > Regards, > Roland > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Ben Tisdall >> Sent: Friday, 29 August 2008 13:21 >> To: MailScanner discussion >> Subject: Probably OT: performance hit from razor2 >> >> Hi all, >> >> running some tests with scan speed logging enabled, I'm seeing a much >> bigger overhead with razor2 compared to Pyzor & dcc, just wondered >> whether it was typical? >> >> Here are the results from my simple test of firing batches of 100 >> mails >> at the server & averaging the "Spam checks completed in ..." values >> for >> each batch. >> >> without razor2/dcc/pyzor: 4470 bytes/sec >> >> razor2 only: 1500 bytes/sec >> >> dcc only: 3300 bytes/sec >> >> pyzor only: 3050 bytes/sec >> >> Best regards, >> >> Ben. >> >> -- >> Ben Tisdall >> Linux Systems Administrator | www.photobox.com >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From rjette at mestek.com Fri Aug 29 14:29:23 2008 From: rjette at mestek.com (Raymond Jette) Date: Fri Aug 29 14:29:33 2008 Subject: sa-learn with an Exchange server Message-ID: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com> Good morning, What is the best way to do an sa-learn with an Exchange server? I have a spam mailbox where users have been forwarding spam. The problem is that they forwarded the mail so the message headers have changed.
Is there a way to remove local headers from my mail systems or will I have to do this by hand? Thanks for the help, Ray -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/49e6463c/attachment.html From rjette at mestek.com Fri Aug 29 14:40:11 2008 From: rjette at mestek.com (Raymond Jette) Date: Fri Aug 29 14:40:21 2008 Subject: sa-learn with an Exchange server In-Reply-To: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com> References: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com> Message-ID: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D27@mtsrv-ex004.mestekcorp.com> I also have thousands of spam messages that IMF is removing on my Exchange server. Is there a way to have SpamAssassin learn these messages? From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, August 29, 2008 9:29 AM To: mailscanner@lists.mailscanner.info Subject: sa-learn with an Exchange server Good morning, What is the best way to do an sa-learn with an Exchange server? I have a spam mailbox where users have been forwarding spam. The problem is that they forwarded the mail so the message headers have changed. Is there a way to remove local headers from my mail systems or will I have to do this by hand? Thanks for the help, Ray -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/d598e6c4/attachment.html From roland at inbox4u.de Fri Aug 29 14:50:13 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Fri Aug 29 14:51:17 2008 Subject: AW: sa-learn with an Exchange server In-Reply-To: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com> References: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF0@TS-DC2.ts-webarts.local> Hi Ray, You could send e-mails as attachments to a certain address and then use a script to run sa-learn for each attached e-mail. You can find some instructions here: http://serversupportforum.de/forum/faqs-anleitungen/1934-sa-learn-per-email-f-ttern.html. I could translate it into English, if you want. Regards, Roland From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, 29 August 2008 15:29 To: mailscanner@lists.mailscanner.info Subject: sa-learn with an Exchange server Good morning, What is the best way to do an sa-learn with an Exchange server? I have a spam mailbox where users have been forwarding spam. The problem is that they forwarded the mail so the message headers have changed. Is there a way to remove local headers from my mail systems or will I have to do this by hand? Thanks for the help, Ray -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/675c56f3/attachment.html From roland at inbox4u.de Fri Aug 29 14:53:21 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Fri Aug 29 14:54:19 2008 Subject: AW: sa-learn with an Exchange server In-Reply-To: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D27@mtsrv-ex004.mestekcorp.com> References: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com> <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D27@mtsrv-ex004.mestekcorp.com> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF1@TS-DC2.ts-webarts.local> You should fight spam at one place only. The spam detection included in Exchange 2003/2007 is not very reliable, as it produces many false positives. See my last mail, this should give you a hint. From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, 29 August 2008 15:40 To: MailScanner discussion Subject: RE: sa-learn with an Exchange server I also have thousands of spam messages that IMF is removing on my Exchange server. Is there a way to have SpamAssassin learn these messages? From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, August 29, 2008 9:29 AM To: mailscanner@lists.mailscanner.info Subject: sa-learn with an Exchange server Good morning, What is the best way to do an sa-learn with an Exchange server? I have a spam mailbox where users have been forwarding spam. The problem is that they forwarded the mail so the message headers have changed. Is there a way to remove local headers from my mail systems or will I have to do this by hand? Thanks for the help, Ray -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/a8c07f37/attachment.html From rjette at mestek.com Fri Aug 29 15:11:54 2008 From: rjette at mestek.com (Raymond Jette) Date: Fri Aug 29 15:12:06 2008 Subject: sa-learn with an Exchange server In-Reply-To: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF1@TS-DC2.ts-webarts.local> References: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com><6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D27@mtsrv-ex004.mestekcorp.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF1@TS-DC2.ts-webarts.local> Message-ID: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D3C@mtsrv-ex004.mestekcorp.com> Thanks for the link. I'll take a look at this. I am in the process of fighting spam in only one place. I just implemented Postfix, MS, SpamAssassin a few months ago. I'm still in the process of removing IMF. You're right about all of the false positives. I host mail for 37 domains. I receive a lot of spam still (not as much as before) and I'm always looking for more ways to improve the system. Where is the correct location to put custom SA rules? I have read /etc/mail/SpamAssassin. Is this correct even when running MS? Does anyone have any good links on creating custom rules? Thanks, Ray From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland Sent: Friday, August 29, 2008 9:53 AM To: MailScanner discussion Subject: AW: sa-learn with an Exchange server You should fight spam at one place only. The spam detection included in Exchange 2003/2007 is not very reliable, as it produces many false positives. See my last mail, this should give you a hint. From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, 29 August 2008 15:40 To: MailScanner discussion Subject: RE: sa-learn with an Exchange server I also have thousands of spam messages that IMF is removing on my Exchange server. Is there a way to have SpamAssassin learn these messages? From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, August 29, 2008 9:29 AM To: mailscanner@lists.mailscanner.info Subject: sa-learn with an Exchange server Good morning, What is the best way to do an sa-learn with an Exchange server? I have a spam mailbox where users have been forwarding spam. The problem is that they forwarded the mail so the message headers have changed. Is there a way to remove local headers from my mail systems or will I have to do this by hand? Thanks for the help, Ray -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/c381f1dd/attachment.html From campbell at cnpapers.com Fri Aug 29 16:23:52 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Aug 29 16:24:14 2008 Subject: CVD extraction failure Message-ID: <48B81488.6030807@cnpapers.com> I hate to ask a question about old version stuff, but we're in the middle of some changes here that just do not let me get around to updating MS. I'm running 4.58.9. I started updating the world of Clam/SA and got stopped before I could get to MS. I now see "ERROR: CVD extraction failure" messages in my log file. I'm assuming this has to do with new ClamAV/ old MS and did my best to try and find where the message is coming from. Couldn't find a clue in any of the update scripts, etc. Any help would be appreciated, and any explanation as to the severity of the message would be gratefully appreciated also.
Thanks Steve Campbell From alex at rtpty.com Fri Aug 29 16:54:04 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Aug 29 16:54:24 2008 Subject: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS? Message-ID: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/ This is something you perl-speaking geniuses will probably pick through... What's your take, guys? From hvdkooij at vanderkooij.org Fri Aug 29 17:44:30 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Aug 29 17:44:40 2008 Subject: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS? In-Reply-To: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> Message-ID: <48B8276E.7070908@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Neuman van der Hans wrote: > http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/ > > This is something you perl-speaking geniuses will probably pick > through... What's your take, guys? The Centos team is looking at patching this rather soon. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIuCdqBvzDRVjxmYERAjDeAJ4xcpAJj6qiJloz4lwA0SJZ3dy4ugCeLCuQ E86JJxi2bKd8qqYQaRXVUNs= =+VTM -----END PGP SIGNATURE----- From mark at msapiro.net Fri Aug 29 18:18:25 2008 From: mark at msapiro.net (Mark Sapiro) Date: Fri Aug 29 18:19:18 2008 Subject: DSNs from bigfoot.com are quarantined In-Reply-To: <48B5BC00.3050408@ecs.soton.ac.uk> References: <48B05EA8.3000508@msapiro.net> <EMEW-k7OMWxdb6053fc391f82ca346ee175c1ffbac5-g8v85n$ptj$1@ger.gmane.org> <48B5BC00.3050408@ecs.soton.ac.uk> Message-ID: <20080829171825.GA196@msapiro> On Wed, Aug 27, 2008 at 09:41:36PM +0100, Julian Field wrote: > > I am putting out a new beta as I type, with improved message/partial > code in it. This should solve this problem with bigfoot.com DSNs. > > Please try this out and let me know how you get on. > > Thanks, > > Jules > I have just installed the 4.71.8-1 beta, and this is better, but there is now a different problem. The message delivered to the recipient is fine. the message/partial part has been removed and replaced with the attachment warning which says ---------------------------------------------------------------------- The original e-mail attachment "msg-26216-5.msg" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail postmaster@sbh16.songbird.com and include the whole of this message in your request. At Fri Aug 29 10:01:35 2008 the virus scanner said: Fragmented messages cannot be scanned and are removed Note to Postmaster: Look on the GPC MailScanner in /var/spool/MailScanner/quarantine/20080829 (message 6C1E46900AA.4FC5C). However, in the quarantine, the directory 20080829/6C1E46900AA.4FC5C is created but it is empty. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From alex at rtpty.com Fri Aug 29 18:32:16 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Aug 29 18:32:37 2008 Subject: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS? In-Reply-To: <48B8276E.7070908@vanderkooij.org> References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <48B8276E.7070908@vanderkooij.org> Message-ID: <AF4CC6F5-EBFB-4553-A04F-694D195645D7@rtpty.com> How much of an improvement do you believe we might see? Sent from my iPhone On Aug 29, 2008, at 11:44 AM, Hugo van der Kooij <hvdkooij@vanderkooij.org > wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Alex Neuman van der Hans wrote: >> http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/ >> >> This is something you perl-speaking geniuses will probably pick >> through... What's your take, guys? > > The Centos team is looking at patching this rather soon. > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFIuCdqBvzDRVjxmYERAjDeAJ4xcpAJj6qiJloz4lwA0SJZ3dy4ugCeLCuQ > E86JJxi2bKd8qqYQaRXVUNs= > =+VTM > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From roland at inbox4u.de Fri Aug 29 18:34:18 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Fri Aug 29 18:35:28 2008 Subject: AW: sa-learn with an Exchange server In-Reply-To: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D3C@mtsrv-ex004.mestekcorp.com> References: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com><6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D27@mtsrv-ex004.mestekcorp.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF1@TS-DC2.ts-webarts.local> <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D3C@mtsrv-ex004.mestekcorp.com> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF3@TS-DC2.ts-webarts.local> Raymond, all files ending in .cf located in /etc/mail/spamassassin are used by SpamAssassin. Of course you could put custom rules into /etc/MailScanner/spam.assassin.prefs.conf too, but I would not recommend doing so. Please keep in mind to do a test after implementing new rules. Regards, Roland From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, 29 August 2008 16:12 To: MailScanner discussion Subject: RE: sa-learn with an Exchange server Thanks for the link. I'll take a look at this. I am in the process of fighting spam in only one place. I just implemented Postfix, MS, SpamAssassin a few months ago. I'm still in the process of removing IMF. You're right about all of the false positives. I host mail for 37 domains. I receive a lot of spam still (not as much as before) and I'm always looking for more ways to improve the system. Where is the correct location to put custom SA rules? I have read /etc/mail/SpamAssassin. Is this correct even when running MS? Does anyone have any good links on creating custom rules?
Thanks, Ray From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland Sent: Friday, August 29, 2008 9:53 AM To: MailScanner discussion Subject: AW: sa-learn with an Exchange server You should fight spam at one place only. The spam detection included in Exchange 2003/2007 is not very reliable, as it produces many false positives. See my last mail, this should give you a hint. From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, 29 August 2008 15:40 To: MailScanner discussion Subject: RE: sa-learn with an Exchange server I also have thousands of spam messages that IMF is removing on my Exchange server. Is there a way to have SpamAssassin learn these messages? From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette Sent: Friday, August 29, 2008 9:29 AM To: mailscanner@lists.mailscanner.info Subject: sa-learn with an Exchange server Good morning, What is the best way to do an sa-learn with an Exchange server? I have a spam mailbox where users have been forwarding spam. The problem is that they forwarded the mail so the message headers have changed. Is there a way to remove local headers from my mail systems or will I have to do this by hand? Thanks for the help, Ray -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/e08e9353/attachment-0001.html From ssilva at sgvwater.com Fri Aug 29 18:55:58 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 29 18:55:21 2008 Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007 In-Reply-To: <004401c909bd$ce4b2570$6ae17050$@dk> References: <EMEW-k7RNn19f2125933e41d8b8c5d77c4ba6cea9a9-6beca9db0808281542y47eeab46kdaa64a7f48eac3b1@mail.gmail.com> <48B7C397.5010508@ecs.soton.ac.uk> <004401c909bd$ce4b2570$6ae17050$@dk> Message-ID: <g99d5h$pdo$1@ger.gmane.org> on 8-29-2008 2:58 AM Jonas Akrouh Larsen spake the following: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: 29. august 2008 11:39 > To: MailScanner discussion > Subject: Re: MailScanner Watermark Plugin For Microsoft Exchange 2007 > > Can you add this to the Wiki please? It looks really useful to know. > > Mikael Syska wrote: >> Hi, >> >> For some time I have been thinking about getting our Exchange servers >> that are placed in a different location than our MailScanner to add >> Watermark themselves and also to save a lot of traffic ... I came up >> with this solution, a Transport Agent for Exchange 2007. It can >> probably be converted to also include Exchange 2003, but that's out of >> my knowledge .... EventSinks ain't my cup of tea. >> >> If there are any problems with it, please contact me so we can solve >> the problem. >> >> Ideas for more are very welcome ... :-) >> >> Link and other info is available here: >> > http://ifyoudo.net/post/2008/08/07/MailScannerWatermark-Plugin-For-Microsoft > -Exchange-2007.aspx >> best regards >> Mikael Syska > > I helped Mikael test the code a little bit, and I can confirm that it works.
> > As talked about several weeks ago this is super useful for all those of us > who suffer from backscatter but for one reason or another can't or won't send > all our outgoing mail via a MailScanner relay. > > So kudos to Mikael for coding this sweet addon for exchange :) > > I can only hope it inspires somebody to implement the equivalent functions > as an exchange 2003 event sink. > > Best regards > > Jonas Larsen > I am surprised at how much mail I still see sent from Exchange 6.5! Isn't that from back in the NT 4.0 days? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080829/c449eb53/signature.bin From Kevin_Miller at ci.juneau.ak.us Fri Aug 29 19:02:18 2008 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Aug 29 19:02:31 2008 Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007 In-Reply-To: <g99d5h$pdo$1@ger.gmane.org> References: <EMEW-k7RNn19f2125933e41d8b8c5d77c4ba6cea9a9-6beca9db0808281542y47eeab46kdaa64a7f48eac3b1@mail.gmail.com> <48B7C397.5010508@ecs.soton.ac.uk><004401c909bd$ce4b2570$6ae17050$@dk> <g99d5h$pdo$1@ger.gmane.org> Message-ID: <D1587DCF6294524BAFA2C9944312FCC8C7D708@city-exch-w3e.cbj.local> Scott Silva wrote: > I am surprised at how much mail I still see sent from Exchange 6.5! > > Isn't that from back in the NT 4.0 days? That would be 5.5 I think. But there's still some of those around. 6.5 is Exchange 2003. Between them was Exchange 2000, presumably 6.0. I wonder why Microsoft counts in fives? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From rpoe at plattesheriff.org Fri Aug 29 19:32:01 2008 From: rpoe at plattesheriff.org (Rob Poe) Date: Fri Aug 29 19:32:57 2008 Subject: Perl Bug on Centos -- Affect MS ?? Message-ID: <48B7FA4C.65ED.00A2.0@plattesheriff.org> http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/ Does this affect MailScanner ? From alex at rtpty.com Fri Aug 29 19:40:30 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Aug 29 19:40:47 2008 Subject: Perl Bug on Centos -- Affect MS ?? In-Reply-To: <48B7FA4C.65ED.00A2.0@plattesheriff.org> References: <48B7FA4C.65ED.00A2.0@plattesheriff.org> Message-ID: <2A363DF7-B683-48C1-B436-C171B8BBEE17@rtpty.com> Just posted this a while back. It seems it does, although no messages about how much have made the list yet. Someone mentioned CentOS people are on it. On Aug 29, 2008, at 1:32 PM, Rob Poe wrote: > http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/ > > Does this affect MailScanner ? > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From chris at cjbuckley.net Fri Aug 29 19:54:23 2008 From: chris at cjbuckley.net (Christopher J. Buckley) Date: Fri Aug 29 19:54:42 2008 Subject: Perl Bug on Centos -- Affect MS ?? In-Reply-To: <2A363DF7-B683-48C1-B436-C171B8BBEE17@rtpty.com> References: <48B7FA4C.65ED.00A2.0@plattesheriff.org> <2A363DF7-B683-48C1-B436-C171B8BBEE17@rtpty.com> Message-ID: <48B845DF.6040106@cjbuckley.net> Alex Neuman van der Hans wrote: > Just posted this a while back. It seems it does, although no messages > about how much have made the list yet. Someone mentioned CentOS people > are on it. 
Please note: if you are a Red Hat customer you should raise this issue directly with Red Hat Support, they can direct you appropriately. -- Kind Regards, :: http://www.cjbuckley.net/ Chris Buckley :: http://photos.cjbuckley.net/ From roland at inbox4u.de Fri Aug 29 19:50:10 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Fri Aug 29 19:58:17 2008 Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS? In-Reply-To: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> Just did the small test, which is mentioned on the page. Result: Yes FC6 is affected. I will compile perl manually and put it into the exclude list of yum. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans > Sent: Friday, 29 August 2008 17:54 > To: MailScanner discussion > Subject: Not completely OT: Does this affect MailScanner users on > RH/FC/CentOS? > > http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/ > > This is something you perl-speaking geniuses will probably pick > through... What's your take, guys? > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at rtpty.com Fri Aug 29 20:09:53 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Aug 29 20:10:10 2008 Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> Message-ID: <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> How much of an improvement? Can you describe both the test and the manual perl compile process and put it up on the wiki? On Aug 29, 2008, at 1:50 PM, Ehle, Roland wrote: > Just did the small test, which is mentioned on the page. Result: Yes > FC6 is affected. I will compile perl manually and put it into the > exclude list of yum. From chris at cjbuckley.net Fri Aug 29 20:24:02 2008 From: chris at cjbuckley.net (Christopher J. Buckley) Date: Fri Aug 29 20:24:22 2008 Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS? In-Reply-To: <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> Message-ID: <48B84CD2.2030307@cjbuckley.net> Alex Neuman van der Hans wrote: > How much of an improvement? Can you describe both the test and the > manual perl compile process and put it up on the wiki? Do you really want to be encouraging people to compile their own binaries of such a critical package? I wouldn't. I would advise people to contact their vendor and obtain the hot-fix or latest *supported* package. Of course, if you wanted support, you wouldn't be running Fedora.. :-) So cest la vie. -- Kind Regards, :: http://www.cjbuckley.net/ Chris Buckley :: http://photos.cjbuckley.net/ From roland at inbox4u.de Fri Aug 29 20:30:08 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Fri Aug 29 20:31:16 2008 Subject: AW: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS? 
In-Reply-To: <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF7@TS-DC2.ts-webarts.local> The test: In the thread, ritz posted the following snippet. Try it. It should take under a second if the perl is not broken and a lot longer if it is.

#!/usr/bin/perl
# Overload an operator for package main, so objects blessed into it are overloaded.
use overload q(<) => sub {};

my %h;

# Bless 50000 array references into 'main'; a dot goes to STDERR every 1000 iterations.
for (my $i=0; $i<50000; $i++) {
    $h{$i} = bless [ ] => 'main';
    print STDERR '.' if $i % 1000 == 0;
}

The compile process failed with an error message, I am trying to fix it and will post the results on the wiki. Regards, Roland > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans > Sent: Friday, 29 August 2008 21:10 > To: MailScanner discussion > Subject: Re: AW: Not completely OT: Does this affect MailScanner users > on RH/FC/CentOS? > > How much of an improvement? Can you describe both the test and the > manual perl compile process and put it up on the wiki? > > > On Aug 29, 2008, at 1:50 PM, Ehle, Roland wrote: > > > Just did the small test, which is mentioned on the page. Result: Yes > > FC6 is affected. I will compile perl manually and put it into the > > exclude list of yum. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From richard.frovarp at sendit.nodak.edu Fri Aug 29 20:33:11 2008 From: richard.frovarp at sendit.nodak.edu (Richard Frovarp) Date: Fri Aug 29 20:33:26 2008 Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com>
Message-ID: <48B84EF7.9020601@sendit.nodak.edu>

Alex Neuman van der Hans wrote:
> How much of an improvement? Can you describe both the test and the
> manual perl compile process and put it up on the wiki?

The test doesn't use MailScanner. We have RHEL 4 and RHEL 5 boxes running MS. Doing the test RHEL 4 is fine, and RHEL5 isn't. However, we have not noticed any performance difference between the two releases when it comes to running MS.

From chris at cjbuckley.net Fri Aug 29 20:40:55 2008
From: chris at cjbuckley.net (Christopher J. Buckley)
Date: Fri Aug 29 20:41:13 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <48B84EF7.9020601@sendit.nodak.edu>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84EF7.9020601@sendit.nodak.edu>
Message-ID: <48B850C7.1040307@cjbuckley.net>

Richard Frovarp wrote:
> Alex Neuman van der Hans wrote:
>> How much of an improvement? Can you describe both the test and the
>> manual perl compile process and put it up on the wiki?
> The test doesn't use MailScanner. We have RHEL 4 and RHEL 5 boxes
> running MS. Doing the test RHEL 4 is fine, and RHEL5 isn't. However, we
> have not noticed any performance difference between the two releases
> when it comes to running MS.

If you _do_ encounter problems using MailScanner and Red Hat, please raise a support request. According to the Bugzilla for this issue, there is now a hot-fix available to supported customers.

Cheers,
--
Kind Regards, :: http://www.cjbuckley.net/
Chris Buckley :: http://photos.cjbuckley.net/

From roland at inbox4u.de Fri Aug 29 20:40:25 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Fri Aug 29 20:41:20 2008
Subject: AW: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <48B84CD2.2030307@cjbuckley.net>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84CD2.2030307@cjbuckley.net>
Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF8@TS-DC2.ts-webarts.local>

Partially agree, but we were not talking about encouraging people to compile their own perl. For all other cases:

Read the patient information leaflet and ask your doctor or pharmacist about risks and side effects. :-)

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On behalf of Christopher J. Buckley
> Sent: Friday, 29 August 2008 21:24
> To: MailScanner discussion
> Subject: Re: AW: Not completely OT: Does this affect MailScanner users
> on RH/FC/CentOS?
>
> Alex Neuman van der Hans wrote:
> > How much of an improvement? Can you describe both the test and the
> > manual perl compile process and put it up on the wiki?
>
> Do you really want to be encouraging people to compile their own
> binaries of such a critical package? I wouldn't.
>
> I would advise people to contact their vendor and obtain the hot-fix or
> latest *supported* package. Of course, if you wanted support, you
> wouldn't be running Fedora.. :-) So c'est la vie.
>
> --
> Kind Regards, :: http://www.cjbuckley.net/
> Chris Buckley :: http://photos.cjbuckley.net/
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From alex at rtpty.com Fri Aug 29 20:45:02 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Aug 29 20:45:17 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <48B84CD2.2030307@cjbuckley.net>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84CD2.2030307@cjbuckley.net>
Message-ID: <BE28540A-3979-4840-BEDC-EB0DBB7E3199@rtpty.com>

On Aug 29, 2008, at 2:24 PM, Christopher J. Buckley wrote:

> Do you really want to be encouraging people to compile their own
> binaries of such a critical package? I wouldn't.
>

Do you really want to use that kind of tone on this list? :-) I don't want to encourage anything other than what this group has always stood for: a veritable "Library of Alexandria" on MTAs and tweaking and such. On more than one occasion I've helped (or been helped) with something that isn't directly related to MailScanner by a bunch of dedicated, caring, selfless people who learn by applying their experience towards fixing other people's problems, since it enriches their particular experience and provides the framework - and motivation, let's not forget that! - for others to help *them* in their times of need, whether it's in the form of code or, for those of us who don't program, some insight, inspiration or a localized translation that benefits even more people.

> I would advise people to contact their vendor and obtain the hot-fix
> or latest *supported* package.
Of course, if you wanted support,
> you wouldn't be running Fedora.. :-) So c'est la vie.

One of the great things about MailScanner is that it'll run in many platforms, giving you the freedom to choose. In that same sense I believe more than one person on this list knows how to recompile their perl binary and would like the opportunity to test it out; even more people would be able to benefit from the trail they blaze if they choose to put it up on the wiki.

Please don't think I'm encouraging people to compile critical binaries (even though there are a few list members who wouldn't have it any other way) without adult supervision; I'm only suggesting that when they *do* find something that could benefit others in the future, they help by committing it to the wiki.

From alex at rtpty.com Fri Aug 29 20:45:26 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Aug 29 20:45:37 2008
Subject: AW: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF7@TS-DC2.ts-webarts.local>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF7@TS-DC2.ts-webarts.local>
Message-ID: <A886AFF2-B55F-44C2-84E3-34503269117D@rtpty.com>

Thanks for that!

On Aug 29, 2008, at 2:30 PM, Ehle, Roland wrote:

> The compile process failed with an error message, I am trying to fix
> it and will post the results on the wiki.

From roland at inbox4u.de Fri Aug 29 20:48:52 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Fri Aug 29 20:50:16 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com>
Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF9@TS-DC2.ts-webarts.local>

So, finally:

I have 2 boxes running, one with FC4, the other with FC6.

FC6 is affected by the bug, FC4 is not affected. I did not notice any performance differences between the two boxes, regarding MailScanner. So don't panic.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On behalf of Alex Neuman van der Hans
> Sent: Friday, 29 August 2008 17:54
> To: MailScanner discussion
> Subject: Not completely OT: Does this affect MailScanner users on
> RH/FC/CentOS?
>
> http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/
>
> This is something you perl-speaking geniuses will probably pick
> through... What's your take, guys?
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From chris at cjbuckley.net Fri Aug 29 20:49:54 2008
From: chris at cjbuckley.net (Christopher J. Buckley)
Date: Fri Aug 29 20:50:20 2008
Subject: AW: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF8@TS-DC2.ts-webarts.local>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84CD2.2030307@cjbuckley.net> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF8@TS-DC2.ts-webarts.local>
Message-ID: <48B852E2.4020301@cjbuckley.net>

Ehle, Roland wrote:
> Partially agree, but we were not talking about encouraging
> people to compile their own perl.
For all other cases:
>
> Read the patient information leaflet and ask your doctor
> or pharmacist about risks and side effects. :-)

:-)

I do think this should be made clear on the wiki article - i.e., your vendor's ability to support you *will* decrease - if you choose to re-compile.

--
Kind Regards, :: http://www.cjbuckley.net/
Chris Buckley :: http://photos.cjbuckley.net/

From ka at pacific.net Fri Aug 29 20:52:46 2008
From: ka at pacific.net (Ken A)
Date: Fri Aug 29 20:52:55 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <48B84EF7.9020601@sendit.nodak.edu>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84EF7.9020601@sendit.nodak.edu>
Message-ID: <48B8538E.5020201@pacific.net>

Richard Frovarp wrote:
> Alex Neuman van der Hans wrote:
>> How much of an improvement? Can you describe both the test and the
>> manual perl compile process and put it up on the wiki?
> The test doesn't use MailScanner. We have RHEL 4 and RHEL 5 boxes
> running MS. Doing the test RHEL 4 is fine, and RHEL5 isn't. However, we
> have not noticed any performance difference between the two releases
> when it comes to running MS.

Same here, but with FC6 buggy perl. It would be nice to know if MailScanner is affected in any significant way. Why upgrade perl for new bugs when the old ones work fine?

Ken

--
Ken Anderson
Pacific.Net

From ms-list at alexb.ch Fri Aug 29 21:12:59 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Aug 29 21:13:11 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF9@TS-DC2.ts-webarts.local>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF9@TS-DC2.ts-webarts.local>
Message-ID: <48B8584B.80006@alexb.ch>

On 8/29/2008 9:48 PM, Ehle, Roland wrote:
> So, finally:
>
> I have 2 boxes running, one with FC4, the other with FC6.
>
> FC6 is affected by the bug, FC4 is not affected. I did not notice any performance differences between the two boxes, regarding MailScanner. So don't panic.

curious: both setups on exactly the same hardware?

Alex

From hvdkooij at vanderkooij.org Fri Aug 29 21:38:32 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Aug 29 21:38:41 2008
Subject: AW: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF8@TS-DC2.ts-webarts.local>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84CD2.2030307@cjbuckley.net> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF8@TS-DC2.ts-webarts.local>
Message-ID: <48B85E48.7010005@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ehle, Roland wrote:
> Partially agree, but we were not talking about encouraging people to compile their own perl. For all other cases:
>
> Read the patient information leaflet and ask your doctor or pharmacist about risks and side effects. :-)

If you want upstream patches. You should not be using FC6. Only Fedora 8 and above receive them.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIuF5EBvzDRVjxmYERAmgKAKCLDkiqKoJpQHAY/G5IMjIvArVIPQCfabD0
/SGqkXQ7IIL8osvA2+1u/Sg=
=N/5Z
-----END PGP SIGNATURE-----

From richard.frovarp at sendit.nodak.edu Fri Aug 29 21:41:13 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Fri Aug 29 21:41:24 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <48B8538E.5020201@pacific.net>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84EF7.9020601@sendit.nodak.edu> <48B8538E.5020201@pacific.net>
Message-ID: <48B85EE9.9060909@sendit.nodak.edu>

Ken A wrote:
> Richard Frovarp wrote:
>> Alex Neuman van der Hans wrote:
>>> How much of an improvement? Can you describe both the test and the
>>> manual perl compile process and put it up on the wiki?
>
>> The test doesn't use MailScanner. We have RHEL 4 and RHEL 5 boxes
>> running MS. Doing the test RHEL 4 is fine, and RHEL5 isn't. However,
>> we have not noticed any performance difference between the two
>> releases when it comes to running MS.
>
> Same here, but with FC6 buggy perl. It would be nice to know if
> MailScanner is affected in any significant way. Why upgrade perl for
> new bugs when the old ones work fine?
>
> Ken
>

Well my testing and other testing reported back here, seems to indicate there isn't a problem. No one has said anything on the SA list. Run that test code and add an extra 0 onto the end. RHEL 4 finished in about 4 seconds. RHEL 5 on a beefier box was only half done after 40 minutes and was slowing down. It would appear that when this one hits, it hits very hard.

Richard

From chris at cjbuckley.net Fri Aug 29 22:36:19 2008
From: chris at cjbuckley.net (Christopher J.
Buckley)
Date: Fri Aug 29 22:36:39 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <BE28540A-3979-4840-BEDC-EB0DBB7E3199@rtpty.com>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84CD2.2030307@cjbuckley.net> <BE28540A-3979-4840-BEDC-EB0DBB7E3199@rtpty.com>
Message-ID: <48B86BD3.5060603@cjbuckley.net>

Alex Neuman van der Hans wrote:
> Please don't think I'm encouraging people to compile critical binaries
> (even though there are a few list members who wouldn't have it any
> other way) without adult supervision; I'm only suggesting that when
> they *do* find something that could benefit others in the future, they
> help by committing it to the wiki.

Good points, well made. I agree with your sentiments. :-)

--
Kind Regards, :: http://www.cjbuckley.net/
Chris Buckley :: http://photos.cjbuckley.net/

From indunil75 at gmail.com Sat Aug 30 05:04:28 2008
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Sat Aug 30 05:04:38 2008
Subject: MailScanner error (SLOVED)
Message-ID: <7ed6b0aa0808292104o6fbe2cc3q2800a6211cec8507@mail.gmail.com>

> this is probably happening due to the fact, that perl was updated too. Please reinstall MailScanner to solve the issue.

Yeah, U R right, By now, I have solved the ISSUE. I removed NEW perl-Mailtool and reinstalled perl-Mailtool that came with MailScanner.

Thanks for your idea.

> Regards,
> Roland
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On behalf of Indunil Jayasooriya
>> Sent: Friday, 29 August 2008 12:30
>> To: MailScanner discussion
>> Subject: MailScanner error
>>
>> [root@osthub ~]# /etc/init.d/MailScanner start
>> Hi,
>>
>> I recently updated to CentOS 4.6 from CentOS 4.4 with yum update my
>> postfix mail server.
>>
>> Then, I get this error message, while starting.
>>
>> I expect your ideas to solve this ISSUE.
>>
>> Starting MailScanner daemons:
>> incoming postfix: [ OK ]
>> outgoing postfix: [ OK ]
>> MailScanner: Variable "$FIELD_NAME" is not imported at
>> /usr/lib/MailScanner/MailScanner/Message.pm line 6895.
>> Variable "$FIELD_NAME" is not imported at
>> /usr/lib/MailScanner/MailScanner/Message.pm line 6898.
>> Global symbol "$FIELD_NAME" requires explicit package name at
>> /usr/lib/MailScanner/MailScanner/Message.pm line 6895.
>> Global symbol "$FIELD_NAME" requires explicit package name at
>> /usr/lib/MailScanner/MailScanner/Message.pm line 6898.
>> Compilation failed in require at /usr/sbin/MailScanner line 79.
>> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 79.
>> [ OK ]
>>
>>
>>
>> --
>> Thank you
>> Indunil Jayasooriya
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Thank you
Indunil Jayasooriya

From andrew at gdcon.net Sat Aug 30 07:14:41 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Sat Aug 30 07:05:15 2008
Subject: OT - Re: Moving Mailboxes
In-Reply-To: <4B61978F-5177-4A27-81FF-C5468D20CBF9@rtpty.com>
References: <008f01c9096c$c1edb9b0$45c92d10$@com> <43BB89B4-ADBE-4A9F-A399-98F497FC3A33@rtpty.com> <007a86988194e93952a2b34cc0f663a1.squirrel@wm.gdcon.net> <4B61978F-5177-4A27-81FF-C5468D20CBF9@rtpty.com>
Message-ID: <6695dede0466da10e4c6ad9318286f0e.squirrel@wm.gdcon.net>

On Fri, August 29, 2008 12:07 pm, Alex Neuman van der Hans wrote:
> Why?
>
> Sent from my iPhone
>

It was an iToy joke...

--
This message was scanned by ESVA and is believed to be clean.

From glenn.steen at gmail.com Sat Aug 30 09:10:33 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 30 09:10:42 2008
Subject: CVD extraction failure
In-Reply-To: <48B81488.6030807@cnpapers.com>
References: <48B81488.6030807@cnpapers.com>
Message-ID: <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com>

2008/8/29 Steve Campbell <campbell@cnpapers.com>

> I hate to ask a question about old version stuff, but we're in the middle
> of some changes here that just do not let me get around to updating MS. I'm
> running 4.58.9.
>
> I started updating the world of Clam/SA and got stopped before I could get
> to MS. I now see "ERROR: CVD extraction failure" messages in my log file.
> I'm assuming this has to do with new ClamAV/ old MS and did my best to try
> and find where the message is coming from. Couldn't find a clue in any of
> the update scripts, etc.
>
> Any help would be appreciated, and any explanation as to the severity of
> the message would be gratefully appreciated also.
>
> Thanks
>
> Steve Campbell
>

Do you get the same from freshclam? The clamav-autoupdate basically just run freshclam... Perhaps you have multiple clamav installed (or "leftovers" from more than one)? Check your virus.scanners.conf for the relevant one you are using:). As always, one install of the latest stable is best.

The error itself is ... pretty severe, I'd think, since you will lack proper updates until fixed.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080830/36e6fe43/attachment.html

From glenn.steen at gmail.com Sat Aug 30 09:44:36 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 30 09:44:47 2008
Subject: AW: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <48B852E2.4020301@cjbuckley.net>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84CD2.2030307@cjbuckley.net> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF8@TS-DC2.ts-webarts.local> <48B852E2.4020301@cjbuckley.net>
Message-ID: <223f97700808300144w7b931f5aw1dea563ae8fae564@mail.gmail.com>

2008/8/29 Christopher J. Buckley <chris@cjbuckley.net>

> Ehle, Roland wrote:
>
>> Partially agree, but we were not talking about encouraging
>> people to compile their own perl. For all other cases:
>>
>> Read the patient information leaflet and ask your doctor or pharmacist
>> about risks and side effects. :-)
>>
>
> :-)
>
> I do think this should be made clear on the wiki article - i.e., your vendor's
> ability to support you *will* decrease - if you choose to re-compile.
>
>

Yes, but *your* ability to *help yourself* will increase:-D. People running CentOS and FC generally don't have expensive support contracts... So your objection on that isn't relevant (sorry:-)... For RH, the gut reaction should of course be to carp to support. But if you have the skill, I don't see why you shouldn't be able to replace your distribution perl... It's not like it's part of the OS proper;-). Yes, there will be tools that MIGHT malfunction, but then ... so it is with any update....:-)

BTW, just tested on a few versions of Mandriva (including 2008.1) and none are affected by this problem. Sometimes the kinship between Rh and Mdv isn't that close anymore:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080830/33f7fe10/attachment.html

From glenn.steen at gmail.com Sat Aug 30 09:48:47 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 30 09:48:57 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <48B8538E.5020201@pacific.net>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84EF7.9020601@sendit.nodak.edu> <48B8538E.5020201@pacific.net>
Message-ID: <223f97700808300148y6857719eg501dbcde507b2faf@mail.gmail.com>

2008/8/29 Ken A <ka@pacific.net>

> Richard Frovarp wrote:
>
>> Alex Neuman van der Hans wrote:
>>
>>> How much of an improvement? Can you describe both the test and the manual
>>> perl compile process and put it up on the wiki?
>>>
>>
> The test doesn't use MailScanner. We have RHEL 4 and RHEL 5 boxes running
>> MS. Doing the test RHEL 4 is fine, and RHEL5 isn't. However, we have not
>> noticed any performance difference between the two releases when it comes to
>> running MS.
>>
>
> Same here, but with FC6 buggy perl. It would be nice to know if MailScanner
> is affected in any significant way. Why upgrade perl for new bugs when the
> old ones work fine?
>
> Ken

LOL!:-)

Question is if we do anything where the affected calls would be able to dominate over the normal "slowness" of things... Like DNS/BLs etc... I'm not that sure that we would see anything significant enough to separate it from all the other latency:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080830/cdf986ca/attachment.html

From glenn.steen at gmail.com Sat Aug 30 09:53:00 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 30 09:53:10 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <48B85EE9.9060909@sendit.nodak.edu>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84EF7.9020601@sendit.nodak.edu> <48B8538E.5020201@pacific.net> <48B85EE9.9060909@sendit.nodak.edu>
Message-ID: <223f97700808300153y261a1750lb1b2543a567f080@mail.gmail.com>

2008/8/29 Richard Frovarp <richard.frovarp@sendit.nodak.edu>

> Ken A wrote:
>
>> Richard Frovarp wrote:
>>
>>> Alex Neuman van der Hans wrote:
>>>
>>>> How much of an improvement? Can you describe both the test and the
>>>> manual perl compile process and put it up on the wiki?
>>>>
>>>
>> The test doesn't use MailScanner. We have RHEL 4 and RHEL 5 boxes running
>>> MS. Doing the test RHEL 4 is fine, and RHEL5 isn't. However, we have not
>>> noticed any performance difference between the two releases when it comes to
>>> running MS.
>>>
>>
>> Same here, but with FC6 buggy perl. It would be nice to know if
>> MailScanner is affected in any significant way. Why upgrade perl for new
>> bugs when the old ones work fine?
>>
>> Ken
>>
>> Well my testing and other testing reported back here, seems to indicate
> there isn't a problem. No one has said anything on the SA list. Run that
> test code and add an extra 0 onto the end. RHEL 4 finished in about 4
> seconds. RHEL 5 on a beefier box was only half done after 40 minutes and was
> slowing down. It would appear that when this one hits, it hits very hard.
>
> Richard

Yikes!

Well then. Are we to guess there is no use of bless/overload in the MS code and all its depended upon modules?
Seems unlikely, but perhaps true. I wonder if even Jules knows:).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080830/57e4a1a7/attachment-0001.html

From chris at cjbuckley.net Sat Aug 30 11:51:06 2008
From: chris at cjbuckley.net (Christopher J. Buckley)
Date: Sat Aug 30 11:51:29 2008
Subject: AW: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <223f97700808300144w7b931f5aw1dea563ae8fae564@mail.gmail.com>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84CD2.2030307@cjbuckley.net> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF8@TS-DC2.ts-webarts.local> <48B852E2.4020301@cjbuckley.net> <223f97700808300144w7b931f5aw1dea563ae8fae564@mail.gmail.com>
Message-ID: <48B9261A.4020703@cjbuckley.net>

Glenn Steen wrote:
> For RH, the gut reaction should of course be to carp to support.

Absolutely correct. There is now a vendor supported hotfix available for Red Hat customers. Once a SRPM is made available, CentOS can fix the problem, also.

Cheers,
--
Kind Regards, :: http://www.cjbuckley.net/
Chris Buckley :: http://photos.cjbuckley.net/

From MailScanner at ecs.soton.ac.uk Sat Aug 30 12:27:55 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 30 12:28:16 2008
Subject: DSNs from bigfoot.com are quarantined
In-Reply-To: <EMEW-k7SIN609ead0bdf772e2569973ee5ce28562f9-20080829171825.GA196@msapiro>
References: <48B05EA8.3000508@msapiro.net> <EMEW-k7OMWxdb6053fc391f82ca346ee175c1ffbac5-g8v85n$ptj$1@ger.gmane.org> <48B5BC00.3050408@ecs.soton.ac.uk> <EMEW-k7SIN609ead0bdf772e2569973ee5ce28562f9-20080829171825.GA196@msapiro>
Message-ID: <48B92EBB.60506@ecs.soton.ac.uk>

Mark Sapiro wrote:
> On Wed, Aug 27, 2008 at 09:41:36PM +0100, Julian Field wrote:
>
>> I am putting out a new beta as I type, with improved message/partial
>> code in it. This should solve this problem with bigfoot.com DSNs.
>>
>> Please try this out and let me know how you get on.
>>
>> Thanks,
>>
>> Jules
>>
>>
>
>
> I have just installed the 4.71.8-1 beta, and this is better, but there
> is now a different problem.
>
> The message delivered to the recipient is fine. the message/partial part
> has been removed and replaced with the attachment warning which says
>
> ----------------------------------------------------------------------
> The original e-mail attachment "msg-26216-5.msg"
> was believed to be infected by a virus and has been replaced by this warning
> message.
>
> If you wish to receive a copy of the *infected* attachment, please
> e-mail postmaster@sbh16.songbird.com and include the whole of this message
> in your request.
>
> At Fri Aug 29 10:01:35 2008 the virus scanner said:
> Fragmented messages cannot be scanned and are removed
>
> Note to Postmaster: Look on the GPC MailScanner in /var/spool/MailScanner/quarantine/20080829 (message 6C1E46900AA.4FC5C).
>
>
> However, in the quarantine, the directory 20080829/6C1E46900AA.4FC5C is
> created but it is empty.
>

That's because the part of the message isn't ever actually extracted into an attachment, it is just an "entity" in the MIME structure of the message, as opposed to being a real attachment. So I don't think there's much I can do about this. You could add some text on the end of the "Fragmented messages cannot be scanned and are removed" text that said that it was not quarantined, but I'm not quite sure what else we can do about this particular problem. When it comes down to it, bigfoot shouldn't be doing this, they are using a wholly inappropriate message structure for their DSNs.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Sat Aug 30 12:52:29 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 30 12:52:49 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <EMEW-k7Y9yf384ff613973469beb63a40b09d355895-223f97700808300153y261a1750lb1b2543a567f080@mail.gmail.com>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com> <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local> <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com> <48B84EF7.9020601@sendit.nodak.edu> <48B8538E.5020201@pacific.net> <48B85EE9.9060909@sendit.nodak.edu> <EMEW-k7Y9yf384ff613973469beb63a40b09d355895-223f97700808300153y261a1750lb1b2543a567f080@mail.gmail.com>
Message-ID: <48B9347D.9010003@ecs.soton.ac.uk>

Glenn Steen wrote:
>
> Well then. Are we to guess there is no use of bless/overload in the MS
> code and all its depended upon modules? Seems unlikely, but perhaps
> true.
I wonder if even Jules knows:).

He doesn't :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ja at conviator.com Sat Aug 30 13:03:46 2008
From: ja at conviator.com (Jan Agermose)
Date: Sat Aug 30 13:11:52 2008
Subject: rejecting mail / pattern
Message-ID: <CD6321314686A64C90A1F5870AAD3D520128EBA4@MAIL031.mail.lan>

Hi, I'm not sure if this is mailscanner or a sendmail setting.

I want to be able to block mails based on TO-address. I see sometimes one of my customers gets like 5000 mailer daemon mails or maybe just is hit by some spam. Often it's to/from something I could easy block if I could use a perl pattern like ".+olga@blabla.com" or something like this.

I know I can do this as part of the "definitely spam" setting and then it's blacklisted and stored - but often I simply want to block the mail - like on the MTA level so it's rejected and not stored. Can I do this in Mailscanner or is it sendmail? But if it's sendmail - then I cannot use patterns, right? I mean in /etc/mail/access - I can of course write like "olga@blabla.com REJECT" equal to "*olga@blabla.com". That would reject 1olga@ and 2olga@ and so on so I'm almost there but it would also reject "olga@..." and that's not what I want - can I use patterns somehow - stronger patterns than ?

best regards
Jan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080830/9d2b32cd/attachment.html From roland at inbox4u.de Sat Aug 30 14:25:04 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Sat Aug 30 14:26:22 2008 Subject: AW: rejecting mail / pattern In-Reply-To: <CD6321314686A64C90A1F5870AAD3D520128EBA4@MAIL031.mail.lan> References: <CD6321314686A64C90A1F5870AAD3D520128EBA4@MAIL031.mail.lan> Message-ID: <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BFA@TS-DC2.ts-webarts.local> Jan, no, you cannot use patterns in /etc/mail/access. You can of course do so in the rules-Files of MailScanner. You could build a blacklist based on your pattern ideas. By the way, if it were mailer daemon mails your customer received, you could easily cope with the problem by using the Watermark function of MailScanner. Regards, Roland Von: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Im Auftrag von Jan Agermose Gesendet: Samstag, 30. August 2008 14:04 An: MailScanner discussion Betreff: rejecting mail / pattern Hi im not sure if this is mailscanner or a sendmail setting. I want to be able to block mails based on TO-address. I see sometimes one of my customers gets like 5000 mailer daemon mails or maybe just is hit by some spam. Often its to/from something I could easy block if I could use a perl pattern like ".+olga@blabla.com" or something like this. I know I can do this as part of the "definitly spam" setting and then its blacklisted and stored - but often I simply want to block the mail - like on the MTA level so its rejected and not stored. Can I do this in Mailscanner or is it sendmail? But if its sendmail - then I cannot use patterns, right? I mean in /etc/mail/access - I can ofcause write like "olga@blabla.com REJECT" equal to "*olga@blabla.com". That would reject 1olga@ and 2olga@ and so on so Im almost there but it would also reject "olga@..." 
and that's not what I want - can I use patterns somehow - stronger
patterns than ?

best regards

Jan

From alex at rtpty.com Sat Aug 30 16:31:50 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sat Aug 30 16:32:09 2008
Subject: AW: Not completely OT: Does this affect MailScanner users on RH/FC/CentOS?
In-Reply-To: <223f97700808300153y261a1750lb1b2543a567f080@mail.gmail.com>
References: <0907DB5C-D091-40ED-A30C-1667D1DEB8E6@rtpty.com>
    <D0C18CC5B0171C419B96B1D3ADFD783108ECEF4BF6@TS-DC2.ts-webarts.local>
    <B6543DFD-F7E8-4B2A-A0E3-A778F53AB3A3@rtpty.com>
    <48B84EF7.9020601@sendit.nodak.edu>
    <48B8538E.5020201@pacific.net>
    <48B85EE9.9060909@sendit.nodak.edu>
    <223f97700808300153y261a1750lb1b2543a567f080@mail.gmail.com>
Message-ID: <D452E175-873D-48C0-88B6-C2EB9139B7F7@rtpty.com>

I did a simple grep and found at least a dozen "blessings" IIRC ...

Sent from my iPhone

On Aug 30, 2008, at 3:53 AM, "Glenn Steen" <glenn.steen@gmail.com> wrote:

>
>
> 2008/8/29 Richard Frovarp <richard.frovarp@sendit.nodak.edu>
> Ken A wrote:
> Richard Frovarp wrote:
> Alex Neuman van der Hans wrote:
> How much of an improvement? Can you describe both the test and the
> manual perl compile process and put it up on the wiki?
>
> The test doesn't use MailScanner. We have RHEL 4 and RHEL 5 boxes
> running MS. Doing the test RHEL 4 is fine, and RHEL5 isn't. However,
> we have not noticed any performance difference between the two
> releases when it comes to running MS.
>
> Same here, but with FC6 buggy perl. It would be nice to know if
> MailScanner is affected in any significant way. Why upgrade perl for
> new bugs when the old ones work fine?
>
> Ken
>
> Well my testing and other testing reported back here, seems to
> indicate there isn't a problem. No one has said anything on the SA
> list. Run that test code and add an extra 0 onto the end. RHEL 4
> finished in about 4 seconds. RHEL 5 on a beefier box was only half
> done after 40 minutes and was slowing down. It would appear that
> when this one hits, it hits very hard.
>
> Richard
> Yikes!
>
> Well then. Are we to guess there is no use of bless/overload in the
> MS code and all its depended upon modules? Seems unlikely, but
> perhaps true. I wonder if even Jules knows:).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From alex at rtpty.com Sat Aug 30 16:34:08 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sat Aug 30 16:34:23 2008
Subject: rejecting mail / pattern
In-Reply-To: <CD6321314686A64C90A1F5870AAD3D520128EBA4@MAIL031.mail.lan>
References: <CD6321314686A64C90A1F5870AAD3D520128EBA4@MAIL031.mail.lan>
Message-ID: <2D756EE8-2594-4790-B6EE-ED1F5B403868@rtpty.com>

Look into milter-cli from snertsoft.com - that way you can reject before
it gets to MailScanner.

Sent from my iPhone

On Aug 30, 2008, at 7:03 AM, "Jan Agermose" <ja@conviator.com> wrote:

> Hi
>
> I'm not sure if this is MailScanner or a sendmail setting. I want to
> be able to block mails based on TO-address. I see sometimes one of
> my customers gets like 5000 mailer daemon mails or maybe just is hit
> by some spam. Often it's to/from something I could easily block if I
> could use a perl pattern like ".+olga@blabla.com" or something like
> this. I know I can do this as part of the "definitely spam" setting
> and then it's blacklisted and stored - but often I simply want to
> block the mail - like on the MTA level so it's rejected and not stored.
>
> Can I do this in MailScanner or is it sendmail? But if it's sendmail
> - then I cannot use patterns, right? I mean in /etc/mail/access - I
> can of course write like "olga@blabla.com
> REJECT" equal to "*olga@blabla.com".
>
> That would reject 1olga@ and 2olga@ and so on so I'm almost there but
> it would also reject "olga@..." and that's not what I want - can I
> use patterns somehow - stronger patterns than ?
>
> best regards
>
> Jan

From mark at msapiro.net Sun Aug 31 01:01:29 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Aug 31 01:01:45 2008
Subject: DSNs from bigfoot.com are quarantined
In-Reply-To: <48B92EBB.60506@ecs.soton.ac.uk>
Message-ID: <PC18702008083017012900317bd51cbc@msapiro>

Julian Field wrote:
>
>Mark Sapiro wrote:
>> On Wed, Aug 27, 2008 at 09:41:36PM +0100, Julian Field wrote:
>>
>>> I am putting out a new beta as I type, with improved message/partial
>>> code in it. This should solve this problem with bigfoot.com DSNs.
>>>
>>> Please try this out and let me know how you get on.
>>>
>>> Thanks,
>>>
>>> Jules
>>>
>>>
>>
>>
>> I have just installed the 4.71.8-1 beta, and this is better, but there
>> is now a different problem.
>>
>> The message delivered to the recipient is fine. The message/partial part
>> has been removed and replaced with the attachment warning which says
>>
>> ----------------------------------------------------------------------
>> The original e-mail attachment "msg-26216-5.msg"
>> was believed to be infected by a virus and has been replaced by this warning
>> message.
>>
>> If you wish to receive a copy of the *infected* attachment, please
>> e-mail postmaster@sbh16.songbird.com and include the whole of this message
>> in your request.
>>
>> At Fri Aug 29 10:01:35 2008 the virus scanner said:
>> Fragmented messages cannot be scanned and are removed
>>
>> Note to Postmaster: Look on the GPC MailScanner in /var/spool/MailScanner/quarantine/20080829 (message 6C1E46900AA.4FC5C).
>>
>>
>> However, in the quarantine, the directory 20080829/6C1E46900AA.4FC5C is
>> created but it is empty.
>>
>That's because the part of the message isn't ever actually extracted
>into an attachment, it is just an "entity" in the MIME structure of the
>message, as opposed to being a real attachment. So I don't think there's
>much I can do about this. You could add some text on the end of the
>"Fragmented messages cannot be scanned and are removed" text that said
>that it was not quarantined, but I'm not quite sure what else we can do
>about this particular problem.

I'm not sure I understand the problem. It appears from the attachment
warning, that perl MIME::Tools (MIME::Parser ?) may have parsed this
message and stored the specific message/partial part contents in some
temporary file named msg-26216-5.msg. Is there some reason that file,
if it exists, can't just be put in the quarantine directory?

Also, perl MIME::Entity objects have print and print_body methods that
could be used to write the part to a file.

If there's some reason why this can't be done, it's not a big deal for
me, but I wonder why not.

>When it comes down to it, bigfoot shouldn't be doing this, they are
>using a wholly inappropriate message structure for their DSNs.
Inappropriate, yes, but understandable. Actually, their DSN is RFC 3464
compliant. It's just that their choice of message/partial for the
Content-Type of the third part (the headers of the original message) is
not RFC 2046 compliant in its use of the partial sub-type, but it's easy
to see how someone not familiar with what message/partial really is
could think that message/partial was an appropriate Content-Type for the
headers of a message.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From hvdkooij at vanderkooij.org Sun Aug 31 09:25:48 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 31 09:25:58 2008
Subject: DSNs from bigfoot.com are quarantined
In-Reply-To: <48B05EA8.3000508@msapiro.net>
References: <48B05EA8.3000508@msapiro.net>
Message-ID: <48BA558C.2050301@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Sapiro wrote:
> DSN's from bigfoot.com have the following structure
> ----------------------------------------------

I have been bothering them with a number of messages. Some small and
some large.

None of these however ever show the MIME type I see mentioned here:

> --200808230226058
> Content-Type: message/partial

So I am curious how you actually get these from bigfoot.com because I
can not create a message that will return me such a MIME type.

The whole discussion here might be a totally different problem that the
original poster may need to fix.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

    A: Yes.
    >Q: Are you sure?
    >>A: Because it reverses the logical flow of conversation.
    >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIulWJBvzDRVjxmYERAo/5AKChitytKs5Ii/dO+0fXph7FONmsFgCeKLbS
CF7shZXGEVfaKRPBpHeXLMA=
=+doh
-----END PGP SIGNATURE-----

From paul.hutchings at mira.co.uk Sun Aug 31 11:16:47 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Sun Aug 31 11:17:18 2008
Subject: virus detection reporting wrong scanner
Message-ID: <FF689DC51C3C1640BE668A0E31182AD004DB0E13@mail03.mira.co.uk>

I'm using clamd, avg and vba32.

In maillog, I see the following:

Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1 infections
Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123
Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses
Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at 1731 bytes per second

In the report I see this:

The following e-mails were found to have: Virus Detected

Sender: skatemurcia.com@llgc793.servidoresdns.net
IP Address: 217.76.130.123
Recipient: someone@ourdomain.com
Subject: Security Message - Important System Notification.
MessageID: C5B321FC55.019F5
Quarantine:
Report: Clamd: msg-22637-48.html was infected: HTML.Phishing.Bank-1248

Any suggestions? I know last week I had to modify one of the
MailScanner files to deal with the way that vba32 output changed since
the last MailScanner release.

Lint output:

Trying to setlogsock(unix)
Read 850 hostnames from the phishing whitelist
Read 5262 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.70.7) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
I have found clamd avg vba32 scanners installed, and will use them all by default.
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd, vba32, avg
===========================================================================
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
Avg: Virus identified EICAR_Test in eicar.com
Virus Scanning: Avg found 1 infections
/var/spool/MailScanner/incoming/23308/1/eicar.com : infected EICAR-Test-File
Virus Scanning: vba32 found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
Avg said "Found virus EICAR_Test in file eicar.com"
vba32 said "Found virus EICAR-Test-File in eicar.com"

If any of your virus scanners (clamd,vba32,avg)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its
virus.scanners.conf.

Cheers,
Paul

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use
of the intended recipient. If you receive this e-mail in error, please
delete it and notify us either by e-mail, telephone or fax. You should
not copy, forward or otherwise disclose the content of the e-mail as
this is prohibited.

From MailScanner at ecs.soton.ac.uk Sun Aug 31 14:10:32 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 31 14:10:59 2008
Subject: virus detection reporting wrong scanner
In-Reply-To: <EMEW-k7UBhf0b2bc851b430c519bd6cb9da5903f420-FF689DC51C3C1640BE668A0E31182AD004DB0E13@mail03.mira.co.uk>
References: <EMEW-k7UBhf0b2bc851b430c519bd6cb9da5903f420-FF689DC51C3C1640BE668A0E31182AD004DB0E13@mail03.mira.co.uk>
Message-ID: <48BA9848.3030402@ecs.soton.ac.uk>

Please try this with the latest beta (4.71.9) and let me know if it
still recurs.

Paul Hutchings wrote:
> I'm using clamd, avg and vba32.
>
> In maillog, I see the following:
>
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1
> infections
> Aug 31 02:11:56 relay MailScanner[22637]: Infected message
> C5B321FC55.019F5 came from 217.76.130.123
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1
> viruses
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at
> 1731 bytes per second
>
> In the report I see this:
>
> The following e-mails were found to have: Virus Detected
>
> Sender: skatemurcia.com@llgc793.servidoresdns.net
> IP Address: 217.76.130.123
> Recipient: someone@ourdomain.com
> Subject: Security Message - Important System Notification.
> MessageID: C5B321FC55.019F5
> Quarantine:
> Report: Clamd: msg-22637-48.html was infected:
> HTML.Phishing.Bank-1248
>
> Any suggestions? I know last week I had to modify one of the
> MailScanner files to deal with the way that vba32 output changed since
> the last MailScanner release.
>
> Lint output:
>
> Trying to setlogsock(unix)
> Read 850 hostnames from the phishing whitelist
> Read 5262 hostnames from the phishing blacklist
> Checking version numbers...
> Version number in MailScanner.conf (4.70.7) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> I have found clamd avg vba32 scanners installed, and will use them all
> by default.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd, vba32, avg
> ========================================================================
> ===
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Avg: Virus identified EICAR_Test in eicar.com
> Virus Scanning: Avg found 1 infections
> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected
> EICAR-Test-File
> Virus Scanning: vba32 found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> ========================================================================
> ===
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> Avg said "Found virus EICAR_Test in file eicar.com"
> vba32 said "Found virus EICAR-Test-File in eicar.com"
>
> If any of your virus scanners (clamd,vba32,avg)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
>
> Cheers,
> Paul
>
>
>

Jules

From MailScanner at ecs.soton.ac.uk Sun Aug 31 16:14:54 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 31 16:15:14 2008
Subject: DSNs from bigfoot.com are quarantined
In-Reply-To: <EMEW-k7U9aKf09b9b6a2a38839f5cd5abe0f046944e-48BA558C.2050301@vanderkooij.org>
References: <48B05EA8.3000508@msapiro.net>
    <EMEW-k7U9aKf09b9b6a2a38839f5cd5abe0f046944e-48BA558C.2050301@vanderkooij.org>
Message-ID: <48BAB56E.5050300@ecs.soton.ac.uk>

I have put out a new beta which should fix this problem for you, the
relevant part of the message will be quarantined for you.

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark Sapiro wrote:
>
>> DSN's from bigfoot.com have the following structure
>> ----------------------------------------------
>>
>
> I have been bothering them with a number of messages. Some small and
> some large.
>
> None of these however ever show the MIME type I see mentioned here:
>
>
>> --200808230226058
>> Content-Type: message/partial
>>
>
> So I am curious how you actually get these from bigfoot.com because I
> can not create a message that will return me such a MIME type.
>
> The whole discussion here might be a totally different problem that the
> original poster may need to fix.
>
> Hugo.
>
> - --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFIulWJBvzDRVjxmYERAo/5AKChitytKs5Ii/dO+0fXph7FONmsFgCeKLbS
> CF7shZXGEVfaKRPBpHeXLMA=
> =+doh
> -----END PGP SIGNATURE-----
>

Jules

From mark at msapiro.net Sun Aug 31 16:30:45 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Aug 31 16:30:55 2008
Subject: DSNs from bigfoot.com are quarantined
In-Reply-To: <48BA558C.2050301@vanderkooij.org>
References: <48B05EA8.3000508@msapiro.net>
    <48BA558C.2050301@vanderkooij.org>
Message-ID: <20080831153045.GA2964@msapiro>

On Sun, Aug 31, 2008 at 10:25:48AM +0200, Hugo van der Kooij wrote:
>
> Mark Sapiro wrote:
> > DSN's from bigfoot.com have the following structure
> > ----------------------------------------------
>
> I have been bothering them with a number of messages. Some small and
> some large.
>
> None of these however ever show the MIME type I see mentioned here:
>
> > --200808230226058
> > Content-Type: message/partial
>
> So I am curious how you actually get these from bigfoot.com because I
> can not create a message that will return me such a MIME type.
>
> The whole discussion here might be a totally different problem that the
> original poster may need to fix.
>
> Hugo.

If you just send to a non-existent address at bigfoot.com you will not
see the problem. In that case, bigfoot will reject the message at
incoming SMTP time, and the DSN you see will be from your own MTA, not
from bigfoot.

You have to send to a valid address at bigfoot.com that forwards to
some other address which is not deliverable.
Then bigfoot will get rejected when it attempts the forward and the
returned DSN will originate from bigfoot.

In the case I have observed, I am sending to an address at bigfoot.com
which forwards to earthlink.net. Earthlink is (or was) blocking all mail
from bigfoot, so earthlink rejects the mail and bigfoot returns the DSN.

I don't want to give the address for privacy reasons, but I have
attached the bigfoot DSN with the personal addresses (other than mine)
elided.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
Received: from mail-kr.bigfoot.com (mail-kr.bigfoot.com [211.115.216.252])
    by sbh16.songbird.com (Postfix) with SMTP id 0DA156903C2
    for <gpc-talk-bounces+xxxx=bigfoot.com@grizz.org>;
    Tue, 12 Aug 2008 15:25:41 -0700 (PDT)
Date: Wed, 13 Aug 2008 07:29:56 +0900
From: Mail Delivery Subsystem <MAILER-DAEMON@bigfoot.com>
Message-Id: <0808130729_BFLITEMAIL-KR5_1246012_1952174_5113@BFLITEMAIL-KR5.bigfoot.com>
To: <gpc-talk-bounces+xxxx=bigfoot.com@grizz.org>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="200808130756750"
Subject: Returned mail: Requested action not taken: mailbox unavailable
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--200808130756750

The original message was received at Wed, 13 Aug 2008 07:11:38 +0900 EST
from sbh16.songbird.com [72.52.113.16]

----- The following addresses had permanent fatal errors -----
<xxxx@earthlink.net>

----- Transcript of session follows -----
>>> MAIL FROM: <gpc-talk-bounces+xxxx=bigfoot.com@grizz.org>
<<< 550 550 Dynamic/zombied/spam IPs blocked. Write blockedbyearthlink@abuse.earthlink.net

--200808130756750
Content-Type: message/delivery-status

Reporting-MTA: dns; bflitemail-kr5.bigfoot.com
Arrival-Date: Wed, 13 Aug 2008 07:11:38 +0900 EST
Final-Recipient: RFC822; <xxxx@earthlink.net>
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx-coward.atl.sa.earthlink.net
Diagnostic-Code: SMTP; 550 550 Dynamic/zombied/spam IPs blocked. Write blockedbyearthlink@abuse.earthlink.net
Last-Attempt-Date: Wed, 13 Aug 2008 07:11:38 +0900 EST

--200808130756750
Content-Type: message/partial

Received: from sbh16.songbird.com ([72.52.113.16])
    by BFLITEMAIL-KR5.bigfoot.com (LiteMail v3.03(BFLITEMAIL-KR5))
    with SMTP id 0808130711_BFLITEMAIL-KR5_1036718_11913324;
    Wed, 13 Aug 2008 07:11:38 +0900 EST
Received: from sbh16.songbird.com (localhost.localdomain [127.0.0.1])
    by sbh16.songbird.com (Postfix) with ESMTP id 3EB15690469
    for <xxxx@bigfoot.com>; Fri, 8 Aug 2008 10:44:13 -0700 (PDT)
X-Original-To: gpc-talk@grizz.org
Delivered-To: gpc-talk@sbh16.songbird.com
Received: from rv-out-0708.google.com (rv-out-0708.google.com [209.85.198.246])
    by sbh16.songbird.com (Postfix) with ESMTP id 33DCD69044C
    for <gpc-talk@grizz.org>; Fri, 8 Aug 2008 10:44:08 -0700 (PDT)
Received: by rv-out-0708.google.com with SMTP id c5so1077754rvf.16
    for <gpc-talk@grizz.org>; Fri, 08 Aug 2008 10:43:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=gamma;
    h=domainkey-signature:received:received:message-id:date:from:to
    :subject:cc:in-reply-to:mime-version:content-type
    :content-transfer-encoding:content-disposition:references;
    bh=gpEcK9YzCXwToZ+MA2UmbhQmXU9/KUSMoqGlh/a2nAc=;
    b=YqeBgC+K3Y+nxAZjnB3IN0btHQbrMCZ3CIAZHjmafdSyjtcFgYM43YNAaUqDAXfSBu
    YGGqxlt1TOvIjBPtmAYhxCou2PIswCP/Cy1GS77uhvWLndNy6XH7j6Zwt+6kIMLKwX8M
    zY3hi9ilE8sMjFyIy8Low0jSFqtF7hw9NZAAo=
DomainKey-Signature: a=rsa-sha1; c=nofws;
    d=gmail.com; s=gamma;
    h=message-id:date:from:to:subject:cc:in-reply-to:mime-version
    :content-type:content-transfer-encoding:content-disposition
    :references;
    b=wj4tmvhB6tbWO08BMuT7TqIE6uoihk1ZuAsHQ6mIcVm2NkVDyc8RmEQVZGXMZ3yoNT
    cXr3McUesO55j94cvBq7XsmWbRwpUHUk7DbsSVABJ8VbRbC6spzY9SYRyeMlntNLju6E
    OcaSDdhl7xGmKj+XbEpTJgKrc0A+mvuAa4izg=
Received: by 10.140.201.8 with SMTP id y8mr1575174rvf.148.1218217420478;
    Fri, 08 Aug 2008 10:43:40 -0700 (PDT)
Received: by 10.141.115.15 with HTTP; Fri, 8 Aug 2008 10:43:40 -0700 (PDT)
Message-ID: <2a51cce0808081043g4d52be1diaa9c655c277c65ad@mail.gmail.com>
Date: Fri, 8 Aug 2008 10:43:40 -0700
From: "Rob ...." <xxxx@gmail.com>
To: "Mark Sapiro" <mark@msapiro.net>
In-Reply-To: <PC18702008080810293706098ee62706@msapiro>
MIME-Version: 1.0
Content-Disposition: inline
References: <000501c8f976$50734d50$6600a8c0@veronicapc>
    <PC18702008080810293706098ee62706@msapiro>
X-GPC-MailScanner-ID: 33DCD69044C.C864B
X-GPC-MailScanner: Found to be clean
X-GPC-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.751,
    required 5, autolearn=not spam, BAYES_00 -0.75, SPF_PASS -0.00)
X-GPC-MailScanner-From: xxxx@gmail.com
X-Spam-Status: No
Cc: gpc-talk@grizz.org
Subject: Re: [GPC] New Novice page: MPH ratings are wrong for rides 1-4
X-BeenThere: gpc-talk@grizz.org
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: Grizzly Peak Cyclists general discussion list <gpc-talk.grizz.org>
List-Unsubscribe: <http://www.grizz.org/mailman/options/gpc-talk>,
    <mailto:gpc-talk-request@grizz.org?subject=unsubscribe>
List-Archive: <http://www.grizz.org/mailman/private/gpc-talk>
List-Post: <mailto:gpc-talk@grizz.org>
List-Help: <mailto:gpc-talk-request@grizz.org?subject=help>
List-Subscribe: <http://www.grizz.org/mailman/listinfo/gpc-talk>,
    <mailto:gpc-talk-request@grizz.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: gpc-talk-bounces+xxxx=bigfoot.com@grizz.org
Errors-To: gpc-talk-bounces+xxxx=bigfoot.com@grizz.org

--200808130756750--

From mark at msapiro.net Sun Aug 31 16:41:03 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Aug 31 16:41:12 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
In-Reply-To: <48B79509.8040804@vanderkooij.org>
References: <PC1870200808242135190078d9acb021@msapiro>
    <48B247D3.6070602@vanderkooij.org>
    <48B29347.6000801@fsl.com>
    <48B79509.8040804@vanderkooij.org>
Message-ID: <20080831154103.GB2964@msapiro>

On Fri, Aug 29, 2008 at 08:19:53AM +0200, Hugo van der Kooij wrote:
>
> I think that the following header detection lines in postfix will spot
> and reject this specific RFC violation for me:
>
> # RFC2822 violations
> /^References:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>/ REJECT Your
> MessageID modifications of my MessageID violate RFC 2822 section 3.6.4
> /^In-Reply-To:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>/ REJECT
> Your MessageID modifications of my MessageID violate RFC 2822 section 3.6.4

Rejecting because of the In-Reply-To: is probably OK for what you intend,
but rejecting because of the References: is likely accusing an innocent
3rd party.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From hvdkooij at vanderkooij.org Sun Aug 31 17:46:29 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Aug 31 17:46:38 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
In-Reply-To: <20080831154103.GB2964@msapiro>
References: <PC1870200808242135190078d9acb021@msapiro>
    <48B247D3.6070602@vanderkooij.org>
    <48B29347.6000801@fsl.com>
    <48B79509.8040804@vanderkooij.org>
    <20080831154103.GB2964@msapiro>
Message-ID: <48BACAE5.4080400@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Sapiro wrote:
> On Fri, Aug 29, 2008 at 08:19:53AM +0200, Hugo van der Kooij wrote:
>> I think that the following header detection lines in postfix will spot
>> and reject this specific RFC violation for me:
>>
>> # RFC2822 violations
>> /^References:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>/ REJECT Your
>> MessageID modifications of my MessageID violate RFC 2822 section 3.6.4
>> /^In-Reply-To:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>/ REJECT
>> Your MessageID modifications of my MessageID violate RFC 2822 section 3.6.4
>
>
> Rejecting because of the In-Reply-To: is probably OK for what you intend,
> but rejecting because of the References: is likely accusing an innocent
> 3rd party.

I guess both expressions might be better if I use the non-greedy
version. But with the limitations I use and each MessageID being
correctly wrapped up in <> and separated with a folding whitespace the
whitespace will not be allowed as part of the regex.

In fact I might be missing cases where the abused MessageID is not on
the exact line where the two indicated headers are. I guess that postfix
actually joins things back to one line. But that is a reasonable guess
and not something I can determine for sure based on the manual page (man
5 header_check)

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

    A: Yes.
    >Q: Are you sure?
    >>A: Because it reverses the logical flow of conversation.
    >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIusrjBvzDRVjxmYERAtAiAJ0TWf4ZQk1m3VUfiIY3uZgYuzkYPQCbBGxn
I6rFXCk2+mv6YXutQ+WzYts=
=CMvd
-----END PGP SIGNATURE-----

From mark at msapiro.net Sun Aug 31 18:41:42 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Aug 31 18:41:58 2008
Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading
In-Reply-To: <48BACAE5.4080400@vanderkooij.org>
Message-ID: <PC187020080831104142021825214b04@msapiro>

Hugo van der Kooij wrote:
>
>Mark Sapiro wrote:
>> On Fri, Aug 29, 2008 at 08:19:53AM +0200, Hugo van der Kooij wrote:
>>> I think that the following header detection lines in postfix will spot
>>> and reject this specific RFC violation for me:
>>>
>>> # RFC2822 violations
>>> /^References:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>/ REJECT Your
>>> MessageID modifications of my MessageID violate RFC 2822 section 3.6.4
>>> /^In-Reply-To:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>/ REJECT
>>> Your MessageID modifications of my MessageID violate RFC 2822 section 3.6.4
>>
>>
>> Rejecting because of the In-Reply-To: is probably OK for what you intend,
>> but rejecting because of the References: is likely accusing an innocent
>> 3rd party.
>
>I guess both expressions might be better if I use the non-greedy
>version. But with the limitations I use and each MessageID being
>correctly wrapped up in <> and separated with a folding whitespace the
>whitespace will not be allowed as part of the regex.
>
>In fact I might be missing cases where the abused MessageID is not on
>the exact line where the two indicated headers are. I guess that postfix
>actually joins things back to one line. But that is a reasonable guess
>and not something I can determine for sure based on the manual page (man
>5 header_check)

The man page says "Note: message headers are examined one logical
header at a time, even when a message header spans multiple lines."

It seems clear to me that this is saying that the header is unfolded
before matching against the regexp.

However, are you missing my original point? The Message-Id: of your
message has been munged by some agent in the delivery path to the
person who generated the reply with the munged message id in the
In-Reply-To: header. That person may have control over the agent that
did the munging, but subsequent replies in the thread which include the
munged message id in References: are generated by people who have no
involvement, even indirectly, with the agent that munged the message id.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
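
The two questions raised in the header_checks exchange above (does a folded header still match, and who gets rejected by each rule) can be checked offline. This is an added example, not code from any poster or from Postfix: it applies the two posted patterns to constructed headers, once per logical header and once per physical line. The sample addresses, the case-insensitive matching and the `verdict` labels are assumptions of the example.

```python
import re

# The two patterns posted in the thread, without their REJECT action text.
# Assumption: matching is case-insensitive, modelled with re.IGNORECASE.
RULES = [
    ("References", r"^References:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>"),
    ("In-Reply-To", r"^In-Reply-To:.*<EMEW-[\-\.0-9A-Za-z]*@vanderkooij.org>"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

# Rewritten Message-ID as it appears in a header earlier in this archive.
EMEW_ID = ("<EMEW-k7U9aKf09b9b6a2a38839f5cd5abe0f046944e-"
           "48BA558C.2050301@vanderkooij.org>")

# Constructed sample: the first reply, written behind the gateway that
# rewrote the Message-ID, so the rewritten id lands in In-Reply-To.
DIRECT_REPLY = "\n".join([
    "From: replier@example.org",
    "In-Reply-To: " + EMEW_ID,
    "References: <48B05EA8.3000508@msapiro.net>",
    " " + EMEW_ID,
    "",
    "body",
])

# Constructed sample: a later reply from someone else. Their mail client
# copied the rewritten id into References; In-Reply-To names another message.
THIRD_PARTY = "\n".join([
    "From: bystander@example.net",
    "In-Reply-To: <constructed-1@example.org>",
    "References: <48B05EA8.3000508@msapiro.net>",
    " " + EMEW_ID,
    " <constructed-1@example.org>",
    "",
    "body",
])


def headers(raw, unfold=True):
    """Return the header lines of a message. With unfold=True, folded
    continuation lines are joined into one logical header, which is how
    the quoted man page says headers are examined."""
    out = []
    for line in raw.splitlines():
        if not line:  # the first blank line ends the header block
            break
        if unfold and line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def fired(raw, unfold=True):
    """Names of the rules that match, in header order."""
    return [name for h in headers(raw, unfold)
            for name, rx in COMPILED if rx.search(h)]


def verdict(raw):
    """One way to act on the distinction drawn in the thread: reject only
    on In-Reply-To and merely note a References-only hit (labels are
    hypothetical)."""
    hits = fired(raw)
    if "In-Reply-To" in hits:
        return "reject"
    return "references-only" if "References" in hits else "pass"


if __name__ == "__main__":
    for label, sample in (("direct reply", DIRECT_REPLY),
                          ("third party", THIRD_PARTY)):
        print(label, fired(sample), fired(sample, unfold=False),
              verdict(sample))
```

Matched per physical line, the folded References header is missed entirely; matched per logical header, the References rule fires on the third-party reply even though its sender never touched the rewriting gateway.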
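
For the bigfoot.com DSN discussed earlier in this thread, the following added example (not MailScanner's code and not code from any poster) uses Python's standard `email` package to find `message/partial` entities, tell a real RFC 2046 fragment (which carries `id` and `number` parameters) from a mislabelled part like the one in the DSN, and serialise the entity so it could be written to a quarantine file. Both messages are constructed and shortened; the `example.org` names and the dictionary keys are assumptions.

```python
import email

# Constructed, shortened DSN modelled on the structure quoted in the thread:
# the third part carries the original headers labelled as message/partial.
DSN = "\n".join([
    "From: Mail Delivery Subsystem <MAILER-DAEMON@bigfoot.com>",
    "MIME-Version: 1.0",
    "Content-Type: multipart/report; report-type=delivery-status;",
    ' boundary="200808130756750"',
    "",
    "This is a MIME-encapsulated message",
    "",
    "--200808130756750",
    "",
    "----- The following addresses had permanent fatal errors -----",
    "<xxxx@earthlink.net>",
    "",
    "--200808130756750",
    "Content-Type: message/delivery-status",
    "",
    "Reporting-MTA: dns; bflitemail-kr5.bigfoot.com",
    "",
    "Final-Recipient: RFC822; <xxxx@earthlink.net>",
    "Action: failed",
    "Status: 5.1.1",
    "",
    "--200808130756750",
    "Content-Type: message/partial",
    "",
    "Message-ID: <2a51cce0808081043g4d52be1diaa9c655c277c65ad@mail.gmail.com>",
    "Subject: Re: [GPC] New Novice page: MPH ratings are wrong for rides 1-4",
    "",
    "--200808130756750--",
    "",
])

# Constructed sample of a genuine fragment: first piece of a split message.
FRAGMENT = "\n".join([
    "From: sender@example.org",
    'Content-Type: message/partial; id="constructed-frag@example.org";',
    " number=1; total=2",
    "",
    "Message-ID: <constructed-whole@example.org>",
    "Subject: first half of a split message",
    "",
    "beginning of the body...",
    "",
])


def partial_entities(raw):
    """Describe every message/partial entity found in a message.

    'fragment' is True only when the id and number parameters that
    RFC 2046 defines for fragments are both present."""
    report = []
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/partial":
            continue
        frag_id = part.get_param("id")
        number = part.get_param("number")
        # The parser treats any message/* body as an enclosed message, so
        # the headers inside the part are available as a Message object.
        inner = part.get_payload(0) if part.is_multipart() else None
        report.append({
            "fragment": frag_id is not None and number is not None,
            "id": frag_id,
            "number": number,
            "inner_message_id": inner["Message-ID"] if inner is not None else None,
            # Serialised entity, suitable for writing to a quarantine file.
            "raw": part.as_string(),
        })
    return report


if __name__ == "__main__":
    for label, sample in (("DSN", DSN), ("fragment", FRAGMENT)):
        for entry in partial_entities(sample):
            print(label, entry["fragment"], entry["id"], entry["number"],
                  entry["inner_message_id"])
```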