From garry at glendown.de Mon Dec 1 05:24:40 2008
From: garry at glendown.de (Garry Glendown)
Date: Mon Dec 1 05:24:50 2008
Subject: Using other blacklists for host blocking?
In-Reply-To: <4933116C.2050105@vanderkooij.org>
References: <4932DCCB.1080002@glendown.de> <4933116C.2050105@vanderkooij.org>
Message-ID: <49337518.6000204@glendown.de>

Hugo van der Kooij wrote:
> The two are totally unrelated. Most SSH sessions originate from unix
> boxes under poor management.
>
> Where just about all spam originates from poorly managed windows machines.
>
> So what will you learn in relation to SMTP from these SSH connections?
> Just about nothing.

Well, the amount of unsuccessful SSH attempts seemed to vary coincidently
with the McColo shutdown ... that's what got me thinking ... guess I need
to do some log analysis on my main MX box and see if there's any amount
of matches ...

-gg

From craig at csfs.co.za Mon Dec 1 10:00:46 2008
From: craig at csfs.co.za (Craig Retief)
Date: Mon Dec 1 10:13:15 2008
Subject: MailScanner 4.73.4-1 missing tnef-1.4.4 in perl-tar directory
Message-ID: <1228125646.6796.8.camel@cX>

hi Julian,

seems that the new installer for tar is missing the tnef-1.4.4 file.

I see that 1.4.5 is also available. Maybe use the new version instead
of 1.4.4?

Cheers

Craig

From gregg at mochabomb.com Mon Dec 1 10:03:51 2008
From: gregg at mochabomb.com (Gregg Lain)
Date: Mon Dec 1 10:58:19 2008
Subject: Using other blacklists for host blocking?
In-Reply-To: <4932DCCB.1080002@glendown.de>
References: <4932DCCB.1080002@glendown.de>
Message-ID: <4933B687.4050606@mochabomb.com>

Ever tried denyhosts? It also has a feature where other denyhosts boxes
feed a central DB of failures - and those common entries are updated
hourly in /etc/hosts.deny - worked well to block out those mismanaged
boxes.
Also, I suggest moving the ssh port - I moved mine to a port above 1500
and been over 16 months and still not one hit yet. It's in the middle of
a range protected by portsentry - I am sure if some hacker tried to they
could find the port, but they have not yet..

Also junkemailfilter.com
( http://www.junkemailfilter.com/spam/how_it_works.html )
is a very good read - implemented the fake MX records and spam dropped
to near nil.. In fact when I broke my perl install by using both rpm and
cpan, ran for 2 months on one install w/o mailscanner and barely any
spam...

/Gregg

Garry wrote:
> Seeing the rising amount of failed SSH attempts to several of the boxes
> I have, I was wondering ... has anyone here tried to use some other
> blacklists to block incoming MTA access?
>
> Assuming that a large amount of spam is delivered through botnets, which
> may also be used for other types of attacks, using data from one attack
> vector might be helpful in taking care of other things, too ...
> especially as things like failed SSH connections are more objective than
> deciding whether a mail is spam or not ...
>
> Any comments?
>
> -garry

From garry at glendown.de Mon Dec 1 11:25:50 2008
From: garry at glendown.de (Garry)
Date: Mon Dec 1 11:26:07 2008
Subject: Using other blacklists for host blocking?
In-Reply-To: <4933B687.4050606@mochabomb.com>
References: <4932DCCB.1080002@glendown.de> <4933B687.4050606@mochabomb.com>
Message-ID: <4933C9BE.4020602@glendown.de>

Gregg Lain wrote:
> Ever tried denyhosts? It also has a feature where other denyhosts
> boxes feed a central

That's why I'm asking ... my hosts.deny is nicely filled with all the
hosts that attempted the login to my boxes, as well as the data from all
the other sites ...
if a decent percentage of those were zombies that also were used for
spam delivery, it would lower the CPU cost for blocking with the MTA
using that blacklist ...

> Also junkemailfilter.com (
> http://www.junkemailfilter.com/spam/how_it_works.html )
> is a very good read - implemented the fake MX records

Interesting setup ...

-garry

From Denis.Beauchemin at USherbrooke.ca Mon Dec 1 13:38:28 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Dec 1 13:38:47 2008
Subject: log files double rotate happening
In-Reply-To: <49330B7D.4060300@rheel.co.nz>
References: <49330B7D.4060300@rheel.co.nz>
Message-ID: <4933E8D4.1080902@USherbrooke.ca>

Lists wrote:
> Hi all,
>
> I have set up in logrotate.conf the following (intent is to compress
> the maillog files weekly)
> what is happening is that i'm getting zip files created ie
> maillog.1.gz but also getting the maillog.0 maillog.1 files being
> created.
> It is making it quite difficult to find information in them later.

Kate,

Use the "dateext" directive (if your logrotate supports it):

    dateext
        Archive old versions of log files adding a daily extension
        like YYYYMMDD instead of simply adding a number.

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From jaearick at colby.edu Mon Dec 1 13:59:03 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Mon Dec 1 13:59:20 2008
Subject: MailScanner 4.73.4-1 missing tnef-1.4.4 in perl-tar directory
In-Reply-To: <1228125646.6796.8.camel@cX>
References: <1228125646.6796.8.camel@cX>
Message-ID:

Julian et al,

I have been using tnef 1.4.5 since November 4 with MS 4.72.5 with no
problems. I would urge Julian to upgrade it.
Jeff Earickson
Colby College

On Mon, 1 Dec 2008, Craig Retief wrote:

> Date: Mon, 01 Dec 2008 12:00:46 +0200
> From: Craig Retief
> Reply-To: MailScanner discussion
> To: mailscanner@lists.mailscanner.info
> Subject: MailScanner 4.73.4-1 missing tnef-1.4.4 in perl-tar directory
>
> hi Julian,
>
> seems that the new installer for tar is missing the tnef-1.4.4 file.
>
> I see that 1.4.5 is also available. Maybe use the new version instead
> of 1.4.4?
>
> Cheers
>
> Craig

From t.d.lee at durham.ac.uk Mon Dec 1 14:02:20 2008
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Dec 1 14:05:42 2008
Subject: Centos 5.2, MS, perl ClamAV module
In-Reply-To:
References:
Message-ID:

On Sun, 30 Nov 2008, Scott Silva wrote:

> on 11-27-2008 8:39 AM David Lee spake the following:
>> [...]
>> Is the recommendation is that we no longer use the perl ClamAV module
>> and instead use "clamd"?
>>
>> If so, then are all the pieces in place to ensure that the "clamd"
>> module is automatically invoked? (The "chkconfig ..." and "service ...
>> start" or equivalents?)
>>
> Since you are using CentOS 5, you can enable the rpmforge repo and get
> spamassassin and clamav from yum.
> The yum repo has a working clamd setup, and even Julian has recommended
> this way with CentOS.

Many thanks for that most useful reply. Appreciated.

For my particular instance, that sounds good; I've just done a quick
test to verify it. (I'm hitting a couple of "selinux" oddities, but
there's a possibility that they are because of local oddities here, not
necessarily in the rpmforge packages.)

For the general case (e.g. not CentOS; user installing SA/ClamAV
package) might there still be a case for the SA/ClamAV to be able to
install the "init.d" script (and other things) to provide a consistent
installation?

Thanks again.

--
: David Lee I.T.
Service :
: Senior Systems Programmer Computer Centre :
: UNIX Team Leader Durham University :
: South Road :
: http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :

From MailScanner at ecs.soton.ac.uk Mon Dec 1 16:44:14 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Dec 1 16:44:36 2008
Subject: MailScanner 4.73.4-1 missing tnef-1.4.4 in perl-tar directory
In-Reply-To:
References: <1228125646.6796.8.camel@cX>
Message-ID: <4934145E.40107@ecs.soton.ac.uk>

I'm not going to switch the new version to 1.4.5 right now, without a
chance to test it first. But I have released 4.73.4-2 with the tnef
1.4.4 in the tarball distribution.

Thanks for spotting the omission!

Jules.

P.S. Sorry not enough energy to do the announcement today, I'll get it
out tomorrow, and I'll do the PGP sigs then too.

On 1/12/08 13:59, Jeff A. Earickson wrote:
> Julian et al,
>
> I have been using tnef 1.4.5 since November 4 with MS 4.72.5 with no
> problems. I would urge Julian to upgrade it.
>
> Jeff Earickson
> Colby College
>
> On Mon, 1 Dec 2008, Craig Retief wrote:
>
>> Date: Mon, 01 Dec 2008 12:00:46 +0200
>> From: Craig Retief
>> Reply-To: MailScanner discussion
>> To: mailscanner@lists.mailscanner.info
>> Subject: MailScanner 4.73.4-1 missing tnef-1.4.4 in perl-tar directory
>>
>> hi Julian,
>>
>> seems that the new installer for tar is missing the tnef-1.4.4 file.
>>
>> I see that 1.4.5 is also available. Maybe use the new version in stead
>> of 1.4.4?
>>
>> Cheers
>>
>> Craig

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From MailScanner at ecs.soton.ac.uk Mon Dec 1 16:46:16 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Dec 1 16:46:39 2008
Subject: Centos 5.2, MS, perl ClamAV module
In-Reply-To:
References:
Message-ID: <493414D8.9090705@ecs.soton.ac.uk>

On 1/12/08 14:02, David Lee wrote:
> On Sun, 30 Nov 2008, Scott Silva wrote:
>
>> on 11-27-2008 8:39 AM David Lee spake the following:
>>> [...]
>>> Is the recommendation is that we no longer use the perl ClamAV module
>>> and instead use "clamd"?
>>>
>>> If so, then are all the pieces in place to ensure that the "clamd"
>>> module is automatically invoked? (The "chkconfig ..." and "service ...
>>> start" or equivalents?)
>>>
>> Since you are using CentOS 5, you can enable the rpmforge repo and
>> get spamassassin and clamav from yum.
>> The yum repo has a working clamd setup, and even Julian has
>> recommended this way with CentOS.
>
> Many thanks for that most useful reply. Appreciated.
>
> For my particular instance, that sounds good; I've just done a quick
> test to verify it. (I'm hitting a couple of "selinux" oddities, but
> there's a possibility that they are because of local oddities here,
> not necessarily in the rpmforge packages.)
>
> For the general case (e.g. not CentOS; user installing SA/ClamAV
> package) might there still be a case for the SA/ClamAV to be able to
> install the "init.d" script (and other things) to provide a consistent
> installation?

The reason I haven't done it in the past is that the init.d script has
to be totally different for every major Linux distro, let alone Solaris
and other Unices. So I would have to write half a dozen for it to be any
use. The current SA+ClamAV package is Unix-independent.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From ecasarero at gmail.com Mon Dec 1 16:50:30 2008
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Mon Dec 1 16:50:41 2008
Subject: Virus action: Fwd emails to 1 address
Message-ID: <7d9b3cf20812010850i74fa8c47g813c1ef459b72a2@mail.gmail.com>

hi!

first of all, this is a request from my users... They requested me, if
there is any way to forward all emails with virus (detected with clamav)
to one specified email address.

I know, if it's virus what would you do with that, but you know, they're
users...

Can anyone give me some tips? I've been looking in mailscanner.conf but
I didn't find anything.

thanks!

Eduardo.

From ms-list at alexb.ch Mon Dec 1 17:00:11 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Dec 1 17:00:21 2008
Subject: Centos 5.2, MS, perl ClamAV module
In-Reply-To: <493414D8.9090705@ecs.soton.ac.uk>
References: <493414D8.9090705@ecs.soton.ac.uk>
Message-ID: <4934181B.7040305@alexb.ch>

On 12/1/2008 5:46 PM, Julian Field wrote:
>>
>> For the general case (e.g. not CentOS; user installing SA/ClamAV
>> package) might there still be a case for the SA/ClamAV to be able to
>> install the "init.d" script (and other things) to provide a consistent
>> installation?
> The reason I haven't done it in the past is that the init.d script has
> to be totally different for every major Linux distro, let alone Solaris
> and other Unices. So I would have to write half a dozen for it to be any
> use. The current SA+ClamAV package is Unix-independent. Jules

It may be time to drop ClamavModule support altogether.
or is there a real good reason to keep on using it?

Alex

From devonharding at gmail.com Mon Dec 1 19:02:27 2008
From: devonharding at gmail.com (Devon Harding)
Date: Mon Dec 1 19:02:35 2008
Subject: Retry delays
Message-ID: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com>

If my Mail server is not available for some time (ie. maintenance), how
can I configure MailScanner to hold the message for a period of time
instead of rejecting it and sending it back to the sender?

-Devon

From agross at gcpsite.com Mon Dec 1 19:27:48 2008
From: agross at gcpsite.com (Adam Gross)
Date: Mon Dec 1 19:28:07 2008
Subject: Retry delays
In-Reply-To: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com>
References: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com>
Message-ID: <826D5FDFCF76F6499D59755D401D6A8601293A@gcpads01.gcpsite.local>

What has worked for me is stopping MailScanner (killall -9 MailScanner)
and leaving the MTA running. When I'm done with the mailbox server I run
check_mailscanner to start it back up and it starts chugging away.

Adam Gross | agross@gcpsite.com | 859-630-8722

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Devon Harding
Sent: Monday, December 01, 2008 2:02 PM
To: MailScanner discussion
Subject: Retry delays

If my Mail server is not available for some time(ie. maintenance), how
can I configure MailScanner to hold the message for a period of time
instead of rejecting it and sending it back to the sender?

-Devon
From steve.freegard at fsl.com Mon Dec 1 19:43:06 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Dec 1 19:43:16 2008
Subject: Retry delays
In-Reply-To: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com>
References: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com>
Message-ID: <49343E4A.5040303@fsl.com>

Hi Devon,

Devon Harding wrote:
> If my Mail server is not available for some time(ie. maintenance), how
> can I configure MailScanner to hold the message for a period of time
> instead of rejecting it and sending it back to the sender?

MailScanner doesn't have anything to do with message delivery - that's
the job of your MTA.

Provided the mailboxes are not on the same box as MailScanner; you don't
need to do anything. Your MTA will automatically queue mail to the
destination system if it is down or not responding.

Cheers,
Steve.

From mmcintosh at infowall.com Mon Dec 1 19:56:20 2008
From: mmcintosh at infowall.com (mmcintosh Infowall)
Date: Mon Dec 1 19:56:55 2008
Subject: Retry delays
In-Reply-To: <49343E4A.5040303@fsl.com>
References: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com> <49343E4A.5040303@fsl.com>
Message-ID: <49344164.9070803@infowall.com>

Steve Freegard wrote:
> Hi Devon,
>
> Devon Harding wrote:
>> If my Mail server is not available for some time(ie. maintenance),
>> how can I configure MailScanner to hold the message for a period of
>> time instead of rejecting it and sending it back to the sender?
>
> MailScanner doesn't have anything to do with message delivery - that's
> the job of your MTA.
>
> Provided the mailboxes are not on the same box as MailScanner; you
> don't need to do anything. Your MTA will automatically queue mail to
> the destination system if it is down or not responding.
>
> Cheers,
> Steve.
Hi Devon,

FYI I have used Zone Edits service for this type of event in the past.
May not be what you are looking for but it has helped us during past
issues. It is inexpensive and has been around for some time.

http://www.zoneedit.com/

Backup Mail Service (Store and Forward Service)

When you sign up for the backup mail service, we automatically add our
backup mail server in an MX record to your zone. This causes all
incoming mail to attempt your primary server first, and if that fails,
to try our backup server. When our backup server gets mail for you, it
looks up your primary server, and periodically attempts to redeliver
your mail to the primary. It will attempt redelivery for 10 days before
returning the mail to the sender as undeliverable

Mark McIntosh
Infowall Technologies

From gesbbb at yahoo.com Mon Dec 1 19:59:42 2008
From: gesbbb at yahoo.com (Jerry)
Date: Mon Dec 1 20:00:03 2008
Subject: Virus action: Fwd emails to 1 address
In-Reply-To: <7d9b3cf20812010850i74fa8c47g813c1ef459b72a2@mail.gmail.com>
References: <7d9b3cf20812010850i74fa8c47g813c1ef459b72a2@mail.gmail.com>
Message-ID: <20081201145942.2438ff1a@scorpio>

On Mon, 1 Dec 2008 14:50:30 -0200 "Eduardo Casarero" wrote:

>first of all, this is a request from my users... They requested me, if
>there is any way to forward all emails with virus(detected with
>clamav) to one specified email address.
>
>I know, if it's virus what would you do with that, but you know,
>they're users...

No virus scanner is 100% perfect. One way or another, they all screw up
occasionally. There is nothing worse than losing an important email to
the bit bucket due to an errant virus detection. All emails, regardless
of type, should be forwarded onto the intended recipient unless you have
their permission to discard them.
From my own personal experience, end users want to receive them, albeit
in a separate folder or however their system is configured.

--
Jerry
gesbbb@yahoo.com

Why do they call it baby-SITTING when all you do is run after them?

From devonharding at gmail.com Mon Dec 1 20:30:19 2008
From: devonharding at gmail.com (Devon Harding)
Date: Mon Dec 1 20:30:30 2008
Subject: Retry delays
In-Reply-To: <826D5FDFCF76F6499D59755D401D6A8601293A@gcpads01.gcpsite.local>
References: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com> <826D5FDFCF76F6499D59755D401D6A8601293A@gcpads01.gcpsite.local>
Message-ID: <2baac6140812011230s50a0e160ya9c59140a9a04436@mail.gmail.com>

On Mon, Dec 1, 2008 at 2:27 PM, Adam Gross wrote:

> What has worked for me is stopping MailScanner (killall -9 MailScanner)
> and leaving the MTA running. When I'm done with the mailbox server I run
> check_mailscanner to start it back up and it starts chugging away.

Yea...but I didn't want to stop MS from receiving mail. just not forward
to my Exchange server till it was ready. Where are the delay settings in
send mail? How can I increase them?

-Devon
From craig at csfs.co.za Mon Dec 1 20:45:13 2008
From: craig at csfs.co.za (Craig Retief)
Date: Mon Dec 1 20:46:03 2008
Subject: MailScanner 4.73.4-1 missing tnef-1.4.4 in perl-tar directory
In-Reply-To: <4934145E.40107@ecs.soton.ac.uk>
References: <1228125646.6796.8.camel@cX> <4934145E.40107@ecs.soton.ac.uk>
Message-ID: <1228164313.16668.4.camel@cX>

On Mon, 2008-12-01 at 16:44 +0000, Julian Field wrote:
> I'm not going to switch the new version to 1.4.5 right now, without a
> chance to test it first. But I have released 4.73.4-2 with the tnef
> 1.4.4 in the tarball distribution.
>
> Thanks for spotting the omission!

That's why we are here ;) to assist you when you are not up to it.

get well soon Jules!!

Craig

>
> Jules.
>
> P.S. Sorry not enough energy to do the announcement today, I'll get it
> out tomorrow, and I'll do the PGP sigs then too.
>
> On 1/12/08 13:59, Jeff A. Earickson wrote:
> > Julian et al,
> >
> > I have been using tnef 1.4.5 since November 4 with MS 4.72.5 with no
> > problems. I would urge Julian to upgrade it.
> >
> > Jeff Earickson
> > Colby College
> >
> > On Mon, 1 Dec 2008, Craig Retief wrote:
> >
> >> Date: Mon, 01 Dec 2008 12:00:46 +0200
> >> From: Craig Retief
> >> Reply-To: MailScanner discussion
> >> To: mailscanner@lists.mailscanner.info
> >> Subject: MailScanner 4.73.4-1 missing tnef-1.4.4 in perl-tar directory
> >>
> >> hi Julian,
> >>
> >> seems that the new installer for tar is missing the tnef-1.4.4 file.
> >>
> >> I see that 1.4.5 is also available. Maybe use the new version in stead
> >> of 1.4.4?
> >>
> >> Cheers
> >>
> >> Craig
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc

From ecasarero at gmail.com Tue Dec 2 00:24:41 2008
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Tue Dec 2 00:24:52 2008
Subject: Virus action: Fwd emails to 1 address
In-Reply-To: <20081201145942.2438ff1a@scorpio>
References: <7d9b3cf20812010850i74fa8c47g813c1ef459b72a2@mail.gmail.com> <20081201145942.2438ff1a@scorpio>
Message-ID: <7d9b3cf20812011624u31ab81d7r4483cfddfcaf943@mail.gmail.com>

2008/12/1 Jerry

> On Mon, 1 Dec 2008 14:50:30 -0200
> "Eduardo Casarero" wrote:
>
> >first of all, this is a request from my users... They requested me, if
> >there is any way to forward all emails with virus(detected with
> >clamav) to one specified email address.
> >
> >I know, if it's virus what would you do with that, but you know,
> >they're users...
>
> No virus scanner is 100% perfect. One way or another, they all screw up
> occasionally. There is nothing worse than losing an important email to
> the bit bucket do to an errant virus detection. All emails, regardless
> of type, should be forwarded onto the intended recipient unless you
> have their permission to discard them. From my own personal experience,
> end users want to receive them, abet in a separate folder or however
> their system is configured.
>

Ok, but any idea of how to configure MailScanner to send virus to a
specific address?

> --
> Jerry
> gesbbb@yahoo.com
>
> Why do they call it baby-SITTING when all you do is run after them?
From ssilva at sgvwater.com Tue Dec 2 00:33:40 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 2 00:34:09 2008
Subject: Centos 5.2, MS, perl ClamAV module
In-Reply-To:
References:
Message-ID:

> For the general case (e.g. not CentOS; user installing SA/ClamAV
> package) might there still be a case for the SA/ClamAV to be able to
> install the "init.d" script (and other things) to provide a consistent
> installation?
>
> Thanks again.
>

When I first experimented with clamd, there were several versions of
init scripts in the tarball. I don't remember if they install to the
docs directory or not, but it is easy enough to untar the clamav source
and get them.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Tue Dec 2 00:45:04 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 2 00:45:29 2008
Subject: Retry delays
In-Reply-To: <2baac6140812011230s50a0e160ya9c59140a9a04436@mail.gmail.com>
References: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com> <826D5FDFCF76F6499D59755D401D6A8601293A@gcpads01.gcpsite.local> <2baac6140812011230s50a0e160ya9c59140a9a04436@mail.gmail.com>
Message-ID:

on 12-1-2008 12:30 PM Devon Harding spake the following:
>
> On Mon, Dec 1, 2008 at 2:27 PM, Adam Gross wrote:
>
>     What has worked for me is stopping MailScanner (killall -9
>     MailScanner) and leaving the MTA running.
>     When I'm done with the mailbox server I run check_mailscanner to
>     start it back up and it starts chugging away.
>
> Yea...but I didn't want to stop MS from receiving mail. just not
> forward to my Exchange server till it was ready. Where are the delay
> settings in send mail? How can I increase them?
>
> -Devon
>

Sendmail defaults to 4 days. Is that long enough?
If not, look in sendmail.mc for

    define(`confTO_QUEUERETURN', `4d')dnl

and change the 4d to whatever you need.
Then recompile to your sendmail.cf

From michael at huntley.net Tue Dec 2 02:22:57 2008
From: michael at huntley.net (Michael Huntley)
Date: Tue Dec 2 02:23:20 2008
Subject: Centos 5.2, MS, perl ClamAV module
In-Reply-To:
References:
Message-ID: <49349C01.5050805@huntley.net>

Scott Silva wrote:
>> For the general case (e.g. not CentOS; user installing SA/ClamAV
>> package) might there still be a case for the SA/ClamAV to be able to
>> install the "init.d" script (and other things) to provide a consistent
>> installation?
>>
>> Thanks again.
>>
> When I first experimented with clamd, there were several versions of init
> scripts in the tarball. I don't remember if they install to the docs directory
> or not, but it is easy enough to untar the clamav source and get them.
>

I use the ATRPMS repository for ClamAV and CentOS 5.x.

Source RPM: http://dl.atrpms.net/all/clamav-0.94.2-41.src.rpm

I then use Julian's package for Spamassassin.

I never have had a problem. Give it a try.
mph

vinum vesco valens viscus

From devonharding at gmail.com Tue Dec 2 02:44:20 2008
From: devonharding at gmail.com (Devon Harding)
Date: Tue Dec 2 02:44:29 2008
Subject: Retry delays
In-Reply-To:
References: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com> <826D5FDFCF76F6499D59755D401D6A8601293A@gcpads01.gcpsite.local> <2baac6140812011230s50a0e160ya9c59140a9a04436@mail.gmail.com>
Message-ID: <2baac6140812011844i6b42603bpc3831eaedac873b0@mail.gmail.com>

On Mon, Dec 1, 2008 at 7:45 PM, Scott Silva wrote:

> on 12-1-2008 12:30 PM Devon Harding spake the following:
> >
> > On Mon, Dec 1, 2008 at 2:27 PM, Adam Gross wrote:
> >
> >     What has worked for me is stopping MailScanner (killall -9
> >     MailScanner) and leaving the MTA running. When I'm done with the
> >     mailbox server I run check_mailscanner to start it back up and it
> >     starts chugging away.
> >
> > Yea...but I didn't want to stop MS from receiving mail. just not
> > forward to my Exchange server till it was ready. Were are the delay
> > settings in send mail? How can I increase them?
> >
> > -Devon
> >
> Sendmail defaults to 4 days. Is that long enough?
> If not, look in sendmail.mc for
> define(`confTO_QUEUERETURN', `4d')dnl
> and change the 4d to whatever you need.
> Then recompile to your sendmail.cf
>
> --
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>

Just what I was looking for! Anyway to disable the warnings that get
sent to the sender when the server is not available? I think it sends
after like two days.

-Devon

From traced at xpear.de Tue Dec 2 10:34:15 2008
From: traced at xpear.de (traced@xpear.de)
Date: Tue Dec 2 10:34:28 2008
Subject: Can I inform recipients about a quarantined virus?
Message-ID: <77c6c77beab7f06f7c9f03c73f0772a3@localhost>

Hi,

I found several ways to inform the sender of a virus, but, maybe I'm
blind, but how can I inform the recipient instead of the sender?

Thank you & Regards,
Bastian

From ugob at lubik.ca Tue Dec 2 13:09:35 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Dec 2 13:09:57 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To: <77c6c77beab7f06f7c9f03c73f0772a3@localhost>
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost>
Message-ID:

traced@xpear.de wrote:
> Hi,
>
> I found several ways to inform the sender of a virus, but, maybe I'm blind,
>
> but how can i inform the recipient instead of the sender?

You can do it but it is a very bad idea, as a lot of viruses are sent
with forged address. If you really want to do it, you must check the
silent viruses parameter.

From maillists at conactive.com Tue Dec 2 14:33:34 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 2 14:33:43 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To:
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost>
Message-ID:

Ugo Bellavance wrote on Tue, 02 Dec 2008 08:09:35 -0500:

> You can do it but it is a very bad idea, as a lot of viruses are sent
> with forged address.

It might be a bad idea, but I can't see why it should be a bad idea for
this reason. It's obvious that you don't want to alert faked *senders*,
but he asked about recipients. In my eyes it doesn't make sense to
inform recipients of a *detected* virus either, but it may make sense to
notify *recipients* of "other bad content" (only if it didn't get
detected as a virus at the same time) as it may actually be something
they wanted to receive. Actually, I wouldn't be sure how to handle that
if I wanted to.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From john at tradoc.fr Tue Dec 2 15:11:43 2008
From: john at tradoc.fr (John Wilcock)
Date: Tue Dec 2 15:11:56 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To:
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost>
Message-ID: <4935502F.2000605@tradoc.fr>

Kai Schaetzl wrote:
> Ugo Bellavance wrote on Tue, 02 Dec 2008 08:09:35 -0500:
>
>> You can do it but it is a very bad idea, as a lot of viruses are sent
>> with forged address.
>
> It might be a bad idea, but I can't see why it should be a bad idea for
> this reason. It's obvious that you don't want to alert faked *senders*,
> but he asked about recipients. In my eyes it doesn't make sense to inform
> recipients of a *detected* virus either, but it may make sense to notify
> *recipients* of "other bad content" (only if it didn't get detected as a
> virus at the same time) as it may actually be something they wanted to
> receive. Actually, I wouldn't be sure how to handle that if I wanted to.

In some organisations it might make sense to notify *in-house* senders of viruses, which can be done with a ruleset on Notify Senders and/or on Notify Senders of Viruses.

Likewise, Julian has provided options for notifying of various types of bad content separately from viruses:

Notify Senders = %rules-dir%/notify.senders.rules
Notify Senders Of Viruses = no
Notify Senders Of Blocked Filenames Or Filetypes = yes
Notify Senders Of Blocked Size Attachments = no
Notify Senders Of Other Blocked Content = yes
Never Notify Senders Of Precedence = list bulk

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From alex at rtpty.com Tue Dec 2 15:30:26 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Dec 2 15:30:39 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To: <4935502F.2000605@tradoc.fr>
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost> <4935502F.2000605@tradoc.fr>
Message-ID:

And by "in-house" you'd mean (of course) From:xxx.yyy.zzz. where xxx.yyy.zzz. are IP addresses under your direct control - otherwise you'd potentially notify in-house users of address-forging viruses they didn't actually send.

On Dec 2, 2008, at 10:11 AM, John Wilcock wrote:

> In some organisations it might make sense to notify *in-house*
> senders of viruses, which can be done with a ruleset on Notify
> Senders and/or on Notify Senders of Viruses.

From maillists at conactive.com Tue Dec 2 15:51:05 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 2 15:51:15 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To: <4935502F.2000605@tradoc.fr>
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost> <4935502F.2000605@tradoc.fr>
Message-ID:

John Wilcock wrote on Tue, 02 Dec 2008 16:11:43 +0100:

> In some organisations it might make sense to notify *in-house* senders
> of viruses,

I'd rather say it makes sense to alert an admin ;-)

> Likewise, Julian has provided options for notifying of various types of
> bad content separately from viruses:

John, that's all for *senders*. There's no such stuff for recipients that I know of. This thread is about recipients.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From traced at xpear.de Tue Dec 2 16:54:09 2008
From: traced at xpear.de (traced)
Date: Tue Dec 2 16:54:24 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To: <77c6c77beab7f06f7c9f03c73f0772a3@localhost>
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost>
Message-ID: <49356831.3020308@xpear.de>

Hi Guys,

thanks a lot for all your replies. I think it would be the best way only to inform an admin about a virus, and the users about blocked content. I think this is the default idea behind the MS defaults.
Sometimes I need a little time to think about the best solution :-)

Regards,
Bastian

From ssilva at sgvwater.com Tue Dec 2 17:17:12 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 2 17:17:34 2008
Subject: Retry delays
In-Reply-To: <2baac6140812011844i6b42603bpc3831eaedac873b0@mail.gmail.com>
References: <2baac6140812011102x2e3e6614u67e080eee3f7d835@mail.gmail.com> <826D5FDFCF76F6499D59755D401D6A8601293A@gcpads01.gcpsite.local> <2baac6140812011230s50a0e160ya9c59140a9a04436@mail.gmail.com> <2baac6140812011844i6b42603bpc3831eaedac873b0@mail.gmail.com>
Message-ID:

>
> Just what I was looking for! Anyway to disable the warnings that get
> sent to the sender when the server is not available? I think it sends
> after like two days.
>
> -Devon
>

Look for
define(`confTO_QUEUEWARN', `4h')dnl
Defaults to 4 hours. If you set it higher than the queuereturn it will never warn.
, defaults to

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Tue Dec 2 18:48:26 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Dec 2 18:48:48 2008
Subject: MailScanner Gold Production yum repository released
Message-ID: <493582FA.8090709@ecs.soton.ac.uk>

We're very happy to announce the availability of our new MailScanner Gold Production yum repository subscription service for Red Hat and CentOS 5.x operating systems. This FSL yum repository system provides all of the 70+ applications and Perl modules required to install and maintain MailScanner, SpamAssassin, ClamAV, Razor, DCC and a MySQL Bayes database in easy to use rpm formats.

All of the Perl modules required by MailScanner, SpamAssassin and Razor have been carefully designed to:
1. Be built with and kept up to date with all of the proper Perl module dependencies, including dependencies of dependencies
2. Co-exist with the Operating System's Perl modules.

It is now possible to safely update the Operating System and all MailScanner related applications without fear of creating Perl module dependency problems.
Quickly and safely updating the Operating System, MailScanner and all applications is simply a `yum update` command.

And we have tried to provide this service at a price that makes it affordable. Standard pricing will be $40 per month for the first server and $30 per month for each additional server if paid yearly in advance. A quarterly payment plan will also be available for a small additional surcharge.

But for the next 30 days there will be special pricing for members of any official MailScanner mailing list; just $30 per month for the first server and $20 per month for each additional server if paid yearly in advance.

And there are other, not so obvious benefits to using the repository. The repository provides the ability to quickly install or restore a gateway without needing a full backup. Start with a minimal OS load (20 minutes), restoring a few critical directories (well you have to backup something, 15 minutes) and then run `yum groupinstall MailScannerGold` (5 minutes!). You can be back up and running or easily install an additional gateway in less than an hour.

The production repository will be updated with new rpms after one month of testing by the FSL team and our beta MailScannerGold testers. Any security or urgent patches will be applied as they become available and can be tested. Announcements of upgrades and patches will be made via the FSL repository subscriber's mailing list.

And the FSL team is available to provide any level of support you need to install the subscription or assist with day to day problems at reduced hourly rates for MailScanner Gold Customers.
Please contact info@FSL.com for more information or to sign up.

--
Julian Field MEng CITP CEng
Chief Technology Officer
Fort Systems Ltd
www.FSL.com

--
Steve Swaney
CEO
Fort Systems Ltd.
steve@fsl.com
www.fsl.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ugob at lubik.ca Tue Dec 2 20:20:51 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Dec 2 20:21:08 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To:
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost>
Message-ID:

Kai Schaetzl wrote:
> Ugo Bellavance wrote on Tue, 02 Dec 2008 08:09:35 -0500:
>
>> You can do it but it is a very bad idea, as a lot of viruses are sent
>> with forged address.
>
> It might be a bad idea, but I can't see why it should be a bad idea for
> this reason. It's obvious that you don't want to alert faked *senders*,
> but he asked about recipients. In my eyes it doesn't make sense to inform
> recipients of a *detected* virus either, but it may make sense to notify
> *recipients* of "other bad content" (only if it didn't get detected as a
> virus at the same time) as it may actually be something they wanted to
> receive. Actually, I wouldn't be sure how to handle that if I wanted to.

Oh, my bad. I thought he was asking about sender notification.

Ugo

From lists at rheel.co.nz Tue Dec 2 20:31:54 2008
From: lists at rheel.co.nz (Lists)
Date: Tue Dec 2 20:30:41 2008
Subject: MailScanner Reload error
Message-ID: <49359B3A.3020202@rheel.co.nz>

Hi,
When I run service MailScanner reload I get the following:

Reloading MailScanner workers:
MailScanner: kill -10449: No such process
kill 9570: No such process

Does this indicate an error that I need to sort out?

Thanks
Kate

From alex at rtpty.com Tue Dec 2 21:33:23 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Dec 2 21:33:36 2008
Subject: MailScanner Reload error
In-Reply-To: <49359B3A.3020202@rheel.co.nz>
References: <49359B3A.3020202@rheel.co.nz>
Message-ID:

Only if it was supposed to be running in the first place. It's basically saying "Hey, I tried going through the list of process id (pid) numbers on this text file to tell the MailScanner processes to reload, but one (or more) of them aren't there!".

On Dec 2, 2008, at 3:31 PM, Lists wrote:

> Reloading MailScanner workers:
> MailScanner: kill -10449: No such process
> kill 9570: No such process
>
> Does this indicate an error that I need to sort out?

From dominian at slackadelic.com Tue Dec 2 21:33:54 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Tue Dec 2 21:34:07 2008
Subject: MailScanner Reload error
In-Reply-To: <49359B3A.3020202@rheel.co.nz>
References: <49359B3A.3020202@rheel.co.nz>
Message-ID: <4935A9C2.8090206@slackadelic.com>

Lists wrote:
> Hi,
> When I run service MailScanner reload I get the following:
>
> Reloading MailScanner workers:
> MailScanner: kill -10449: No such process
> kill 9570: No such process
>
> Does this indicate an error that I need to sort out?
>
> Thanks
> Kate
>

It appears that the process ID that the script knew either was already shutdown or crashed of some kind.

Hard to say really.

Did you do an update or something?

-Matt

From lists at rheel.co.nz Tue Dec 2 23:19:06 2008
From: lists at rheel.co.nz (Lists)
Date: Tue Dec 2 23:17:41 2008
Subject: MailScanner Reload error
In-Reply-To: <4935A9C2.8090206@slackadelic.com>
References: <49359B3A.3020202@rheel.co.nz> <4935A9C2.8090206@slackadelic.com>
Message-ID: <4935C26A.80407@rheel.co.nz>

Matt Hayes wrote:
> Lists wrote:
>
>> Hi,
>> When I run service MailScanner reload I get the following:
>>
>> Reloading MailScanner workers:
>> MailScanner: kill -10449: No such process
>> kill 9570: No such process
>>
>> Does this indicate an error that I need to sort out?
>>
>> Thanks
>> Kate
>>
>
> It appears that the process ID that the script knew either was already
> shutdown or crashed of some kind.
>
> Hard to say really.
>
> Did you do an update or something?
>
> -Matt
>

Yes I did do an update a week or so ago to MailScanner version 4.72.5 (I was running version only one version earlier)

Kate

From Kevin_Miller at ci.juneau.ak.us Wed Dec 3 01:15:43 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Dec 3 01:15:57 2008
Subject: OT: Why I love MailScanner & open source
Message-ID:

http://isc.sans.org/diary.html?storyid=5419

Ouch...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From RWeiss at bhs-corrugated.de Wed Dec 3 09:18:48 2008
From: RWeiss at bhs-corrugated.de (Ronald Weiss)
Date: Wed Dec 3 09:19:02 2008
Subject: Mailscanner-Mailwatch Virii report
In-Reply-To: <492DA09D.1000208@ptera.net>
References: <492DA09D.1000208@ptera.net>
Message-ID:

Hello @all,

in my setup i am not able to view the virii reports in mailwatch.
i'm not sure if it is a mailwatch or mailscanner issue,
so i post here before i sign in to the mailwatch list...
(perhaps someone has got a similar setup?)

my setup:
SLES 10 SP2
Mailscanner 4.71.10
Mailwatch 1.0.4
clamav ClamAV 0.94.1 (will be updated)
mysql 5.0.18

so, in the report page, if i chose "top viruses" i only get a empty page,
with an image of 0x0.
(no errors in apache errorlog!)

Virus report is also empty, but the headings...

anyone an idea about that?

thx in advance

________________________________________
  _
 ?v?    Mit freundlichen Gruessen/Kind regards,
/(_)\   Ronny Weiß
 ^ ^

From maxsec at gmail.com Wed Dec 3 10:21:19 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Dec 3 10:21:28 2008
Subject: Mailscanner-Mailwatch Virii report
In-Reply-To:
References: <492DA09D.1000208@ptera.net>
Message-ID: <72cf361e0812030221l34bcafa3qa14786f3da0cde70@mail.gmail.com>

2008/12/3 Ronald Weiss :
> Hello @all,
>
> in my setup i am not able to view the virii reports in mailwatch.
> i'm not sure if it is a mailwatch or mailscanner issue,
> so i post here before i sign in to the mailwatch list...
> (perhaps someone has got a similar setup?)
>
> my setup:
> SLES 10 SP2
> Mailscanner 4.71.10
> Mailwatch 1.0.4
> clamav ClamAV 0.94.1 (will be updated)
> mysql 5.0.18
>
> so, in the report page, if i chose "top viruses" i only get a empty page,
> with an image of 0x0.
> (no errors in apache errorlog!)
>
> Virus report is also empty, but the headings...
>
> anyone an idea about that?
>
> thx in advance
>
> ________________________________________
>   _
>  ?v?    Mit freundlichen Gruessen/Kind regards,
> /(_)\   Ronny Weiß
>  ^ ^
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

What have you got for "Virus Scanners =" in MailScanner.conf?

--
Martin Hepworth
Oxford, UK

From maillists at conactive.com Wed Dec 3 10:31:17 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 3 10:31:28 2008
Subject: Mailscanner-Mailwatch Virii report
In-Reply-To:
References: <492DA09D.1000208@ptera.net>
Message-ID:

Ronald Weiss wrote on Wed, 3 Dec 2008 10:18:48 +0100:

> so, in the report page, if i chose "top viruses" i only get a empty page,
> with an image of 0x0.

This is a mailwatch issue, most likely something wrong with the jpgraph setup which produces the pictures.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From RWeiss at bhs-corrugated.de Wed Dec 3 10:43:08 2008
From: RWeiss at bhs-corrugated.de (Ronald Weiss)
Date: Wed Dec 3 10:43:23 2008
Subject: Mailscanner-Mailwatch Virii report
In-Reply-To: <72cf361e0812030221l34bcafa3qa14786f3da0cde70@mail.gmail.com>
References: <492DA09D.1000208@ptera.net> <72cf361e0812030221l34bcafa3qa14786f3da0cde70@mail.gmail.com>
Message-ID:

Martin,

Virus Scanners = clamd

________________________________________
  _
 ?v?    Mit freundlichen Gruessen/Kind regards,
/(_)\   Ronny Weiß
 ^ ^    Internet/Security / IT Management

BHS Corrugated
Maschinen- und Anlagenbau GmbH
Phone +49 9605 919-125
Fax +49 9605 919-7125
rweiss@bhs-corrugated.de
http://www.bhs-corrugated.de

This message is intended for the addressee only as it contains private and/or privileged and confidential information. The contents are not to be disclosed to anyone else than the addressee. Unauthorized recipients are requested to comply with the above and to inform the sender immediately of any errors in transmission and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly prohibited.

BHS Corrugated Maschinen- und Anlagenbau GmbH
Paul-Engel-Straße 1, 92729 Weiherhammer, Germany
Management: Christian Engel, Lars Engel, Norbert Städele
Registered at Amtsgericht Weiden, HR B 1320
www.bhs-corrugated.de

From: "Martin Hepworth"
To: "MailScanner discussion"
Date: 03.12.2008 11:26
Subject: Re: Mailscanner-Mailwatch Virii report
Sent by: mailscanner-bounces@lists.mailscanner.info

What have you got for "Virus Scanners =" in MailScanner.conf?

--
Martin Hepworth
Oxford, UK

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
If you believe this mail is SPAM, and it's not tagged in the Subject
Or
This mail is NO-SPAM, but is tagged as SPAM,
report this ID 80DC518E46.B6C04

From RWeiss at bhs-corrugated.de Wed Dec 3 11:01:20 2008
From: RWeiss at bhs-corrugated.de (Ronald Weiss)
Date: Wed Dec 3 11:01:34 2008
Subject: Mailscanner-Mailwatch Virii report
In-Reply-To:
References: <492DA09D.1000208@ptera.net>
Message-ID:

Kai,

seems not to be the jpgraph setup, as the other graphics show up...

________________________________________
  _
 ?v?    Mit freundlichen Gruessen/Kind regards,
/(_)\   Ronny Weiß
 ^ ^

From: Kai Schaetzl
To: mailscanner@lists.mailscanner.info
Date: 03.12.2008 11:34
Subject: Re: Mailscanner-Mailwatch Virii report
Sent by: mailscanner-bounces@lists.mailscanner.info

Ronald Weiss wrote on Wed, 3 Dec 2008 10:18:48 +0100:

> so, in the report page, if i chose "top viruses" i only get a empty page,
> with an image of 0x0.

This is a mailwatch issue, most likely something wrong with the jpgraph setup which produces the pictures.

Kai

From maillists at conactive.com Wed Dec 3 11:31:26 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 3 11:31:38 2008
Subject: Mailscanner-Mailwatch Virii report
In-Reply-To:
References: <492DA09D.1000208@ptera.net>
Message-ID:

Ronald Weiss wrote on Wed, 3 Dec 2008 12:01:20 +0100:

> seems not to be the jpgraph setup, as the other graphics show up...

whatever, it's for the mailwatch list ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Wed Dec 3 11:48:24 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Dec 3 11:48:33 2008
Subject: Mailscanner-Mailwatch Virii report
In-Reply-To:
References: <492DA09D.1000208@ptera.net> <72cf361e0812030221l34bcafa3qa14786f3da0cde70@mail.gmail.com>
Message-ID: <72cf361e0812030348l40ba11cwb5fc1b5f0c1f125e@mail.gmail.com>

2008/12/3 Ronald Weiss :
> Martin,
>
> Virus Scanners = clamd
>

As I thought. You'll need to edit functions.php so it knows about clamd as well as clamscan etc.

Basically add a new 'case' into the case statement that's the same as the other clam, but uses the clamd as the 'switch'.

If you need more detailed info let me know and I'll give you line numbers etc to start at

--
Martin Hepworth
Oxford, UK

From matteo.filippetto at gmail.com Wed Dec 3 12:23:07 2008
From: matteo.filippetto at gmail.com (matteo filippetto)
Date: Wed Dec 3 12:23:17 2008
Subject: archive emails
Message-ID:

Hi all,

I have recently installed mailscanner with mailwatch in a debian server.

I would like to know if there is a parameter to set the number of days that mailscanner archives the mails, as it can do with quarantine?

Thank you very much,
Best regards

--
Matteo Filippetto

From martelm at quark.vsc.edu Wed Dec 3 13:24:50 2008
From: martelm at quark.vsc.edu (Michael H. Martel)
Date: Wed Dec 3 13:25:12 2008
Subject: MailScanner Blocking WMF Files ...
Message-ID: <758DD6AFF947E1AD7EF16444@sherlockholmes.vsc.edu>

Greetings!

So this is simple, but I don't know the _right_ fix. We currently are blocking WMF files with MailScanner. So that's why they get blocked.

Now that we're rolling out Office 2007, Office 2007 embeds these in the .docx files. I could allow WMF files, but that seems wrong.

How are other people handling Office 2007 files ?

Thanks!

Michael

--
--------------------------------o---------------------------------
Michael H. Martel               | Systems Administrator
michael.martel@vsc.edu          | Vermont State Colleges
http://www.vsc.edu/~michael     | PH:802-241-2544 FX:802-241-3363

From alex at rtpty.com Wed Dec 3 13:38:30 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Dec 3 13:38:43 2008
Subject: MailScanner Blocking WMF Files ...
In-Reply-To: <758DD6AFF947E1AD7EF16444@sherlockholmes.vsc.edu>
References: <758DD6AFF947E1AD7EF16444@sherlockholmes.vsc.edu>
Message-ID:

Avoiding them?

In any case, unless your users have stopped updating their machines for years now, they should be protected enough against the wmf vulnerability. You can always tell MailScanner not to scan within "archives", since .???x files are treated as such. The antivirus will pick it up if it's infected.

On Dec 3, 2008, at 8:24 AM, Michael H. Martel wrote:

> How are other people handling Office 2007 files ?

From nikolaos.pavlidis at beds.ac.uk Wed Dec 3 13:49:56 2008
From: nikolaos.pavlidis at beds.ac.uk (nikolaos pavlidis)
Date: Wed Dec 3 13:50:13 2008
Subject: MailScanner Gold Production yum repository released
In-Reply-To: <49368E8402000027000263C1@gwiadom.oes.beds.ac.uk>
References: <493584C5020000D400044F47@gwiadom.oes.beds.ac.uk> <49368E8402000027000263C1@gwiadom.oes.beds.ac.uk>
Message-ID: <49368E8402000027000263C1@gwiadom.oes.beds.ac.uk>

Hello Julian,

Will the rpms contain a trained out-of-the-box Bayesian database or are we going to have to train it ourselves? I hope that either way the updates will not affect an already trained db.

Regards,

Nik

On Tue, 2008-12-02 at 18:48 +0000, Julian Field wrote:
> We're very happy to announce the availability of our new MailScanner
> Gold Production yum repository subscription service for Red Hat and
> CentOS 5.x operating systems. This FSL yum repository system provides
> all of the 70+ applications and Perl modules required to install and
> maintain MailScanner, SpamAssassin, ClamAV, Razor, DCC and a MySQL Bayes
> database in easy to use rpm formats.

--
Nikolaos Pavlidis BSc (Hons) MBCS NCLP
System Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277

From jase at sensis.com Wed Dec 3 14:01:07 2008
From: jase at sensis.com (Desai, Jason)
Date: Wed Dec 3 14:02:40 2008
Subject: Debian and the latest perl security updates
Message-ID: <1951DC816E1A9F469307B05FA183F4380151E28D@corpatsmail1.corp.sensis.com>

For those who use Debian and Julian's tar.gz install package:

Debian just released a perl security update. After installing the update, MailScanner will not start (for me anyways), giving the following error:

Starting MailScanner...File::Temp version 0.18 required--this is only version 0.16 at /usr/local/share/perl/5.8.8/MIME/Tools.pm line 14.

I suspect the update is overwriting something. I haven't taken a lot of time to investigate, but to work around it, I renamed my existing MailScanner folder, re-ran install.sh (to get the required perl modules installed), deleted the new MailScanner folder, and then renamed the old one back.

mv /opt/MailScanner-4.72.5-1 /opt/MailScanner-4.72.5-1.tmp
cd MailScanner-install-4.72.5
./install.sh
rm -rf /opt/MailScanner-4.72.5-1
mv /opt/MailScanner-4.72.5-1.tmp /opt/MailScanner-4.72.5-1

Hope this helps someone. At the very least, restart MailScanner after you do the perl update to make sure it will start back up.

Jase

From t.d.lee at durham.ac.uk Wed Dec 3 14:13:10 2008
From: t.d.lee at durham.ac.uk (David Lee)
Date: Wed Dec 3 14:16:58 2008
Subject: Centos 5.2, MS, perl ClamAV module
In-Reply-To: <493414D8.9090705@ecs.soton.ac.uk>
References: <493414D8.9090705@ecs.soton.ac.uk>
Message-ID:

On Mon, 1 Dec 2008, Julian Field wrote:

> On 1/12/08 14:02, David Lee wrote:
>>
>> [..]
>> For the general case (e.g. not CentOS; user installing SA/ClamAV package)
>> might there still be a case for the SA/ClamAV to be able to install the
>> "init.d" script (and other things) to provide a consistent installation?
> The reason I haven't done it in the past is that the init.d script has to be
> totally different for every major Linux distro, let alone Solaris and other
> Unices. So I would have to write half a dozen for it to be any use. The
> current SA+ClamAV package is Unix-independent.

OK. Fair enough. Thanks.

--
:  David Lee                        I.T. Service        :
:  Senior Systems Programmer        Computer Centre     :
:  UNIX Team Leader                 Durham University   :
:                                   South Road          :
:  http://www.dur.ac.uk/t.d.lee/    Durham DH1 3LE      :
:  Phone: +44 191 334 2752          U.K.                :

From traced at xpear.de Wed Dec 3 14:23:27 2008
From: traced at xpear.de (traced@xpear.de)
Date: Wed Dec 3 14:23:38 2008
Subject: Fwd: Re: [Mailwatch-users] Users DB
Message-ID: <61b580ab24d00f3a0e52cafff90e878f@localhost>

>
>Hello Bastian:
>
>>On 27/11/08 20:58, traced wrote:
>> looks like you lose the ability to use the per user/domain
>> spam- and highspamscores, or am i missing something?
>
>In our experience, the default scores are sufficient for 99% of the users.
> >If there is a better way to merge PFA and MailWatch information, I would >be happy to hear about it. Problem is that SQL JOINs do not work on life >data, and probably have to run as a frequent CRON job. > >Any further suggestions are welcome. > >Best regards, Hello Achim, wouldn?t it be possible to add the fields of the spamscores to the pfadmin tables, and link them in that view? When you create a new entry it would automatically enter "0" to the values, but you can still change them then in the Mailwatch interface. Then everything is in the pfadmin table, and Mailwatch gets everything it needs with the view written here before?! Regards, Bastian From steve at fsl.com Wed Dec 3 14:48:52 2008 From: steve at fsl.com (Stephen Swaney) Date: Wed Dec 3 14:49:03 2008 Subject: MailScanner Gold Production yum repository released In-Reply-To: <49368E8402000027000263C1@gwiadom.oes.beds.ac.uk> References: <493584C5020000D400044F47@gwiadom.oes.beds.ac.uk> <49368E8402000027000263C1@gwiadom.oes.beds.ac.uk> <49368E8402000027000263C1@gwiadom.oes.beds.ac.uk> Message-ID: <49369C54.5030706@fsl.com> nikolaos pavlidis wrote: > Hello Julian, > > Will the rpms contain a trained out-of-the-box baysian database or are > we going to have to train it ourselves? I hope that either way the > updates will not effect an already trained db. > > Regards, > > Nik > > The initial MailScanner Gold rpm installation installs a Bayes Postgres Database. Bayes autolearn is configured as ON so it should learn from your site's spam. This will be changed soon to provide and install a "starter" Bayes database. If you already have a Bayes installation using local files or a MySQL database , you can manually import that data into the Postgres Database if you like Best regards, Steve -- Steve Swaney CEO Fort Systems Ltd. 
steve@fsl.com www.fsl.com From jonas at vrt.dk Wed Dec 3 14:51:13 2008 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Wed Dec 3 14:51:27 2008 Subject: Debian and the latest perl security updates In-Reply-To: <1951DC816E1A9F469307B05FA183F4380151E28D@corpatsmail1.corp.sensis.com> References: <1951DC816E1A9F469307B05FA183F4380151E28D@corpatsmail1.corp.sensis.com> Message-ID: <002701c95556$96a3dec0$c3eb9c40$@dk> Hi Jason Yep its normal that mailscanner breaks when debian do perl realted updates. My normal solution is always to do the debian upgrades, run a Mailscanner -V and see if anything looks wrong. If anything is missing or an older version (you can compare with the list before the perl modules upgrade) then install the newest perl module via cpan. This is something those of us who's chosen the combo of MailScanner and debian have to live with. Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 K?benhavn S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Desai, Jason Sent: 3. december 2008 15:01 To: mailscanner@lists.mailscanner.info Subject: Debian and the latest perl security updates For those who use Debian and Julian's tar.gz install package: Debian just released a perl security update. After installing the update, MailScanner will not start (for me anyways), giving the following error: Starting MailScanner...File::Temp version 0.18 required--this is only version 0.16 at /usr/local/share/perl/5.8.8/MIME/Tools.pm line 14. I suspect the update is overwriting something. I haven't take a lot of time to investigate, but to work around it, I renamed my existing MailScanner folder, re-ran install.sh (to get the required perl modules installed), deleted the new MailScanner folder, and then renamed the old one back. 
mv /opt/MailScanner-4.72.5-1 /opt/MailScanner-4.72.5-1.tmp cd MailScanner-install-4.72.5 ./install.sh rm -rf /opt/MailScanner-4.72.5-1 mv /opt/MailScanner-4.72.5-1.tmp /opt/MailScanner-4.72.5-1 Hope this helps someone. At the very least, restart MailScanner after you do the perl update to make sure it will start back up. Jase -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Wed Dec 3 16:17:53 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Dec 3 16:20:15 2008 Subject: archive emails In-Reply-To: References: Message-ID: on 12-3-2008 4:23 AM matteo filippetto spake the following: > Hi all, > > I have recently installed mailscanner with mailwatch in a debian server. > > I would like to know if there is a parameter to set the numbers of day > that mailscanner archive the mails as it can do with quarantine? > > Thank you very much, > Best regards > It is all in the docs. First you need to decide if you want mailscanner to do it or mailwatch. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081203/1abc82b2/signature.bin From ssilva at sgvwater.com Wed Dec 3 16:20:19 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Dec 3 16:25:11 2008 Subject: Debian and the latest perl security updates In-Reply-To: <002701c95556$96a3dec0$c3eb9c40$@dk> References: <1951DC816E1A9F469307B05FA183F4380151E28D@corpatsmail1.corp.sensis.com> <002701c95556$96a3dec0$c3eb9c40$@dk> Message-ID: on 12-3-2008 6:51 AM Jonas Akrouh Larsen spake the following: > Hi Jason > > Yep its normal that mailscanner breaks when debian do perl realted updates. > > My normal solution is always to do the debian upgrades, run a Mailscanner -V > and see if anything looks wrong. > > If anything is missing or an older version (you can compare with the list > before the perl modules upgrade) then install the newest perl module via > cpan. > > This is something those of us who's chosen the combo of MailScanner and > debian have to live with. > > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. sal > 2300 K?benhavn S > > Office: 7020 0979 > Direct: 3336 9974 > Mobile: 5120 1096 > Fax: 7020 0978 > Web: www.techbiz.dk > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Desai, > Jason > Sent: 3. december 2008 15:01 > To: mailscanner@lists.mailscanner.info > Subject: Debian and the latest perl security updates > > For those who use Debian and Julian's tar.gz install package: > > Debian just released a perl security update. After installing the > update, MailScanner will not start (for me anyways), giving the > following error: > > Starting MailScanner...File::Temp version 0.18 required--this is only > version 0.16 at /usr/local/share/perl/5.8.8/MIME/Tools.pm line 14. 
> > I suspect the update is overwriting something. I haven't take a lot of > time to investigate, but to work around it, I renamed my existing > MailScanner folder, re-ran install.sh (to get the required perl modules > installed), deleted the new MailScanner folder, and then renamed the old > one back. > > mv /opt/MailScanner-4.72.5-1 /opt/MailScanner-4.72.5-1.tmp > cd MailScanner-install-4.72.5 > ./install.sh > rm -rf /opt/MailScanner-4.72.5-1 > mv /opt/MailScanner-4.72.5-1.tmp /opt/MailScanner-4.72.5-1 > > Hope this helps someone. At the very least, restart MailScanner after > you do the perl update to make sure it will start back up. > > Jase > It isn't just Debian. CentOS also had a perl update a few months back that broke things. It all comes down to testing things after an update to make sure that it still functions. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081203/a359ebcc/signature.bin From matteo.filippetto at gmail.com Wed Dec 3 16:41:15 2008 From: matteo.filippetto at gmail.com (matteo filippetto) Date: Wed Dec 3 16:41:23 2008 Subject: archive emails In-Reply-To: References: Message-ID: Sorry, I read the pdf manual and I also searched the wiki pages but I did not find an answer on how to set this. Can you please tell me where you find documentation about this configuration? Thank you very much. Matteo 2008/12/3 Scott Silva : > on 12-3-2008 4:23 AM matteo filippetto spake the following: >> Hi all, >> >> I have recently installed mailscanner with mailwatch in a debian server. >> >> I would like to know if there is a parameter to set the numbers of day >> that mailscanner archive the mails as it can do with quarantine? 
>> >> Thank you very much, >> Best regards >> > It is all in the docs. First you need to decide if you want mailscanner to do > it or mailwatch. > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Matteo Filippetto From matteo.filippetto at gmail.com Wed Dec 3 17:05:30 2008 From: matteo.filippetto at gmail.com (matteo filippetto) Date: Wed Dec 3 17:05:39 2008 Subject: archive emails In-Reply-To: References: Message-ID: Finally I find it in MailScanner.conf Thank you very much. Bye Matteo 2008/12/3 matteo filippetto : > Sorry, I read the pdf manual and I also searched the wiki pages but I > did not find an answer on how to set this. > > Can you please tell me where you find documentation about this configuration? > > Thank you very much. > > Matteo > > 2008/12/3 Scott Silva : >> on 12-3-2008 4:23 AM matteo filippetto spake the following: >>> Hi all, >>> >>> I have recently installed mailscanner with mailwatch in a debian server. >>> >>> I would like to know if there is a parameter to set the numbers of day >>> that mailscanner archive the mails as it can do with quarantine? >>> >>> Thank you very much, >>> Best regards >>> >> It is all in the docs. First you need to decide if you want mailscanner to do >> it or mailwatch. >> >> -- >> MailScanner is like deodorant... >> You hope everybody uses it, and >> you notice quickly if they don't!!!! >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>>
>>
>
>
>
> --
> Matteo Filippetto
>

--
Matteo Filippetto

From bbdokken at dokkenengineering.com Wed Dec 3 19:51:48 2008
From: bbdokken at dokkenengineering.com (Brad Dokken)
Date: Wed Dec 3 19:52:04 2008
Subject: Mailscanner-Mailwatch Virii report
In-Reply-To:
References: <492DA09D.1000208@ptera.net> <72cf361e0812030221l34bcafa3qa14786f3da0cde70@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Ronald Weiss
> Sent: Wednesday, December 03, 2008 2:43 AM
> To: MailScanner discussion
> Subject: Re: Mailscanner-Mailwatch Virii report
>
> Martin,
>
> Virus Scanners = clamd
>
>

You need to make some changes to the mailwatch files in /var/www/html/mailscanner/ as follows:

functions.php
        case 'clamd':
            define(VIRUS_REGEX, '/(.+) was infected: (\S+)/');
            break;

rep_viruses.php
        case("clamd"):
            $scanner[$vscanner]['name'] = "ClamD";
            $scanner[$vscanner]['regexp'] = "/(.+) was infected: (\S+)/";
            break;

In the above I only had to change to "was infected" from the original "contains". This will depend on how old your MailWatch files are, older versions don't have the ClamD entries.

Brad

From astephens at ptera.net Wed Dec 3 21:47:52 2008
From: astephens at ptera.net (Arthur Stephens)
Date: Wed Dec 3 21:48:03 2008
Subject: Emails on HOLD not processed and delivered Still!
Message-ID: <4936FE88.9000702@ptera.net>

OK I am about to shut off MailScanner -
Before it was a customer's emails that were disappearing. There are a lot of these in my logs. :-(
Now emails to support@ptera.net - which I understandably NEED to get are disappearing also.
Here is the trace in the logs showing that the email is received ( I sent this one myself) and put on hold and that is the last we see of it.
[root@mailgate ~]# grep A4B9B6FB140: /var/log/maillog Dec 3 12:53:59 mailgate postfix/smtpd[10424]: A4B9B6FB140: client=daffy.ptera.net[69.28.32.8] Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: hold: header Received: from daffy.ptera.net (daffy.ptera.net [69.28.32.8])??by mailgate.ptera.net (Postfix) with ESMTP id A4B9B6FB140??for ; Wed, 3 Dec 2008 12:53:59 -0800 (PST) from daffy.ptera.net[69.28.32.8]; from= to= proto=ESMTP helo= Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: message-id=<4936F88F.9070105@ptera.net> [root@mailgate ~]# I have upgraded MailScanner to This is MailScanner version 4.72.5 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 0.21 bignum 1.04 Carp 1.41 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_08 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.20 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.02 Mail::Header 1.86 Math::BigInt 0.19 Math::BigRat 3.05 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.03 MIME::QuotedPrint 5.427 MIME::Tools 0.11 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.05 Pod::Simple 1.09 POSIX 1.18 Scalar::Util 1.78 Socket 2.15 Storable 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.26 Test::Pod 0.7 Test::Simple 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: missing Archive::Tar 0.21 bignum missing Business::ISBN missing Business::ISBN::Data missing Data::Dump 1.814 DB_File 1.13 DBD::SQLite 1.56 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 missing Encode::Detect missing Error missing ExtUtils::CBuilder missing ExtUtils::ParseXS 2.36 Getopt::Long missing Inline missing IO::String missing IO::Zlib missing IP::Country missing Mail::ClamAV 3.001000 Mail::SpamAssassin missing Mail::SPF missing Mail::SPF::Query missing 
Module::Build missing Net::CIDR::Lite 0.63 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP missing NetAddr::IP missing Parse::RecDescent missing SAVI 2.56 Test::Harness missing Test::Manifest 1.95 Text::Balanced 1.35 URI missing version missing YAML I went over the config files again, trying to find stuff not configured etc. My postfix is version Postfix version 2.3.8 with this config... command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix inet_interfaces = localhost, 69.28.32.25 mydestination = mailgate.ptera.net myorigin = localhost smtpd_banner = mailgate.ptera.net NO UCE ESMTP unknown_local_recipient_reject_code = 550 relay_domains = ptera.net, tylite.com, pdi-inc.com, avistaadvantage.com, 134.39.173.11 transport_maps = hash:/etc/postfix/transport alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases header_checks = regexp:/etc/postfix/header_checks debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = /usr/share/doc/postfix-2.3.8-documentation/html manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.2.8/samples readme_directory = /usr/share/doc/postfix-2.3.8-documentation/readme smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_rbl_client domain-name,reject_unauth_destination,check_policy_service inet:127.0.0.1:2501 receive_override_options = no_address_mappings message_size_limit = 46080000 maximal_queue_lifetime = 1d bounce_queue_lifetime = 1d smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit luser_relay = address_mapped_to_dev_null disable_vrfy_command = 
yes biff = no smtpd_delay_reject = yes strict_rfc821_envelopes = yes queue_directory = /var/spool/postfix mail_owner = postfix -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." From Denis.Beauchemin at USherbrooke.ca Wed Dec 3 21:59:19 2008 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Dec 3 21:59:40 2008 Subject: Emails on HOLD not processed and delivered Still! In-Reply-To: <4936FE88.9000702@ptera.net> References: <4936FE88.9000702@ptera.net> Message-ID: <49370137.2080801@USherbrooke.ca> Arthur Stephens a ?crit : > OK I am about to shut off MailScanner - > Before it was a customers emails that were disappearing. There are a > lot of these in my logs. :-( > Now emails to support@ptera.net - which I understandably NEED to get > are disappearing also. > Here is the trace in the logs showing that the email is received ( I > sent this one myself) and put on hold and that is the last we see of it. 
> > [root@mailgate ~]# grep A4B9B6FB140: /var/log/maillog > Dec 3 12:53:59 mailgate postfix/smtpd[10424]: A4B9B6FB140: > client=daffy.ptera.net[69.28.32.8] > Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: hold: > header Received: from daffy.ptera.net (daffy.ptera.net > [69.28.32.8])??by mailgate.ptera.net (Postfix) with ESMTP id > A4B9B6FB140??for ; Wed, 3 Dec 2008 12:53:59 -0800 > (PST) from daffy.ptera.net[69.28.32.8]; from= > to= proto=ESMTP helo= > Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: > message-id=<4936F88F.9070105@ptera.net> > [root@mailgate ~]# Arthur, I don't see any log from MailScanner. Are you sure it is running? If so, do you get any error messages from "MailScanner --lint" ? Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From simon.walter at hp-factory.de Wed Dec 3 22:46:46 2008 From: simon.walter at hp-factory.de (Simon Walter) Date: Wed Dec 3 22:47:04 2008 Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks Message-ID: <87tz9kho6h.fsf@hp-factory.de> Hi, I send this through the mailinglist because I can't send it to Julian directly because of the following: mailscanner@ecs.soton.ac.uk SMTP error from remote mail server after MAIL FROM:: host mx.ecs.soton.ac.uk [152.78.68.137]: 553 5.1.8 sender from hp-factory.de MX invalid #439 (kB2Lcm295123146500) I don't know what's causing this... Anyway, here is the mail in which some of you should be interested too. 
-------------------- Start of forwarded message --------------------
To: Mark Purcell
Cc: 506353@bugs.debian.org, Raphael Geissert , mailscanner@ecs.soton.ac.uk
BCC: control@bugs.debian.org
Subject: Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
X-Draft-From: ("nnml:debian.bugs" 284)
References: <200811201524.52353.atomo64@gmail.com> <200812032338.02957.msp@debian.org>
From: Simon Walter
Date: Wed, 03 Dec 2008 22:28:09 +0100
In-Reply-To: <200812032338.02957.msp@debian.org> (Mark Purcell's message of "Wed\, 3 Dec 2008 23\:38\:02 +1100")
Message-ID: <877i6hhrti.fsf@hp-factory.de>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
Lines: 51
Xref: tharlab others.sent:737

package mailscanner
tags 506353 help upstream confirmed
thanks

Hello,

Mark Purcell writes:

> On Friday 21 November 2008 08:24:46 Raphael Geissert wrote:
>> I'm using severity grave as this package should definitely not be shipped
>> in any release as is.
>
> Simon,
>
> This RC bug was reported almost two weeks ago without any comment from you.
>
> Are you in a position to investigate and propose a way forward for your
> package in lenny?

I have looked at the code-segments Raphael pointed out and I totally agree with him. In the current state the package should not be part of the lenny release.

I'm in no position to fix all this. I'm not familiar enough with the MailScanner sourcecode and I'm not able to test the changes I would have to make, in particular to all the virusscanner scripts.

I have put Julian Field (upstream author) in CC to inform him about all this. (@Julian: the full bugreport is here [1]) If he is willing and able to fix the problems in a feature release before lenny is released I will try to backport the fixes to the current package in lenny. Otherwise this package should be removed.

I'm also wondering why [2] marks CVE-2008-5140 as fixed for sid+lenny.
It claims the bug was fix with 4.57.6-1, but there is no difference between 4.55.10-3 and 4.57.6-1. Sorry for the late reply. -- Regards Simon Walter [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353 [2] http://security-tracker.debian.net/tracker/CVE-2008-5140 -------------------- End of forwarded message -------------------- -- Regards Simon Walter From astephens at ptera.net Wed Dec 3 22:50:44 2008 From: astephens at ptera.net (Arthur Stephens) Date: Wed Dec 3 22:50:55 2008 Subject: Emails on HOLD not processed and delivered Still! In-Reply-To: <49370137.2080801@USherbrooke.ca> References: <4936FE88.9000702@ptera.net> <49370137.2080801@USherbrooke.ca> Message-ID: <49370D44.7070109@ptera.net> Denis Beauchemin wrote: > Arthur Stephens a ?crit : >> OK I am about to shut off MailScanner - >> Before it was a customers emails that were disappearing. There are a >> lot of these in my logs. :-( >> Now emails to support@ptera.net - which I understandably NEED to get >> are disappearing also. >> Here is the trace in the logs showing that the email is received ( I >> sent this one myself) and put on hold and that is the last we see of it. >> >> [root@mailgate ~]# grep A4B9B6FB140: /var/log/maillog >> Dec 3 12:53:59 mailgate postfix/smtpd[10424]: A4B9B6FB140: >> client=daffy.ptera.net[69.28.32.8] >> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: hold: >> header Received: from daffy.ptera.net (daffy.ptera.net >> [69.28.32.8])??by mailgate.ptera.net (Postfix) with ESMTP id >> A4B9B6FB140??for ; Wed, 3 Dec 2008 12:53:59 -0800 >> (PST) from daffy.ptera.net[69.28.32.8]; from= >> to= proto=ESMTP helo= >> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: >> message-id=<4936F88F.9070105@ptera.net> >> [root@mailgate ~]# > > > Arthur, > > I don't see any log from MailScanner. Are you sure it is running? If > so, do you get any error messages from "MailScanner --lint" ? 
> > Denis > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf ERROR: is not correct, it should match X-Ptera-MailScanner-From I fixed that only one that showed up from running "MailScanner --lint" Yes MailScanner is running - that is just a trace for that email (A4B9B6FB140:) [root@mailgate ~]# tail -f /var/log/maillog | grep MailScanner Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Found 34 messages waiting Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Scanning 2 messages, 21644 bytes Dec 3 14:21:25 mailgate MailScanner[27025]: Virus and Content Scanning: Starting Dec 3 14:21:26 mailgate MailScanner[27021]: Content Checks: Detected and have disarmed web bug tags in HTML message in EAC526FB1A4.8D9A5 from 417.4.63163490-559395@uninterestedactivity.com Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 9067B6FB0D3.7652B to 2584E6FB1B7 Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 0A3F56FB1AF.5DCD8 to 39E696FB0D3 Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: E94806FB1B1.D44E0 to 520136FB1AF Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: EAC526FB1A4.8D9A5 to 50A286FB1B1 Dec 3 14:21:26 mailgate MailScanner[27021]: Uninfected: Delivered 4 messages Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Found 31 messages waiting Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Scanning 1 messages, 18590 bytes Dec 3 14:21:31 mailgate MailScanner[27033]: Virus and Content Scanning: Starting Dec 3 14:21:31 mailgate MailScanner[27013]: Spam Checks: Found 1 spam messages Dec 3 14:21:31 mailgate MailScanner[27013]: Virus and Content Scanning: Starting Dec 3 14:21:32 mailgate MailScanner[27058]: Virus and Content Scanning: Starting -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain 
confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." From sandrews at andrewscompanies.com Wed Dec 3 23:10:15 2008 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Wed Dec 3 23:10:25 2008 Subject: clam update Message-ID: <1964AAFBC212F742958F9275BF63DBB0907A34@winchester.andrewscompanies.com> Just noticed one of my boxes saying that 0.94.2 is now out. Steven R. Andrews, President Andrews Companies Incorporated Small Business Information Technology Consultants sandrews@andrewscompanies.com Phone: 317.536.1807 "If your only tool is a hammer, every problem looks like a nail." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081203/105e5720/attachment.html From steve at fsl.com Wed Dec 3 23:52:32 2008 From: steve at fsl.com (Stephen Swaney) Date: Wed Dec 3 23:52:43 2008 Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <87tz9kho6h.fsf@hp-factory.de> References: <87tz9kho6h.fsf@hp-factory.de> Message-ID: <49371BC0.7010404@fsl.com> Simon Walter wrote: > > Hi, > > I send this through the mailinglist because I can't send it to > Julian directly because of the following: > > mailscanner@ecs.soton.ac.uk > SMTP error from remote mail server after MAIL FROM:: > host mx.ecs.soton.ac.uk [152.78.68.137]: 553 5.1.8 sender from hp-factory.de MX invalid #439 (kB2Lcm295123146500) > > I don't know what's causing this... > > Anyway, here is the mail in which some of you should be interested too. 
> > -------------------- Start of forwarded message -------------------- > To: Mark Purcell > Cc: 506353@bugs.debian.org, Raphael Geissert , mailscanner@ecs.soton.ac.uk > BCC: control@bugs.debian.org > Subject: Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks > X-Draft-From: ("nnml:debian.bugs" 284) > References: <200811201524.52353.atomo64@gmail.com> > <200812032338.02957.msp@debian.org> > From: Simon Walter > Date: Wed, 03 Dec 2008 22:28:09 +0100 > In-Reply-To: <200812032338.02957.msp@debian.org> (Mark Purcell's message of "Wed\, 3 Dec 2008 23\:38\:02 +1100") > Message-ID: <877i6hhrti.fsf@hp-factory.de> > User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux) > Lines: 51 > Xref: tharlab others.sent:737 > > > Simon, > > You been caught out by Julian's smtpf / BarricadeMX installation. Anytime you spot a messageID like kB2Lcm295123146500, starts with "k" and 18 characters long, smtpf has probably been the application that accepted, and in this case, blocked, your e-mail But please notice that it was nice enough to send you an NDR. > > To see exactly what tripped it up I would need access to Julian's logs or configuration file. > > Best regards, > > Steve > > Steve Swaney > steve@fsl.com > www.fsl.com From ssilva at sgvwater.com Thu Dec 4 00:28:40 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Dec 4 00:29:00 2008 Subject: archive emails In-Reply-To: References: Message-ID: on 12-3-2008 8:41 AM matteo filippetto spake the following: > Sorry, I read the pdf manual and I also searched the wiki pages but I > did not find an answer on how to set this. > > Can you please tell me where you find documentation about this configuration? > > Thank you very much. 
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:install about halfway down the page in the section titled "Install & Configure MailWatch" This is almost word for word like the INSTALL doc in the mailwatch tarball that you read. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081203/d66071e5/signature.bin From lists at rheel.co.nz Thu Dec 4 01:29:44 2008 From: lists at rheel.co.nz (Lists) Date: Thu Dec 4 01:29:09 2008 Subject: MailScanner Reload error In-Reply-To: References: <49359B3A.3020202@rheel.co.nz> Message-ID: <49373288.3090300@rheel.co.nz> Alex Neuman van der Hans wrote: > Only if it was supposed to be running in the first place. It's > basically saying "Hey, I tried going through the list of process id > (pid) numbers on this text file to tell the MailScanner processes to > reload, but one (or more) of them aren't there!". > > On Dec 2, 2008, at 3:31 PM, Lists wrote: > >> Reloading MailScanner workers: >> MailScanner: kill -10449: No such process >> kill 9570: No such process >> >> Does this indicate an error that I need to sort out? > MailScanner is definately running at the time I do the reload so its a problem that its not finding the process to reload isn't it? 
Kate From alex at rtpty.com Thu Dec 4 02:12:43 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Dec 4 02:13:04 2008 Subject: Mailscanner-Mailwatch Virii report In-Reply-To: References: <492DA09D.1000208@ptera.net> <72cf361e0812030221l34bcafa3qa14786f3da0cde70@mail.gmail.com> Message-ID: <07114ECC-78BA-4AE0-A5A5-714D970421C5@rtpty.com> On a lighter note, although there is little consensus on the virus vs viruses dilemma, pretty much everyone agrees virii means "of the male" or words to that effect... On Dec 3, 2008, at 2:51 PM, "Brad Dokken" wrote: > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Ronald Weiss >> Sent: Wednesday, December 03, 2008 2:43 AM >> To: MailScanner discussion >> Subject: Re: Mailscanner-Mailwatch Virii report >> >> Martin, >> >> Virus Scanners = clamd >> >> > > You need to make some changes to the mailwatch files in > /var/www/html/mailscanner/ as follows: > > functions.php > case 'clamd': > define(VIRUS_REGEX, '/(.+) was infected: (\S+)/'); > break; > > rep_viruses.php > case("clamd"): > $scanner[$vscanner]['name'] = "ClamD"; > $scanner[$vscanner]['regexp'] = "/(.+) was infected: (\S+)/"; > break; > > In the above I only had to change to "was infected" from the original > "contains". This will depend on how old your MailWatch files are, > older > versions don't have the ClamD entries. > > Brad > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
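
Added example, not part of the thread and not MailWatch code: the clamd pattern quoted above, applied to constructed report lines, with any line that no pattern matches kept visible instead of silently dropped from the virus report. The "contains" pattern is an assumed reconstruction of the older regex; the function names, file names and signature names are hypothetical.

```php
<?php
// Added illustration, not MailWatch source. The "was infected" pattern is the
// one quoted in the thread; the "contains" pattern is its assumed older form.
const CLAMD_PATTERNS = [
    'was infected' => '/(.+) was infected: (\S+)/',
    'contains'     => '/(.+) contains (\S+)/',
];

/**
 * Try each known wording on one report line.
 * Returns ['wording' => ..., 'file' => ..., 'virus' => ...] or null.
 */
function parse_report_line(string $line): ?array
{
    foreach (CLAMD_PATTERNS as $wording => $regex) {
        if (preg_match($regex, $line, $m) === 1) {
            return ['wording' => $wording, 'file' => trim($m[1]), 'virus' => $m[2]];
        }
    }
    return null;
}

/**
 * Count detections per virus name and collect every line that no pattern
 * matched, so a change in the scanner's wording shows up as "unmatched"
 * rather than as an empty report.
 */
function tally_viruses(array $lines): array
{
    $counts = [];
    $unmatched = [];
    foreach ($lines as $line) {
        $hit = parse_report_line($line);
        if ($hit === null) {
            $unmatched[] = $line;
            continue;
        }
        $counts[$hit['virus']] = ($counts[$hit['virus']] ?? 0) + 1;
    }
    arsort($counts); // most frequent first, as a "top viruses" listing would show them
    return ['counts' => $counts, 'unmatched' => $unmatched];
}

// Constructed sample report lines (file names and signature names are made up).
$sample = [
    './1/invoice.zip was infected: Trojan.Example-1',
    './2/photo.scr was infected: Worm.Example-2',
    './3/invoice.zip was infected: Trojan.Example-1',
    './4/old.exe contains Worm.Example-2',        // older wording
    './5/macro.doc: Example.Macro-3 FOUND',       // wording neither pattern knows
];

$result = tally_viruses($sample);
foreach ($result['counts'] as $virus => $n) {
    printf("%-20s %d\n", $virus, $n);
}
foreach ($result['unmatched'] as $line) {
    echo "no pattern matched: $line\n";
}
```
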
From maxsec at gmail.com Thu Dec 4 08:21:00 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Dec 4 08:21:09 2008
Subject: MailScanner Reload error
In-Reply-To: <49373288.3090300@rheel.co.nz>
References: <49359B3A.3020202@rheel.co.nz> <49373288.3090300@rheel.co.nz>
Message-ID: <72cf361e0812040021l24ba1f35lebd751d4c668e86b@mail.gmail.com>

2008/12/4 Lists :
> Alex Neuman van der Hans wrote:
>>
>> Only if it was supposed to be running in the first place. It's basically
>> saying "Hey, I tried going through the list of process id (pid) numbers on
>> this text file to tell the MailScanner processes to reload, but one (or
>> more) of them aren't there!".
>>
>> On Dec 2, 2008, at 3:31 PM, Lists wrote:
>>
>>> Reloading MailScanner workers:
>>> MailScanner: kill -10449: No such process
>>> kill 9570: No such process
>>>
>>> Does this indicate an error that I need to sort out?
>>
> MailScanner is definitely running at the time I do the reload so it's a
> problem that it's not finding the process to reload isn't it?
> Kate

Kate,
do the processes with those IDs actually exist, or has MailScanner got itself confused somewhere?
I guess a ps before and after the reload to check.

--
Martin Hepworth
Oxford, UK

From maxsec at gmail.com Thu Dec 4 08:28:58 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Dec 4 08:29:07 2008
Subject: Emails on HOLD not processed and delivered Still!
In-Reply-To: <49370D44.7070109@ptera.net>
References: <4936FE88.9000702@ptera.net> <49370137.2080801@USherbrooke.ca> <49370D44.7070109@ptera.net>
Message-ID: <72cf361e0812040028p280d451cube8c778f93a8e467@mail.gmail.com>

2008/12/3 Arthur Stephens :
> Denis Beauchemin wrote:
>>
>> Arthur Stephens wrote:
>>>
>>> OK I am about to shut off MailScanner -
>>> Before it was a customer's emails that were disappearing. There are a lot
>>> of these in my logs. :-(
>>> Now emails to support@ptera.net - which I understandably NEED to get are
>>> disappearing also.
>>> Here is the trace in the logs showing that the email is received ( I sent
>>> this one myself) and put on hold and that is the last we see of it.
>>>
>>> [root@mailgate ~]# grep A4B9B6FB140: /var/log/maillog
>>> Dec 3 12:53:59 mailgate postfix/smtpd[10424]: A4B9B6FB140:
>>> client=daffy.ptera.net[69.28.32.8]
>>> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: hold:
>>> header Received: from daffy.ptera.net (daffy.ptera.net [69.28.32.8])??by
>>> mailgate.ptera.net (Postfix) with ESMTP id A4B9B6FB140??for
>>> ; Wed, 3 Dec 2008 12:53:59 -0800 (PST) from
>>> daffy.ptera.net[69.28.32.8]; from=
>>> to= proto=ESMTP helo=
>>> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140:
>>> message-id=<4936F88F.9070105@ptera.net>
>>> [root@mailgate ~]#
>>
>>
>> Arthur,
>>
>> I don't see any log from MailScanner. Are you sure it is running? If so,
>> do you get any error messages from "MailScanner --lint" ?
>>
>> Denis
>>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-Ptera-MailScanner-From
>
> I fixed that only one that showed up from running "MailScanner --lint"
>
> Yes MailScanner is running - that is just a trace for that email
> (A4B9B6FB140:)
> [root@mailgate ~]# tail -f /var/log/maillog | grep MailScanner
> Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Found 34 messages
> waiting
> Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Scanning 2 messages,
> 21644 bytes
> Dec 3 14:21:25 mailgate MailScanner[27025]: Virus and Content Scanning:
> Starting
> Dec 3 14:21:26 mailgate MailScanner[27021]: Content Checks: Detected and
> have disarmed web bug tags in HTML message in EAC526FB1A4.8D9A5 from
> 417.4.63163490-559395@uninterestedactivity.com
> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 9067B6FB0D3.7652B to
> 2584E6FB1B7
> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 0A3F56FB1AF.5DCD8 to
> 39E696FB0D3
> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: E94806FB1B1.D44E0 to
> 520136FB1AF
> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: EAC526FB1A4.8D9A5 to
> 50A286FB1B1
> Dec 3 14:21:26 mailgate MailScanner[27021]: Uninfected: Delivered 4
> messages
> Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Found 31 messages
> waiting
> Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Scanning 1 messages,
> 18590 bytes
> Dec 3 14:21:31 mailgate MailScanner[27033]: Virus and Content Scanning:
> Starting
> Dec 3 14:21:31 mailgate MailScanner[27013]: Spam Checks: Found 1 spam
> messages
> Dec 3 14:21:31 mailgate MailScanner[27013]: Virus and Content Scanning:
> Starting
> Dec 3 14:21:32 mailgate MailScanner[27058]: Virus and Content Scanning:
> Starting
>
>
> --
> Arthur Stephens
> Senior Sales Technician
> Ptera Wireless Internet Service
> PO Box 135
> Liberty Lake, WA 99019
> 509-927-7837
> For technical support visit http://www.ptera.net/support
> -----------------------------------------------------------------------------
> "This message may contain confidential and/or propriety information,
> and is intended for the person/entity to whom it was originally
> addressed. Any use by others is strictly prohibited.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company."
>

Arthur
is this email still in the hold or just disappeared from the queue?

Anything else in the hold/incoming queues other than queue files?
(check hidden or . files as well).

--
Martin Hepworth
Oxford, UK

From marcel-ml at irc-addicts.de Thu Dec 4 08:29:23 2008
From: marcel-ml at irc-addicts.de (Marcel Blenkers)
Date: Thu Dec 4 08:30:34 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To: <49356831.3020308@xpear.de>
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost> <49356831.3020308@xpear.de>
Message-ID:

Hi Folks,

maybe I am wrong here but my MailScanner-Setup sends to the recipient the Mail with the Virus deleted and inserted the "Warning-TXT"-File instead.

And within the Mail, right under the Mailtext from the original Mail, the user will find the Text that File xyz got deleted because of whatever the Virus-Scanners do have to say.

Also included within this message, there is the original Message-ID, so that the User can

a) lock into MailWatch-Website, type the Message-ID and release the Message (which does not work, if the Attachment really is tagged as Virus) or
b) send the Message-ID to the Mail-Admin, so that he (or she) could release this Mail if wanted to.

Marcel

On Tue, 2 Dec 2008, traced wrote:
> Hi Guys,
>
> thanks a lot for all your replies. I think it would be the best
> way only to inform an admin about a virus, and the users about
> blocked content. I think this is the default idea behind the MS defaults.
>
> Sometimes I need a little time to think about the best solution :-)
>
> Regards,
> Bastian

From maillists at conactive.com Thu Dec 4 10:31:15 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Dec 4 10:31:32 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <87tz9kho6h.fsf@hp-factory.de>
References: <87tz9kho6h.fsf@hp-factory.de>
Message-ID:

Simon Walter wrote on Wed, 03 Dec 2008 23:46:46 +0100:

> MX invalid

> I don't know what's causing this...

The answer is here. Your MX is a CNAME.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From simon.walter at hp-factory.de Thu Dec 4 11:44:45 2008
From: simon.walter at hp-factory.de (simon.walter@hp-factory.de)
Date: Thu Dec 4 11:41:23 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To:
References: <87tz9kho6h.fsf@hp-factory.de>
Message-ID: <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com>

> Simon Walter wrote on Wed, 03 Dec 2008 23:46:46 +0100:
>
>> MX invalid
>
>> I don't know what's causing this...
>
> The answer is here. Your MX is a CNAME.

which points to an A record...
... like CNAMEs are dangerous.

Thanks for the information. I'll tell the server-admin. Perhaps he will change it.
--
Regards
Simon Walter

From glenn.steen at gmail.com Thu Dec 4 12:05:07 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 4 12:05:18 2008
Subject: Emails on HOLD not processed and delivered Still!
In-Reply-To: <4936FE88.9000702@ptera.net>
References: <4936FE88.9000702@ptera.net>
Message-ID: <223f97700812040405h33d20decu2298c8e2cae3b150@mail.gmail.com>

2008/12/3 Arthur Stephens :
> OK I am about to shut off MailScanner -

Please don't.... I'm sure we can get this working for you...:).

> Before it was a customer's emails that were disappearing. There are a lot of
> these in my logs. :-(
> Now emails to support@ptera.net - which I understandably NEED to get are
> disappearing also.
> Here is the trace in the logs showing that the email is received ( I sent
> this one myself) and put on hold and that is the last we see of it.

And it doesn't somehow end up in the quarantine or somesuch? Is A4B9B6FB140 still in the hold queue?

>
> [root@mailgate ~]# grep A4B9B6FB140: /var/log/maillog
> Dec 3 12:53:59 mailgate postfix/smtpd[10424]: A4B9B6FB140:
> client=daffy.ptera.net[69.28.32.8]
> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: hold: header
> Received: from daffy.ptera.net (daffy.ptera.net [69.28.32.8])??by
> mailgate.ptera.net (Postfix) with ESMTP id A4B9B6FB140??for
> ; Wed, 3 Dec 2008 12:53:59 -0800 (PST) from
> daffy.ptera.net[69.28.32.8]; from=
> to= proto=ESMTP helo=
> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140:
> message-id=<4936F88F.9070105@ptera.net>
> [root@mailgate ~]#
>
> I have upgraded MailScanner to
> This is MailScanner version 4.72.5

This version has a known bug. Do you see any MailScanner process(es) eating 100% CPU, and ... staying there? If so, you need to upgrade to the latest beta, or find/use the fixed Message.pm file Jules posted rather recently.

I suspect that bug would _not_ affect whatever is making things ... not work... for you.
(snip)
> Optional module versions are:
> missing Archive::Tar
> 0.21 bignum
> missing Business::ISBN
> missing Business::ISBN::Data
> missing Data::Dump
> 1.814 DB_File
> 1.13 DBD::SQLite
> 1.56 DBI
> 1.14 Digest
> 1.01 Digest::HMAC
> 2.36 Digest::MD5
> 2.11 Digest::SHA1
> missing Encode::Detect
> missing Error
> missing ExtUtils::CBuilder
> missing ExtUtils::ParseXS
> 2.36 Getopt::Long
> missing Inline
> missing IO::String
> missing IO::Zlib
> missing IP::Country
> missing Mail::ClamAV
> 3.001000 Mail::SpamAssassin
> missing Mail::SPF
> missing Mail::SPF::Query
> missing Module::Build
> missing Net::CIDR::Lite
> 0.63 Net::DNS
> missing Net::DNS::Resolver::Programmable
> missing Net::LDAP
> missing NetAddr::IP
> missing Parse::RecDescent
> missing SAVI
> 2.56 Test::Harness
> missing Test::Manifest
> 1.95 Text::Balanced
> 1.35 URI
> missing version
> missing YAML
>

I usually make sure all the optional (except SAVI, since I don't use that) modules are there too, just in case they weren't as optional as they seem:-). Might be worth doing for you too.

> I went over the config files again, trying to find stuff not configured etc.
>
> My postfix is version Postfix version 2.3.8
> with this config...
> command_directory = /usr/sbin
> daemon_directory = /usr/libexec/postfix
> inet_interfaces = localhost, 69.28.32.25
> mydestination = mailgate.ptera.net
> myorigin = localhost

Ok... not "ptera.net" then?
> smtpd_banner = mailgate.ptera.net NO UCE ESMTP
> unknown_local_recipient_reject_code = 550
> relay_domains = ptera.net, tylite.com, pdi-inc.com, avistaadvantage.com,
> 134.39.173.11
> transport_maps = hash:/etc/postfix/transport
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> header_checks = regexp:/etc/postfix/header_checks
> debug_peer_level = 2
> debugger_command =
> PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
> xxgdb $daemon_directory/$process_name $process_id & sleep 5
> sendmail_path = /usr/sbin/sendmail.postfix
> newaliases_path = /usr/bin/newaliases.postfix
> mailq_path = /usr/bin/mailq.postfix
> setgid_group = postdrop
> html_directory = /usr/share/doc/postfix-2.3.8-documentation/html
> manpage_directory = /usr/share/man
> sample_directory = /usr/share/doc/postfix-2.2.8/samples
> readme_directory = /usr/share/doc/postfix-2.3.8-documentation/readme
> smtpd_recipient_restrictions =
> reject_invalid_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_rbl_client
> domain-name,reject_unauth_destination,check_policy_service
> inet:127.0.0.1:2501
> receive_override_options = no_address_mappings
> message_size_limit = 46080000
> maximal_queue_lifetime = 1d
> bounce_queue_lifetime = 1d
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit
> luser_relay = address_mapped_to_dev_null
> disable_vrfy_command = yes
> biff = no
> smtpd_delay_reject = yes
> strict_rfc821_envelopes = yes
> queue_directory = /var/spool/postfix
> mail_owner = postfix
>

You could do some helo checks and possibly a few other things, and I wonder about the luser relay... Shouldn't be a problem, but...:-). Try make that an actual local mailbox and see what lands there... If anything.

Gut feeling, this is something very local to your setup/machines, but probably relatively insidious....:-).
If you look beyond the mail, do you have anything suspicious in your syslog?

And BTW, grepping the log for a specific queue ID isn't really enough when it comes to PF and MS. You likely need read the complete log rather thoroughly. Also, if you do split logs, don't just look at the info part, but also look at the warnings and error logs (syslog usually carry it all).

If you try follow the flow of one message through the log, via queue ID and PIDs etc, do you see anything ... of interest?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Dec 4 12:14:08 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 4 12:14:18 2008
Subject: Can I inform recipients about a quarantined virus?
In-Reply-To:
References: <77c6c77beab7f06f7c9f03c73f0772a3@localhost> <49356831.3020308@xpear.de>
Message-ID: <223f97700812040414y12f9c1cer78d064d3bb5100be@mail.gmail.com>

2008/12/4 Marcel Blenkers :
> Hi Folks,
>
> maybe I am wrong here but my MailScanner-Setup sends to the recipient the
> Mail with the Virus deleted and inserted the "Warning-TXT"-File instead.
>
> And within the Mail, right under the Mailtext from the original Mail, the
> user will find the Text that File xyz got deleted because of whatever the
> Virus-Scanners do have to say.
>
> Also included within this message, there is the original Message-ID, so
> that the User can
>
> a) lock into MailWatch-Website, type the Message-ID and release the
> Message (which does not work, if the Attachment really is tagged as Virus)
> or
> b) send the Message-ID to the Mail-Admin, so that he (or she) could
> release this Mail if wanted to.
>
> Marcel
>

This depends on your setting of "Silent Viruses" and "Still Deliver Silent Viruses", more than anything.

Cheers
--
-- Glenn

> On Tue, 2 Dec 2008, traced wrote:
>
>> Hi Guys,
>>
>> thanks a lot for all your replies. I think it would be the best
>> way only to inform an admin about a virus, and the users about
>> blocked content. I think this is the default idea behind the MS defaults.
>>
>> Sometimes I need a little time to think about the best solution :-)
>>
>> Regards,
>> Bastian

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Dec 4 12:29:44 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 4 12:29:55 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com>
References: <87tz9kho6h.fsf@hp-factory.de> <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com>
Message-ID: <223f97700812040429v4786f2dcnb2a359dcf4b302c7@mail.gmail.com>

2008/12/4 :
>> Simon Walter wrote on Wed, 03 Dec 2008 23:46:46 +0100:
>>
>>> MX invalid
>>
>>> I don't know what's causing this...
>>
>> The answer is here. Your MX is a CNAME.
>
> which points to an A record...
> ... like CNAMEs are dangerous.

So ...? They aren't allowed for MXs.

One could likely say pretty much the same about the "scary tmp/symlink" things:-). One thing to note... If you run something that doesn't run as root, the vulnerability is more or less completely nullified. So we PF users are safe from our users, AFAICS:-).
Or was there more to the attack vector than that?

> Thanks for the information. I'll tell the server-admin. Perhaps he will
> change it.
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Thu Dec 4 13:31:29 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Dec 4 13:31:40 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com>
References: <87tz9kho6h.fsf@hp-factory.de> <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com>
Message-ID:

Simon.walter@hp-factory.de wrote on Thu, 4 Dec 2008 11:44:45 -0000 (UTC):

> which points to an A record...
> ... like CNAMEs are dangerous.

It doesn't matter what it is. The point is that RFC doesn't like it for MX records. That should be very well known to any server admin. And so some mailservers don't accept mail from such sources.
I personally cannot see any connection between this and the chance of getting spam from that source. It's a good example of an anti-spam measure that is counter-productive. But you have to live with it and it's easy to fix it.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Thu Dec 4 14:07:48 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 4 14:07:58 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To:
References: <87tz9kho6h.fsf@hp-factory.de> <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com>
Message-ID: <223f97700812040607r7b4514e7g9a894ba595643fdc@mail.gmail.com>

2008/12/4 Kai Schaetzl :
> Simon.walter@hp-factory.de wrote on Thu, 4 Dec 2008 11:44:45 -0000 (UTC):
>
>> which points to an A record...
>> ... like CNAMEs are dangerous.
>
> It doesn't matter what it is. The point is that RFC doesn't like it for MX
> records. That should be very well known to any server admin. And so some
> mailservers don't accept mail from such sources.
> I personally cannot see any connection between this and the chance of
> getting spam from that source. It's a good example of an anti-spam measure
> that is counter-productive. But you have to live with it and it's easy to
> fix it.

I don't agree that it is counterproductive, nor really an anti-spam measure. What it comes down to is that BMX is strict about the letter of the law (the RFCs). Since it is, it has to be strict about it all. There is no such thing as "half-way strict":-). If you want to be strict about things that do matter (like the actual format of the EHLO/HELO string), it would be a double standard to NOT be strict about the "no CNAME MX" rule.

Now, some may argue that the RFCs prohibit a lookup from being the basis of a rejection, but ... the RFCs also state that blatant errors are to be rejected... One can play "devils advocate" with it, but ... I'm all for rejecting all errors. Leniency == acceptance of bad behavior == problems in the future...:-).

Anyway, I guess all are entitled to their own views:-)

> Kai
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve at fsl.com Thu Dec 4 14:11:26 2008
From: steve at fsl.com (Stephen Swaney)
Date: Thu Dec 4 14:11:47 2008
Subject: adhere to all of the RFCs
In-Reply-To:
References: <87tz9kho6h.fsf@hp-factory.de> <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com>
Message-ID: <4937E50E.70207@fsl.com>

Kai Schaetzl wrote:
> Simon.walter@hp-factory.de wrote on Thu, 4 Dec 2008 11:44:45 -0000 (UTC):
>
>
>> which points to an A record...
>> ... like CNAMEs are dangerous.
>>
>
> It doesn't matter what it is. The point is that RFC doesn't like it for MX
> records. That should be very well known to any server admin. And so some
> mailservers don't accept mail from such sources.
> I personally cannot see any connection between this and the chance of
> getting spam from that source. It's a good example of an anti-spam measure
> that is counter-productive. But you have to live with it and it's easy to
> fix it.
>
> Kai
>
>

Sorry I changed the thread subject but it was so far off topic that . . . .

There is a principle here that most sites and programs that attempt to stop spam have been adopting. Simply put, it is:

Sites that send email should understand and adhere to all of the RFCs which address email transmission and delivery.

It's one of the ways a receiving site can use to determine if the sender is someone that you want to accept email from. I expect this trend to continue. And it's not unreasonable, when over 90% of all email is spam, that you should know how to correctly set up and administer an email system if you want people to accept your messages.

Steve

Steve Swaney
steve@fsl.com
www.fsl.com

From simon.walter at hp-factory.de Thu Dec 4 14:22:44 2008
From: simon.walter at hp-factory.de (simon.walter@hp-factory.de)
Date: Thu Dec 4 14:19:22 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <223f97700812040429v4786f2dcnb2a359dcf4b302c7@mail.gmail.com>
References: <87tz9kho6h.fsf@hp-factory.de> <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com> <223f97700812040429v4786f2dcnb2a359dcf4b302c7@mail.gmail.com>
Message-ID: <42216.62.128.6.83.1228400564.squirrel@mail.lksoft.com>

> 2008/12/4 :
>>> Simon Walter wrote on Wed, 03 Dec 2008 23:46:46 +0100:
>>>> MX invalid
>>>> I don't know what's causing this...
>>> The answer is here. Your MX is a CNAME.
>> which points to an A record...
>> ... like CNAMEs are dangerous.
> So ...? They aren't allowed for MXs.

Didn't know that, but the RFC seems quite clear on this.
> One could likely say pretty much the same about the "scary
> tmp/symlink" things:-). One thing to note... If you run something that
> doesn't run as root, the vulnerability is more or less completely
> nullified. So we PF users are safe from our users, AFAICS:-).
> Or was there more to the attack vector than that?

Running MailScanner or anything else as root is the worst-case-scenario for the "scary tmp/symlink" thing. If you don't run it as root you probably run it as a user who has access to the mailserver spool-directory and I'm certain you don't want any other user be able to gain this privilege.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5313
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5312

--
Regards
Simon Walter

From glenn.steen at gmail.com Thu Dec 4 15:15:36 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 4 15:15:48 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <42216.62.128.6.83.1228400564.squirrel@mail.lksoft.com>
References: <87tz9kho6h.fsf@hp-factory.de> <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com> <223f97700812040429v4786f2dcnb2a359dcf4b302c7@mail.gmail.com> <42216.62.128.6.83.1228400564.squirrel@mail.lksoft.com>
Message-ID: <223f97700812040715m1a0d91eftd7f689ae135d6fef@mail.gmail.com>

2008/12/4 :
>> 2008/12/4 :
>>>> Simon Walter wrote on Wed, 03 Dec 2008 23:46:46 +0100:
>>>>> MX invalid
>>>>> I don't know what's causing this...
>>>> The answer is here. Your MX is a CNAME.
>>> which points to an A record...
>>> ... like CNAMEs are dangerous.
>> So ...? They aren't allowed for MXs.
>
> Didn't know that, but the RFC seems quite clear on this.
>
>
>> One could likely say pretty much the same about the "scary
>> tmp/symlink" things:-). One thing to note... If you run something that
>> doesn't run as root, the vulnerability is more or less completely
>> nullified. So we PF users are safe from our users, AFAICS:-).
>> Or was there more to the attack vector than that?
>
> Running MailScanner or anything else as root is the worst-case-scenario
> for the "scary tmp/symlink" thing. If you don't run it as root you
> probably run it as a user who has access to the mailserver spool-directory
> and I'm certain you don't want any other user be able to gain this
> privilege.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5313
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5312
>

Yes, I do agree that you can make MailScanner do silly things with this. But it isn't an attack vector to "bypass" any file level security though. You can make it "shit" where it eats, or fubar any file the Run As user has write permissions for, but you cannot really make it "write arbitrary data"... Anyway, that is neither here nor there.

To make these "go away"... I suppose one would either need do
- priv separation and jailing (complex, pesky...:-), or
- Not use tmp space (or rather ... commonly writable directories)... Might be workable, or
- safeguard against uses of symlinks for these files. A simple stat would likely be all needed... In a myriad places:-). And some clever way to ... fail... or amend the situation.

Oh well. I suppose Jules will know what to do ... or not do... once he feels up to it.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From astephens at ptera.net Thu Dec 4 16:37:07 2008
From: astephens at ptera.net (Arthur Stephens)
Date: Thu Dec 4 16:37:24 2008
Subject: Emails on HOLD not processed and delivered Still!
In-Reply-To: <72cf361e0812040028p280d451cube8c778f93a8e467@mail.gmail.com>
References: <4936FE88.9000702@ptera.net> <49370137.2080801@USherbrooke.ca> <49370D44.7070109@ptera.net> <72cf361e0812040028p280d451cube8c778f93a8e467@mail.gmail.com>
Message-ID: <49380733.3030808@ptera.net>

Martin Hepworth wrote:
> 2008/12/3 Arthur Stephens :
>
>> Denis Beauchemin wrote:
>>
>>> Arthur Stephens wrote:
>>>
>>>> OK I am about to shut off MailScanner -
>>>> Before it was a customer's emails that were disappearing. There are a lot
>>>> of these in my logs. :-(
>>>> Now emails to support@ptera.net - which I understandably NEED to get are
>>>> disappearing also.
>>>> Here is the trace in the logs showing that the email is received ( I sent
>>>> this one myself) and put on hold and that is the last we see of it.
>>>>
>>>> [root@mailgate ~]# grep A4B9B6FB140: /var/log/maillog
>>>> Dec 3 12:53:59 mailgate postfix/smtpd[10424]: A4B9B6FB140:
>>>> client=daffy.ptera.net[69.28.32.8]
>>>> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: hold:
>>>> header Received: from daffy.ptera.net (daffy.ptera.net [69.28.32.8])??by
>>>> mailgate.ptera.net (Postfix) with ESMTP id A4B9B6FB140??for
>>>> ; Wed, 3 Dec 2008 12:53:59 -0800 (PST) from
>>>> daffy.ptera.net[69.28.32.8]; from=
>>>> to= proto=ESMTP helo=
>>>> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140:
>>>> message-id=<4936F88F.9070105@ptera.net>
>>>> [root@mailgate ~]#
>>>>
>>> Arthur,
>>>
>>> I don't see any log from MailScanner. Are you sure it is running? If so,
>>> do you get any error messages from "MailScanner --lint" ?
>>>
>>> Denis
>>>
>>>
>> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
>> ERROR: is not correct, it should match X-Ptera-MailScanner-From
>>
>> I fixed that only one that showed up from running "MailScanner --lint"
>>
>> Yes MailScanner is running - that is just a trace for that email
>> (A4B9B6FB140:)
>> [root@mailgate ~]# tail -f /var/log/maillog | grep MailScanner
>> Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Found 34 messages
>> waiting
>> Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Scanning 2 messages,
>> 21644 bytes
>> Dec 3 14:21:25 mailgate MailScanner[27025]: Virus and Content Scanning:
>> Starting
>> Dec 3 14:21:26 mailgate MailScanner[27021]: Content Checks: Detected and
>> have disarmed web bug tags in HTML message in EAC526FB1A4.8D9A5 from
>> 417.4.63163490-559395@uninterestedactivity.com
>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 9067B6FB0D3.7652B to
>> 2584E6FB1B7
>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 0A3F56FB1AF.5DCD8 to
>> 39E696FB0D3
>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: E94806FB1B1.D44E0 to
>> 520136FB1AF
>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: EAC526FB1A4.8D9A5 to
>> 50A286FB1B1
>> Dec 3 14:21:26 mailgate MailScanner[27021]: Uninfected: Delivered 4
>> messages
>> Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Found 31 messages
>> waiting
>> Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Scanning 1 messages,
>> 18590 bytes
>> Dec 3 14:21:31 mailgate MailScanner[27033]: Virus and Content Scanning:
>> Starting
>> Dec 3 14:21:31 mailgate MailScanner[27013]: Spam Checks: Found 1 spam
>> messages
>> Dec 3 14:21:31 mailgate MailScanner[27013]: Virus and Content Scanning:
>> Starting
>> Dec 3 14:21:32 mailgate MailScanner[27058]: Virus and Content Scanning:
>> Starting
>>
>>
>> --
>> Arthur Stephens
>> Senior Sales Technician
>> Ptera Wireless Internet Service
>> PO Box 135
>> Liberty Lake, WA 99019
>> 509-927-7837
>> For technical support visit http://www.ptera.net/support
>>
>
>
> Arthur
> is this email still in the hold or just disappeared from the queue?
>
> Anything else in the hold/incoming queues other than queue files?
> (check hidden or . files as well).
>
>

I double checked - the file is never in the queue -just disappeared.
I also checked the other files also and there are just queue files there.
I have been trying to come up with a way to track in real time one of these messages but I have to coordinate it with an email sender.
I need to do a list on the queue directory while watching the log similar to the -f flag of tail command.

Thanks
Arthur

--
Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet Service
PO Box 135
Liberty Lake, WA 99019
509-927-7837
For technical support visit http://www.ptera.net/support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081204/01ae53b4/attachment.html

From nikolaos.pavlidis at beds.ac.uk Thu Dec 4 17:25:17 2008
From: nikolaos.pavlidis at beds.ac.uk (nikolaos pavlidis)
Date: Thu Dec 4 17:25:33 2008
Subject: MailScanner + Sys:Syslog problem
Message-ID: <4938127D0200002700026535@gwiadom.oes.beds.ac.uk>

Hello all,

I have stumbled upon a problem with MailScanner, and I cannot seem to get around it. It would be greatly appreciated if someone could provide me with some help on this.

The OS is Solaris 10 (10/08), it has clamd installed and running as root; razor and DCC also installed.

MailScanner shows an unreasonable behaviour, immediately forking out "Max Children" processes without ANY traffic going to the box. I have set MS to run in debug mode, SA on debug as well and play out on foreground. The result was:

[2109] dbg: bayes: files locked, now unlocking lock
[2109] dbg: locker: safe_unlock: unlocked /var/spool/MailScanner/spamassassin/bayes.mutex
[2109] dbg: learn: initializing learner
File checker failed with real error: no connection to syslog available
 - udp connect: nobody listening at /opt/MailScanner/lib/MailScanner/Log.pm line 170
 at /opt/MailScanner/lib/MailScanner/SweepOther.pm line 386
Failed.

my Sys::Syslog version is 0.27 which I have installed using

perlgcc -MCPAN -e 'install Sys::Syslog'

and the only perl modules I haven't installed are:

missing Business::ISBN
missing Data::Dump
missing ExtUtils::ParseXS
missing Mail::ClamAV
missing Mail::SPF (I have Mail::SPF::Query)
missing Net::LDAP
missing NetAddr::IP
missing SAVI

I would think by the looks of it there seems to be a problem with Sys:Syslog. I run this perl script example to check the module:

use Sys::Syslog;
syslog('notice', 'fooprogram: this is really done');

and it produced no logs at all.

If you need more information about the system I would be glad to provide it.
Any help will be greatly appreciated. Thank you in advance.

Regards,

Nik

--
Nikolaos Pavlidis BSc (Hons) MBCS NCLP
System Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277

From maillists at conactive.com Thu Dec 4 17:31:24 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Dec 4 17:31:33 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <223f97700812040607r7b4514e7g9a894ba595643fdc@mail.gmail.com>
References: <87tz9kho6h.fsf@hp-factory.de> <54148.62.128.6.83.1228391085.squirrel@mail.lksoft.com> <223f97700812040607r7b4514e7g9a894ba595643fdc@mail.gmail.com>
Message-ID:

Glenn Steen wrote on Thu, 4 Dec 2008 15:07:48 +0100:

> Now, some may argue that the RFCs prohibit a lookup from being the
> basis of a rejection, but ... the RFCs also state that blatant errors
> are to be rejected...

No. They explicitly tell to be lenient on the receiving (client) side. Anyway, we don't need to discuss this here. I just wanted to point out that this specific feature is one of the few things where you can shoot yourself in the foot without gaining any extra revenue (blocking by HELO gives you lots of revenue although you may lose your foot as well ...).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From Denis.Beauchemin at USherbrooke.ca Thu Dec 4 18:26:53 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Dec 4 18:27:11 2008
Subject: MailScanner + Sys:Syslog problem
In-Reply-To: <4938127D0200002700026535@gwiadom.oes.beds.ac.uk>
References: <4938127D0200002700026535@gwiadom.oes.beds.ac.uk>
Message-ID: <493820ED.1080503@USherbrooke.ca>

nikolaos pavlidis wrote:
> Hello all,
>
> I have stumbled upon a problem with MailScanner, and I cannot seem to
> get around it.
> It would be greatly appreciated if someone could provide
> me with some help on this.
>
> The OS is Solaris 10 (10/08), it has clamd installed and running as
> root; razor and DCC also installed.
>
> MailScanner shows an unreasonable behaviour, immediately forking out
> "Max Children" processes without ANY traffic going to the box. I have
> set MS to run in debug mode, SA on debug as well and play out on
> foreground. The result was:
>
> [2109] dbg: bayes: files locked, now unlocking lock
> [2109] dbg: locker: safe_unlock:
> unlocked /var/spool/MailScanner/spamassassin/bayes.mutex
> [2109] dbg: learn: initializing learner
> File checker failed with real error: no connection to syslog available
> - udp connect: nobody listening
> at /opt/MailScanner/lib/MailScanner/Log.pm line 170
> at /opt/MailScanner/lib/MailScanner/SweepOther.pm line 386
> Failed.
>
> my Sys::Syslog version is 0.27 which I have installed using
> perlgcc -MCPAN -e 'install Sys::Syslog'
>
> and the only perl modules I haven't installed are:
>
> missing Business::ISBN
> missing Data::Dump
> missing ExtUtils::ParseXS
> missing Mail::ClamAV
> missing Mail::SPF (I have Mail::SPF::Query)
> missing Net::LDAP
> missing NetAddr::IP
> missing SAVI
>
> I would think by the looks of it there seems to be a problem with
> Sys:Syslog. I run this perl script example to check the module:
>
>
> use Sys::Syslog;
> syslog('notice', 'fooprogram: this is really done');
>
> and it produced no logs at all.
>
>
> If you need more information about the system I would be glad to provide
> it. Any help will be greatly appreciated. Thank you in advance.
>
> Regards,
>
> Nik
>

Nik,

MS always starts all its children on startup. This is its normal behaviour.

As for your syslog problem, are you sure you have a syslogd running on your server?
On Linux, if I use the following command I can see there is a process listening on syslog's port:

netstat -upa|grep syslog
udp        0      0 *:syslog        *:*        4908/syslogd

I could also use:

lsof -i udp:syslog
COMMAND  PID USER  FD  TYPE DEVICE SIZE NODE NAME
syslogd 4908 root 10u  IPv4   8018       UDP *:syslog

I don't know if Solaris has similar commands...

Hope this helps.

Denis

--
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From shuttlebox at gmail.com Thu Dec 4 18:43:08 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Dec 4 18:43:17 2008
Subject: MailScanner + Sys:Syslog problem
In-Reply-To: <4938127D0200002700026535@gwiadom.oes.beds.ac.uk>
References: <4938127D0200002700026535@gwiadom.oes.beds.ac.uk>
Message-ID: <625385e30812041043m32dfd863t8c81de67069d1348@mail.gmail.com>

On Thu, Dec 4, 2008 at 6:25 PM, nikolaos pavlidis wrote:
> File checker failed with real error: no connection to syslog available
> - udp connect: nobody listening

Syslog in Solaris 10 normally doesn't listen for remote requests. You can test with:

# netstat -a | grep syslog

You should get something like this:

      *.syslog                              Idle

Also check your /etc/default/syslogd file for the LOG_FROM_REMOTE setting, there's other ways of controlling it as well.

Which version of MailScanner do you use? Since 4.66 you are able to try different settings of Syslog Socket Type.

--
/peter

From AHKAPLAN at PARTNERS.ORG Thu Dec 4 20:36:05 2008
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Thu Dec 4 20:36:15 2008
Subject: Easy Installation Package for ClamAV 0.92.2
Message-ID:

Hi there --

ClamAV has version 0.92.2 available for download. Is there an expected date when the Easy Installation package for ClamAV and SpamAssassin will be available? Thanks.

The information in this e-mail is intended only for the person to whom it is addressed.
If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081204/da3ff8b0/attachment.html From spamlists at coders.co.uk Thu Dec 4 20:57:25 2008 From: spamlists at coders.co.uk (Matt) Date: Thu Dec 4 20:57:57 2008 Subject: MailScanner + Sys:Syslog problem In-Reply-To: <4938127D0200002700026535@gwiadom.oes.beds.ac.uk> References: <4938127D0200002700026535@gwiadom.oes.beds.ac.uk> Message-ID: <49384435.5020800@coders.co.uk> nikolaos pavlidis wrote: > [2109] dbg: bayes: files locked, now unlocking lock > [2109] dbg: locker: safe_unlock: > unlocked /var/spool/MailScanner/spamassassin/bayes.mutex > [2109] dbg: learn: initializing learner > File checker failed with real error: no connection to syslog available > - udp connect: nobody listening > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You don't appear to have syslog running on localhost -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Dec 4 23:24:17 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Dec 4 23:24:43 2008 Subject: Emails on HOLD not processed and delivered Still! 
In-Reply-To: <49380733.3030808@ptera.net> References: <4936FE88.9000702@ptera.net> <49370137.2080801@USherbrooke.ca> <49370D44.7070109@ptera.net> <72cf361e0812040028p280d451cube8c778f93a8e467@mail.gmail.com> <49380733.3030808@ptera.net> Message-ID: on 12-4-2008 8:37 AM Arthur Stephens spake the following: > Martin Hepworth wrote: >> 2008/12/3 Arthur Stephens : >> >>> Denis Beauchemin wrote: >>> >>>> Arthur Stephens a ?crit : >>>> >>>>> OK I am about to shut off MailScanner - >>>>> Before it was a customers emails that were disappearing. There are a lot >>>>> of these in my logs. :-( >>>>> Now emails to support@ptera.net - which I understandably NEED to get are >>>>> disappearing also. >>>>> Here is the trace in the logs showing that the email is received ( I sent >>>>> this one myself) and put on hold and that is the last we see of it. >>>>> >>>>> [root@mailgate ~]# grep A4B9B6FB140: /var/log/maillog >>>>> Dec 3 12:53:59 mailgate postfix/smtpd[10424]: A4B9B6FB140: >>>>> client=daffy.ptera.net[69.28.32.8] >>>>> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: hold: >>>>> header Received: from daffy.ptera.net (daffy.ptera.net [69.28.32.8])??by >>>>> mailgate.ptera.net (Postfix) with ESMTP id A4B9B6FB140??for >>>>> ; Wed, 3 Dec 2008 12:53:59 -0800 (PST) from >>>>> daffy.ptera.net[69.28.32.8]; from= >>>>> to= proto=ESMTP helo= >>>>> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: >>>>> message-id=<4936F88F.9070105@ptera.net> >>>>> [root@mailgate ~]# >>>>> >>>> Arthur, >>>> >>>> I don't see any log from MailScanner. Are you sure it is running? If so, >>>> do you get any error messages from "MailScanner --lint" ? 
>>>> >>>> Denis >>>> >>>> >>> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf >>> ERROR: is not correct, it should match X-Ptera-MailScanner-From >>> >>> I fixed that only one that showed up from running "MailScanner --lint" >>> >>> Yes MailScanner is running - that is just a trace for that email >>> (A4B9B6FB140:) >>> [root@mailgate ~]# tail -f /var/log/maillog | grep MailScanner >>> Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Found 34 messages >>> waiting >>> Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Scanning 2 messages, >>> 21644 bytes >>> Dec 3 14:21:25 mailgate MailScanner[27025]: Virus and Content Scanning: >>> Starting >>> Dec 3 14:21:26 mailgate MailScanner[27021]: Content Checks: Detected and >>> have disarmed web bug tags in HTML message in EAC526FB1A4.8D9A5 from >>> 417.4.63163490-559395@uninterestedactivity.com >>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 9067B6FB0D3.7652B to >>> 2584E6FB1B7 >>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 0A3F56FB1AF.5DCD8 to >>> 39E696FB0D3 >>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: E94806FB1B1.D44E0 to >>> 520136FB1AF >>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: EAC526FB1A4.8D9A5 to >>> 50A286FB1B1 >>> Dec 3 14:21:26 mailgate MailScanner[27021]: Uninfected: Delivered 4 >>> messages >>> Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Found 31 messages >>> waiting >>> Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Scanning 1 messages, >>> 18590 bytes >>> Dec 3 14:21:31 mailgate MailScanner[27033]: Virus and Content Scanning: >>> Starting >>> Dec 3 14:21:31 mailgate MailScanner[27013]: Spam Checks: Found 1 spam >>> messages >>> Dec 3 14:21:31 mailgate MailScanner[27013]: Virus and Content Scanning: >>> Starting >>> Dec 3 14:21:32 mailgate MailScanner[27058]: Virus and Content Scanning: >>> Starting >>> >>> >>> -- >>> Arthur Stephens >>> Senior Sales Technician >>> Ptera Wireless Internet Service >>> PO Box 135 >>> 
Liberty Lake, WA 99019 >>> 509-927-7837 >>> For technical support visit http://www.ptera.net/support >>> ----------------------------------------------------------------------------- >>> "This message may contain confidential and/or propriety information, >>> and is intended for the person/entity to whom it was originally >>> addressed. Any use by others is strictly prohibited. >>> Please note that any views or opinions presented in this email are solely >>> those of the author and are not intended to represent those of the company." >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> >> Arthur >> is this email still in the hold or just disappeared from the queue? >> >> Anything else in the hold/incoming queues other than queue files? >> (check hidden or . files as well). >> >> > I double checked - the file is never in the queue -just disappeared. > I also checked the other files also and there are just queue files there. > I have been trying to come up with a way to track in real time one of > these messages but I have to coordinate it with an email sender. > I need to do a list on the queue directory while watching the log > similar to the -f flag of tail command. > Are all the queues on the same filesystem? Under the same mountpoint? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081204/e348f2ee/signature.bin From ssilva at sgvwater.com Thu Dec 4 23:31:40 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Dec 4 23:32:05 2008 Subject: Easy Installation Package for ClamAV 0.92.2 In-Reply-To: References: Message-ID: on 12-4-2008 12:36 PM Kaplan, Andrew H. spake the following: > Hi there -- > > ClamAV has version 0.92.2 available for download. Is there an expected > date when the Easy Installation > package for ClamAV and SpamAssassin will available? Thanks. > > The information in this e-mail is intended only for the person to whom it is > addressed. If you believe this e-mail was sent to you in error and the e-mail > contains patient information, please contact the Partners Compliance HelpLine at > http://www.partners.org/complianceline . If the e-mail was sent to you in error > but does not contain patient information, please contact the sender and properly > dispose of the e-mail. > I have heard that Julian is ill right now. It might be a few days or more. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081204/12b8b0bb/signature.bin From astephens at ptera.net Fri Dec 5 01:00:10 2008 From: astephens at ptera.net (Arthur Stephens) Date: Fri Dec 5 01:00:30 2008 Subject: Emails on HOLD not processed and delivered Still! 
In-Reply-To: References: <4936FE88.9000702@ptera.net> <49370137.2080801@USherbrooke.ca> <49370D44.7070109@ptera.net> <72cf361e0812040028p280d451cube8c778f93a8e467@mail.gmail.com> <49380733.3030808@ptera.net> Message-ID: <49387D1A.301@ptera.net> Scott Silva wrote: > on 12-4-2008 8:37 AM Arthur Stephens spake the following: > >> Martin Hepworth wrote: >> >>> 2008/12/3 Arthur Stephens : >>> >>> >>>> Denis Beauchemin wrote: >>>> >>>> >>>>> Arthur Stephens a ?crit : >>>>> >>>>> >>>>>> OK I am about to shut off MailScanner - >>>>>> Before it was a customers emails that were disappearing. There are a lot >>>>>> of these in my logs. :-( >>>>>> Now emails to support@ptera.net - which I understandably NEED to get are >>>>>> disappearing also. >>>>>> Here is the trace in the logs showing that the email is received ( I sent >>>>>> this one myself) and put on hold and that is the last we see of it. >>>>>> >>>>>> [root@mailgate ~]# grep A4B9B6FB140: /var/log/maillog >>>>>> Dec 3 12:53:59 mailgate postfix/smtpd[10424]: A4B9B6FB140: >>>>>> client=daffy.ptera.net[69.28.32.8] >>>>>> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: hold: >>>>>> header Received: from daffy.ptera.net (daffy.ptera.net [69.28.32.8])??by >>>>>> mailgate.ptera.net (Postfix) with ESMTP id A4B9B6FB140??for >>>>>> ; Wed, 3 Dec 2008 12:53:59 -0800 (PST) from >>>>>> daffy.ptera.net[69.28.32.8]; from= >>>>>> to= proto=ESMTP helo= >>>>>> Dec 3 12:53:59 mailgate postfix/cleanup[12082]: A4B9B6FB140: >>>>>> message-id=<4936F88F.9070105@ptera.net> >>>>>> [root@mailgate ~]# >>>>>> >>>>>> >>>>> Arthur, >>>>> >>>>> I don't see any log from MailScanner. Are you sure it is running? If so, >>>>> do you get any error messages from "MailScanner --lint" ? 
>>>>> >>>>> Denis >>>>> >>>>> >>>>> >>>> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf >>>> ERROR: is not correct, it should match X-Ptera-MailScanner-From >>>> >>>> I fixed that only one that showed up from running "MailScanner --lint" >>>> >>>> Yes MailScanner is running - that is just a trace for that email >>>> (A4B9B6FB140:) >>>> [root@mailgate ~]# tail -f /var/log/maillog | grep MailScanner >>>> Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Found 34 messages >>>> waiting >>>> Dec 3 14:21:23 mailgate MailScanner[27067]: New Batch: Scanning 2 messages, >>>> 21644 bytes >>>> Dec 3 14:21:25 mailgate MailScanner[27025]: Virus and Content Scanning: >>>> Starting >>>> Dec 3 14:21:26 mailgate MailScanner[27021]: Content Checks: Detected and >>>> have disarmed web bug tags in HTML message in EAC526FB1A4.8D9A5 from >>>> 417.4.63163490-559395@uninterestedactivity.com >>>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 9067B6FB0D3.7652B to >>>> 2584E6FB1B7 >>>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: 0A3F56FB1AF.5DCD8 to >>>> 39E696FB0D3 >>>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: E94806FB1B1.D44E0 to >>>> 520136FB1AF >>>> Dec 3 14:21:26 mailgate MailScanner[27021]: Requeue: EAC526FB1A4.8D9A5 to >>>> 50A286FB1B1 >>>> Dec 3 14:21:26 mailgate MailScanner[27021]: Uninfected: Delivered 4 >>>> messages >>>> Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Found 31 messages >>>> waiting >>>> Dec 3 14:21:26 mailgate MailScanner[27021]: New Batch: Scanning 1 messages, >>>> 18590 bytes >>>> Dec 3 14:21:31 mailgate MailScanner[27033]: Virus and Content Scanning: >>>> Starting >>>> Dec 3 14:21:31 mailgate MailScanner[27013]: Spam Checks: Found 1 spam >>>> messages >>>> Dec 3 14:21:31 mailgate MailScanner[27013]: Virus and Content Scanning: >>>> Starting >>>> Dec 3 14:21:32 mailgate MailScanner[27058]: Virus and Content Scanning: >>>> Starting >>>> >>>> >>>> -- >>>> Arthur Stephens >>>> Senior Sales Technician 
>>>> Ptera Wireless Internet Service >>>> PO Box 135 >>>> Liberty Lake, WA 99019 >>>> 509-927-7837 >>>> For technical support visit http://www.ptera.net/support >>>> ----------------------------------------------------------------------------- >>>> "This message may contain confidential and/or propriety information, >>>> and is intended for the person/entity to whom it was originally >>>> addressed. Any use by others is strictly prohibited. >>>> Please note that any views or opinions presented in this email are solely >>>> those of the author and are not intended to represent those of the company." >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >>>> >>>> >>> Arthur >>> is this email still in the hold or just disappeared from the queue? >>> >>> Anything else in the hold/incoming queues other than queue files? >>> (check hidden or . files as well). >>> >>> >>> >> I double checked - the file is never in the queue -just disappeared. >> I also checked the other files also and there are just queue files there. >> I have been trying to come up with a way to track in real time one of >> these messages but I have to coordinate it with an email sender. >> I need to do a list on the queue directory while watching the log >> similar to the -f flag of tail command. >> >> > Are all the queues on the same filesystem? > Under the same mountpoint? 
>
Yes /var/spool/postfix/hold

--
Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet Service
PO Box 135
Liberty Lake, WA 99019
509-927-7837
For technical support visit http://www.ptera.net/support
-----------------------------------------------------------------------------
"This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081204/8dcdf588/attachment.html

From alex at rtpty.com Fri Dec 5 01:17:39 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Dec 5 01:17:57 2008
Subject: Easy Installation Package for ClamAV 0.92.2
In-Reply-To:
References:
Message-ID: <4C898D4B-4871-4C66-AB06-4418F123A422@rtpty.com>

Note: I'm doing this in honor of Julian's work, and not to "upstage" him in any way...

That being said, I'd like to help out by giving you an idea of what *I* would do in order to "roll my own" version of the "easy installation package".

1. Download the one we already have. Unpack.
2. Download clamav-0.94.2 from the Clam website
3. Move the .tar.gz file from step 2 into ./install-Clam-0.94.1-SA-3.2.5/perl-tar/ created by step 1.
4. Edit line 3 to say CLAMAVVERSION=0.94.2
5. Run ./install.sh as usual.

Those of you who *really* know what you're doing may chip in any time...

Cheers,

Alex

PS: You may want, before you run ./install.sh, to remove ./install-Clam-0.94.1-SA-3.2.5/perl-tar/clamav-0.94.1.tar.gz and repackage the thing for use on other servers.

On Dec 4, 2008, at 6:31 PM, Scott Silva wrote:

> on 12-4-2008 12:36 PM Kaplan, Andrew H.
spake the following: >> Hi there -- >> >> ClamAV has version 0.92.2 available for download. Is there an >> expected >> date when the Easy Installation >> package for ClamAV and SpamAssassin will available? Thanks. >> >> The information in this e-mail is intended only for the person to >> whom it is >> addressed. If you believe this e-mail was sent to you in error and >> the e-mail >> contains patient information, please contact the Partners >> Compliance HelpLine at >> http://www.partners.org/complianceline . If the e-mail was sent to >> you in error >> but does not contain patient information, please contact the sender >> and properly >> dispose of the e-mail. >> > I have heard that Julian is ill right now. It might be a few days or > more. > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From Nikolaos.Pavlidis at beds.ac.uk Fri Dec 5 08:52:11 2008 From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Fri Dec 5 08:52:24 2008 Subject: MailScanner + Sys:Syslog problem In-Reply-To: <4938EBBB0200002700026576@gwiadom.oes.beds.ac.uk> References: <493845670200003000016ED7@gwiadom.oes.beds.ac.uk> <4938EBBB0200002700026576@gwiadom.oes.beds.ac.uk> Message-ID: <4938EBBB0200002700026576@gwiadom.oes.beds.ac.uk> Hello Matt, Thank you for your swift reply, the unreasonable thing in this situation is that syslogd is running... and not just running, logging too! (from other sources in this case). 
Regards,

Nik

On Thu, 2008-12-04 at 20:57 +0000, Matt wrote:
> nikolaos pavlidis wrote:
> > [2109] dbg: bayes: files locked, now unlocking lock
> > [2109] dbg: locker: safe_unlock:
> > unlocked /var/spool/MailScanner/spamassassin/bayes.mutex
> > [2109] dbg: learn: initializing learner
> > File checker failed with real error: no connection to syslog available
> > - udp connect: nobody listening
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> You don't appear to have syslog running on localhost
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

--
Nikolaos Pavlidis BSc (Hons) MBCS NCLP
System Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277

From Nikolaos.Pavlidis at beds.ac.uk Fri Dec 5 09:01:50 2008
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis)
Date: Fri Dec 5 09:02:02 2008
Subject: MailScanner + Sys:Syslog problem
In-Reply-To: <4938EDFE0200002700026580@gwiadom.oes.beds.ac.uk>
References: <493825F402000087000233DB@gwiadom.oes.beds.ac.uk> <4938EDFE0200002700026580@gwiadom.oes.beds.ac.uk>
Message-ID: <4938EDFE0200002700026580@gwiadom.oes.beds.ac.uk>

Hello Peter,

Thank you all for the swift replies, I am currently running the latest version of MailScanner (4.73.4-2).

As for netstat no, my syslog is not allowing remote connections to it, since on the Logging section nothing of the sort is mentioned. For the Syslog Socket Type, I have it set to blank as recommended for now.

My belief so far is that there could be trouble with the whole of Sys::Syslog module which is unexpected since it compiles without errors. The perl code example that I tried out with Sys::Syslog works and produces logs on a linux box but won't produce any logs on the Solaris box.
Thank you all again,

Regards,

Nik

On Thu, 2008-12-04 at 19:43 +0100, shuttlebox wrote:
> On Thu, Dec 4, 2008 at 6:25 PM, nikolaos pavlidis
> wrote:
> > File checker failed with real error: no connection to syslog available
> > - udp connect: nobody listening
>
> Syslog in Solaris 10 normally doesn't listen for remote requests. You
> can test with:
>
> # netstat -a | grep syslog
>
> You should get something like this:
>
> *.syslog Idle
>
> Also check your /etc/default/syslogd file for the LOG_FROM_REMOTE
> setting, there's other ways of controlling it as well.
>
> Which version of MailScanner do you use? Since 4.66 you are able to
> try different settings of Syslog Socket Type.
>
> --
> /peter

--
Nikolaos Pavlidis BSc (Hons) MBCS NCLP
System Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277

From Nikolaos.Pavlidis at beds.ac.uk Fri Dec 5 09:19:00 2008
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis)
Date: Fri Dec 5 09:19:14 2008
Subject: MailScanner + Sys:Syslog problem
In-Reply-To: <4938F2040200002700026588@gwiadom.oes.beds.ac.uk>
References: <493825F402000087000233DB@gwiadom.oes.beds.ac.uk> <4938F2040200002700026588@gwiadom.oes.beds.ac.uk>
Message-ID: <4938F2040200002700026588@gwiadom.oes.beds.ac.uk>

Hello again Peter,

You were wise to point out the Syslog Socket Type value! I left it blank and missed it afterwards, I should have tried it already to be honest. The "native" setting works great, although it won't explain why the perl program produced logs on linux and not on Solaris but we are not here to debug that in any case. MS seems to be working great now.

Thank you all again, your help is much appreciated.
Regards, Nik On Thu, 2008-12-04 at 19:43 +0100, shuttlebox wrote: > On Thu, Dec 4, 2008 at 6:25 PM, nikolaos pavlidis > wrote: > > File checker failed with real error: no connection to syslog available > > - udp connect: nobody listening > > Syslog in Solaris 10 normally doesn't listen for remote requests. You > can test with: > > # netstat -a | grep syslog > > You should get something like this: > > *.syslog Idle > > Also check your /etc/default/syslogd file for the LOG_FROM_REMOTE > setting, there's other ways of controlling it as well. > > Which version of MailScanner do you use? Since 4.66 you are able to > try different settings of Syslog Socket Type. > > -- > /peter -- ? Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From MailScanner at ecs.soton.ac.uk Fri Dec 5 09:53:29 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Dec 5 09:53:57 2008 Subject: Easy Installation Package for ClamAV 0.92.2 In-Reply-To: References: Message-ID: <4938FA19.8010104@ecs.soton.ac.uk> It's up there for you now. Sorry for the delay. Jules. On 4/12/08 20:36, Kaplan, Andrew H. wrote: > > Hi there -- > > ClamAV has version 0.92.2 available for download. Is there an expected > date when the Easy Installation > package for ClamAV and SpamAssassin will available? Thanks. > > The information in this e-mail is intended only for the person to whom it is > addressed. If you believe this e-mail was sent to you in error and the e-mail > contains patient information, please contact the Partners Compliance HelpLine at > http://www.partners.org/complianceline . If the e-mail was sent to you in error > but does not contain patient information, please contact the sender and properly > dispose of the e-mail. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! 
Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From gesbbb at yahoo.com Fri Dec 5 12:04:39 2008 From: gesbbb at yahoo.com (Jerry) Date: Fri Dec 5 12:05:01 2008 Subject: clam update In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0907A34@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0907A34@winchester.andrewscompanies.com> Message-ID: <20081205070439.0766b1e3@scorpio> On Wed, 3 Dec 2008 18:10:15 -0500 "Steven Andrews" wrote: >Just noticed one of my boxes saying that 0.94.2 is now out. It has been for awhile. Depending on the version you are presently using, if you do decide to update, be sure to check out the changes to the 'clamd.conf' file. -- Jerry gesbbb@yahoo.com The things that interest people most are usually none of their business. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081205/0619f8b8/signature.bin From alex at rtpty.com Fri Dec 5 16:19:08 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Dec 5 16:19:23 2008 Subject: Easy Installation Package for ClamAV 0.94.2 In-Reply-To: <4938FA19.8010104@ecs.soton.ac.uk> References: <4938FA19.8010104@ecs.soton.ac.uk> Message-ID: <9033DFEE-CF51-42B4-8AC4-433A0F205A2F@rtpty.com> Did the reasoning behind my proposed changes to the script in order to "roll my own" update package make sense? On Dec 5, 2008, at 4:53 AM, Julian Field wrote: > It's up there for you now. Sorry for the delay. > > Jules. > > On 4/12/08 20:36, Kaplan, Andrew H. wrote: >> >> Hi there -- >> >> ClamAV has version 0.92.2 available for download. 
>> Is there an expected date when the Easy Installation
>> package for ClamAV and SpamAssassin will be available? Thanks.
>>
>
> Jules
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From AHKAPLAN at PARTNERS.ORG Fri Dec 5 16:50:07 2008
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Fri Dec 5 16:50:17 2008
Subject: Easy Installation Package for ClamAV 0.92.2
In-Reply-To: <4938FA19.8010104@ecs.soton.ac.uk>
Message-ID:

No apologies necessary...hope you're feeling better, and that all is well.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, December 05, 2008 4:53 AM
To: MailScanner discussion
Subject: Re: Easy Installation Package for ClamAV 0.92.2

It's up there for you now.
Sorry for the delay.

Jules.

On 4/12/08 20:36, Kaplan, Andrew H. wrote:
>
> Hi there --
>
> ClamAV has version 0.92.2 available for download. Is there an expected
> date when the Easy Installation
> package for ClamAV and SpamAssassin will be available? Thanks.
>

Jules

From Denis.Beauchemin at USherbrooke.ca Fri Dec 5 18:25:00 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Dec 5 18:25:16 2008
Subject: Easy Installation Package for ClamAV 0.94.2
In-Reply-To: <9033DFEE-CF51-42B4-8AC4-433A0F205A2F@rtpty.com>
References: <4938FA19.8010104@ecs.soton.ac.uk> <9033DFEE-CF51-42B4-8AC4-433A0F205A2F@rtpty.com>
Message-ID: <493971FC.1070004@USherbrooke.ca>

Alex Neuman van der Hans wrote:
> Did the reasoning behind my proposed changes to the script in order to
> "roll my own" update package make sense?
Alex,

Before I switched to clamd through rpmforge I was doing what you
described. I went one step further and modified the install.sh script so
it would only install Clam and not the other modules by inserting an
"exit" right before the following lines:
> echo
> echo Rebuilding all the Perl modules for your version of Perl
> echo

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From alex at rtpty.com Fri Dec 5 18:35:31 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Dec 5 18:35:45 2008
Subject: Easy Installation Package for ClamAV 0.94.2
In-Reply-To: <493971FC.1070004@USherbrooke.ca>
References: <4938FA19.8010104@ecs.soton.ac.uk> <9033DFEE-CF51-42B4-8AC4-433A0F205A2F@rtpty.com> <493971FC.1070004@USherbrooke.ca>
Message-ID:

Thanks for the tips Denis.

On Dec 5, 2008, at 1:25 PM, Denis Beauchemin wrote:
> Alex Neuman van der Hans wrote:
>> Did the reasoning behind my proposed changes to the script in order
>> to "roll my own" update package make sense?
>
> Alex,
>
> Before I switched to clamd through rpmforge I was doing what you
> described. I went one step further and modified the install.sh
> script so it would only install Clam and not the other modules by
> inserting an "exit" right before the following lines:
>> echo
>> echo Rebuilding all the Perl modules for your version of Perl
>> echo
>
> Denis

From ssilva at sgvwater.com Fri Dec 5 19:18:09 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec 5 19:18:38 2008
Subject: Easy Installation Package for ClamAV 0.92.2
In-Reply-To: <4C898D4B-4871-4C66-AB06-4418F123A422@rtpty.com>
References: <4C898D4B-4871-4C66-AB06-4418F123A422@rtpty.com>
Message-ID:

on 12-4-2008 5:17 PM Alex Neuman van der Hans spake the following:
> Note: I'm doing this in honor of Julian's work, and not to "upstage" him
> in any way...
>
> That being said, I'd like to help out by giving you an idea of what *I*
> would do in order to "roll my own" version of the "easy installation
> package".
>
> 1. Download the one we already have. Unpack.
> 2. Download clamav-0.94.2 from the Clam website
> 3. move the .tar.gz file from step 2 into
> ./install-Clam-0.94.1-SA-3.2.5/perl-tar/ created by step 1.
> 4. Edit line 3 to say CLAMAVVERSION=0.94.2
> 5. Run ./install.sh as usual.
>
> Those of you who *really* know what you're doing may chip in any time...
>
And be prepared for the perl clam module to not work. It has been breaking
almost with every clam release lately.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From paulo-m-roncon at ptinovacao.pt Fri Dec 5 19:34:25 2008
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Fri Dec 5 19:34:38 2008
Subject: Problem with remote restart of service
In-Reply-To: <200812051201.mB5C0QWe025566@safir.blacknight.ie>
References: <200812051201.mB5C0QWe025566@safir.blacknight.ie>
Message-ID:

Hello,

I'm having a problem starting/restarting mailscanner with ssh.
When I do:
ssh root@machine1 /etc/init.d/MailScanner restart
it does restart the service but I have to ctrl+c to get back the bash...
This is a bit of a problem with some remote scripts I have implemented.
This problem doesn't exist in older versions of MailScanner (4.66.5)

Any ideas?

thanks

Paulo Roncon

From ssilva at sgvwater.com Fri Dec 5 19:55:27 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec 5 19:55:49 2008
Subject: Problem with remote restart of service
In-Reply-To:
References: <200812051201.mB5C0QWe025566@safir.blacknight.ie>
Message-ID:

on 12-5-2008 11:34 AM Paulo Roncon spake the following:
> Hello,
>
> I'm having a problem starting/restarting mailscanner with ssh.
> When I do:
> ssh root@machine1 /etc/init.d/MailScanner restart
> it does restart the service but I have to ctrl+c to get back the bash...
> This is a bit of a problem with some remote scripts I have implemented.
> This problem doesn't exist in older versions of MailScanner (4.66.5)
>
> Any ideas?
>
> thanks
>
> Paulo Roncon
>
Would
ssh root@machine1 /etc/init.d/MailScanner restart &
work?

From glenn.steen at gmail.com Fri Dec 5 20:02:59 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec 5 20:03:09 2008
Subject: Problem with remote restart of service
In-Reply-To:
References: <200812051201.mB5C0QWe025566@safir.blacknight.ie>
Message-ID: <223f97700812051202j598a9b53pbe16e34eef2859b@mail.gmail.com>

2008/12/5 Paulo Roncon :
>
> Hello,
>
> I'm having a problem starting/restarting mailscanner with ssh.
> When I do:
> ssh root@machine1 /etc/init.d/MailScanner restart
> it does restart the service but I have to ctrl+c to get back the bash...
> This is a bit of a problem with some remote scripts I have implemented.
> This problem doesn't exist in older versions of MailScanner (4.66.5)
>
> Any ideas?
>
> thanks
>
> Paulo Roncon
>
How long do you wait? There's a fairly substantial sleep in there...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alex at rtpty.com Sat Dec 6 01:15:51 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sat Dec 6 01:16:14 2008
Subject: Easy Installation Package for ClamAV 0.92.2
In-Reply-To:
References: <4C898D4B-4871-4C66-AB06-4418F123A422@rtpty.com>
Message-ID: <82FEAA46-08CA-4C0D-9D95-F24524203377@rtpty.com>

I've been switching to clamd for some time now, but it's definitely
something to watch out for.

On Dec 5, 2008, at 2:18 PM, Scott Silva wrote:
> on 12-4-2008 5:17 PM Alex Neuman van der Hans spake the following:
>> Note: I'm doing this in honor of Julian's work, and not to
>> "upstage" him in any way...
>>
>> That being said, I'd like to help out by giving you an idea of what
>> *I* would do in order to "roll my own" version of the "easy
>> installation package".
>>
>> 1. Download the one we already have. Unpack.
>> 2. Download clamav-0.94.2 from the Clam website
>> 3. move the .tar.gz file from step 2 into
>> ./install-Clam-0.94.1-SA-3.2.5/perl-tar/ created by step 1.
>> 4. Edit line 3 to say CLAMAVVERSION=0.94.2
>> 5. Run ./install.sh as usual.
>>
>> Those of you who *really* know what you're doing may chip in any
>> time...
>>
> And be prepared for the perl clam module to not work. It has been
> breaking almost with every clam release lately.

From ramiblanco at gmail.com Sat Dec 6 01:18:32 2008
From: ramiblanco at gmail.com (Ramiro Blanco)
Date: Sat Dec 6 01:18:41 2008
Subject: MailScanner restarts continuosly after OOM
Message-ID: <713aecdf0812051718p24645e74kcac87e6289a2bd9e@mail.gmail.com>

Hi, yesterday I had to deactivate MailScanner and move the queue
manually (with postsuper -r ALL) from the postfix "hold" queue. The
problem was that MailScanner stopped processing mails, after checking
logs I found that it was restarting all the time so I proceeded to
start it manually by issuing MailScanner --debug and there I saw that
the problem was "Out of memory". Weird as the server has memory left, no
swap used and doesn't process a huge amount of mails per day. I've tried
to set "Max Children = 5" and even "Max Children = 1", but it made no
difference...
Here you have more details of my setup and the info I found on logs and
the output of MailScanner --debug:

OS: Centos 5.1
CPU: AMD X2 3600
MEM: 4gb DDR2
HDD: SATA 160 Gb, 119 Gb Available (13% used)

[root@host ~]#cat /var/log/maillog
Dec 4 01:00:29 host MailScanner[4400]: MailScanner E-Mail Virus Scanner version 4.71.10 starting...
Dec 4 01:00:29 host MailScanner[4400]: Read 848 hostnames from the phishing whitelist
Dec 4 01:00:29 host MailScanner[4400]: Read 7732 hostnames from the phishing blacklist
Dec 4 01:00:29 host MailScanner[4400]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Dec 4 01:00:29 host MailScanner[4400]: Using SpamAssassin results cache
Dec 4 01:00:29 host MailScanner[4400]: Connected to SpamAssassin cache database
Dec 4 01:00:29 host MailScanner[4400]: Enabling SpamAssassin auto-whitelist functionality...
Dec 4 01:00:31 host MailScanner[4400]: I have found clamav scanners installed, and will use them all by default.
Dec 4 01:00:31 host MailScanner[4400]: Using locktype = flock
Dec 4 01:00:31 host MailScanner[4400]: New Batch: Found 766 messages waiting
Dec 4 01:00:31 host MailScanner[4400]: New Batch: Scanning 30 messages, 180845 bytes
Dec 4 01:00:31 host MailScanner[4400]: SpamAssassin cache hit for message DEEC61728429.576CB
Dec 4 01:00:31 host MailScanner[4400]: SpamAssassin cache hit for message 836DA172841E.1F065
Dec 4 01:00:31 host MailScanner[4400]: SpamAssassin cache hit for message 7C9EF1728485.3D237
Dec 4 01:00:31 host MailScanner[4400]: SpamAssassin cache hit for message BC4F11728469.8E5BA
...
Dec 4 01:00:31 host MailScanner[4400]: SpamAssassin cache hit for message 99FA617284C4.82E51
Dec 4 01:00:34 host MailScanner[4441]: MailScanner E-Mail Virus Scanner version 4.71.10 starting...
Dec 4 01:00:34 host MailScanner[4441]: Read 848 hostnames from the phishing whitelist
Dec 4 01:00:34 host MailScanner[4441]: Read 7732 hostnames from the phishing blacklist
Dec 4 01:00:34 host MailScanner[4441]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Dec 4 01:00:34 host MailScanner[4441]: Using SpamAssassin results cache
Dec 4 01:00:34 host MailScanner[4441]: Connected to SpamAssassin cache database
Dec 4 01:00:34 host MailScanner[4441]: Enabling SpamAssassin auto-whitelist functionality...
Dec 4 01:00:36 host MailScanner[4441]: I have found clamav scanners installed, and will use them all by default.
Dec 4 01:00:36 host MailScanner[4441]: Using locktype = flock
Dec 4 01:00:36 host MailScanner[4441]: New Batch: Found 766 messages waiting
Dec 4 01:00:36 host MailScanner[4441]: New Batch: Scanning 30 messages, 180845 bytes
Dec 4 01:00:36 host MailScanner[4441]: SpamAssassin cache hit for message 4F368172848D.9F379
Dec 4 01:00:36 host MailScanner[4441]: SpamAssassin cache hit for message 1A3211728443.A9C4E
Dec 4 01:00:36 host MailScanner[4441]: SpamAssassin cache hit for message F058317284CF.7716C
Dec 4 01:00:36 host MailScanner[4441]: SpamAssassin cache hit for message DEEC61728429.63AAA

[root@host ~]#MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...
Have a batch of 30 messages.
max message size is '200k'
max message size is '200k'
max message size is '200k'
max message size is '200k'
max message size is '200k'
max message size is '200k'
...
max message size is '200k'
max message size is '200k'
max message size is '200k'
Out of memory!

Cheers,

--
Ramiro Blanco

From hvdkooij at vanderkooij.org Sat Dec 6 09:54:49 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Dec 6 09:54:58 2008
Subject: MailScanner restarts continuosly after OOM
In-Reply-To: <713aecdf0812051718p24645e74kcac87e6289a2bd9e@mail.gmail.com>
References: <713aecdf0812051718p24645e74kcac87e6289a2bd9e@mail.gmail.com>
Message-ID: <493A4BE9.6090302@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ramiro Blanco wrote:
> Hi, yesterday i had to deactivate MailScanner and move the queue
> manually (with postsuper -r ALL) from the postfix "hold" queue.
> The problem was that MailScanner stopped processing mails, after checking
> logs i found that it was restarting all the time so i proceeded to
> start it manually by issuing MailScanner --debug and there i saw that
> the problem was "Out of memory". Weird as the server has memory left, no
> swap used and doesn't process a huge amount of mails per day. I've tried
> to set "Max Children = 5" and even "Max Children = 1", but it made no
> difference...
> Here you have more details of my setup and the info i found on logs and
> the output of MailScanner --debug:
>
> OS: Centos 5.1
> CPU: AMD X2 3600
> MEM: 4gb DDR2
> HDD: SATA 160 Gb, 119 Gb Available (13% used)

Centos 5.1 indicates that not all the latest patches are applied. I
guess it is a rogue message eating away memory due to a perl bug.

Check out the other related threads on this mailing list of the last
few weeks.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJOkvnBvzDRVjxmYERAmksAJ9GfWsDeMY1BmzPdKsnli5jfByOMwCeJts/
n6RqPnnuLMZMVSL4vKZ3xeM=
=gLiU
-----END PGP SIGNATURE-----

From paul at welshfamily.com Sat Dec 6 12:59:51 2008
From: paul at welshfamily.com (Paul Welsh)
Date: Sat Dec 6 13:00:12 2008
Subject: MailScanner Gold Production yum repository released
In-Reply-To: <200810310913.m9V9D4rN010151@safir.blacknight.ie>
Message-ID: <200812061300.mB6D04nq017980@safir.blacknight.ie>

> -----Original Message-----
> From: mailscanner-announce-bounces@lists.mailscanner.info
> [mailto:mailscanner-announce-bounces@lists.mailscanner.info]
> On Behalf Of Julian Field
> Sent: 02 December 2008 18:48
> To: MailScanner-Announce mailing list list
> Subject: MailScanner Gold Production yum repository released
>
> We're very happy to announce the availability of our new MailScanner
> Gold Production yum repository subscription service for Red Hat and
> CentOS 5.x operating systems. This FSL yum repository system provides
> all of the 70+ applications and Perl modules required to install and
> maintain MailScanner, SpamAssassin, ClamAV, Razor, DCC and a
> MySQL Bayes
> database in easy to use rpm formats.

Has anyone tried this? I was expecting some comments on this list but
haven't seen any since the release announcement. Personally, I've not had
problems with "Perl module dependency problems" but perhaps I've just been
lucky. Upgrading MailScanner can be a bit time consuming having to rejig
MailScanner.conf with new settings etc but presumably if new settings are
added in a release I'll still have to do this - the yum repository can't
make the changes for me.

Mailwatch is something I've had issues with in the past so having this in
the repository would have been good. From what I can see though, it isn't
included.
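
The restart loop in Ramiro Blanco's maillog excerpt above (a new worker PID seconds after the last, the same 766 messages waiting, the same queue ID scanned again) can be picked out of a log mechanically. The following is an added example, not code from the list or from MailScanner; the function names, the 60-second window, the `year` argument (syslog stamps carry none) and the embedded sample, abridged from that excerpt, are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: lines abridged from the maillog excerpt in the thread.
SAMPLE_LOG = """\
Dec 4 01:00:29 host MailScanner[4400]: MailScanner E-Mail Virus Scanner version 4.71.10 starting...
Dec 4 01:00:31 host MailScanner[4400]: New Batch: Found 766 messages waiting
Dec 4 01:00:31 host MailScanner[4400]: New Batch: Scanning 30 messages, 180845 bytes
Dec 4 01:00:31 host MailScanner[4400]: SpamAssassin cache hit for message DEEC61728429.576CB
Dec 4 01:00:31 host MailScanner[4400]: SpamAssassin cache hit for message 836DA172841E.1F065
Dec 4 01:00:34 host MailScanner[4441]: MailScanner E-Mail Virus Scanner version 4.71.10 starting...
Dec 4 01:00:36 host MailScanner[4441]: New Batch: Found 766 messages waiting
Dec 4 01:00:36 host MailScanner[4441]: New Batch: Scanning 30 messages, 180845 bytes
Dec 4 01:00:36 host MailScanner[4441]: SpamAssassin cache hit for message 4F368172848D.9F379
Dec 4 01:00:36 host MailScanner[4441]: SpamAssassin cache hit for message DEEC61728429.63AAA
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")
WAITING_RE = re.compile(r"New Batch: Found (\d+) messages waiting")
# Queue ID is the part before the dot; the suffix differs on every scan.
QUEUE_ID_RE = re.compile(r"for message ([0-9A-F]+)\.[0-9A-F]+")


@dataclass
class Worker:
    pid: int
    started: datetime                      # time of the first line seen for this PID
    waiting: list = field(default_factory=list)   # "Found N messages waiting" values
    queue_ids: set = field(default_factory=set)   # queue IDs this worker touched


def parse_workers(text, year=2008):
    """Group MailScanner syslog lines by worker PID (PID reuse is not handled)."""
    workers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        worker = workers.setdefault(pid, Worker(pid, when))
        found = WAITING_RE.search(msg)
        if found:
            worker.waiting.append(int(found.group(1)))
        qid = QUEUE_ID_RE.search(msg)
        if qid:
            worker.queue_ids.add(qid.group(1))
    return workers


def find_restart_loop(workers, window=60):
    """Flag worker pairs where the later one started within `window` seconds,
    saw a backlog that had not shrunk, and re-scanned a message the earlier
    one had already picked up: the earlier worker died mid-batch."""
    ordered = sorted(workers.values(), key=lambda w: w.started)
    findings = []
    for i, cur in enumerate(ordered):
        for prev in ordered[:i]:
            gap = (cur.started - prev.started).total_seconds()
            rescanned = sorted(prev.queue_ids & cur.queue_ids)
            stuck = bool(prev.waiting and cur.waiting
                         and cur.waiting[0] >= prev.waiting[-1])
            if gap <= window and rescanned and stuck:
                findings.append({"pids": (prev.pid, cur.pid),
                                 "gap_seconds": int(gap),
                                 "waiting": cur.waiting[0],
                                 "rescanned": rescanned})
    return findings


if __name__ == "__main__":
    for f in find_restart_loop(parse_workers(SAMPLE_LOG)):
        print(f"workers {f['pids']} {f['gap_seconds']}s apart, backlog stuck at "
              f"{f['waiting']}, re-scanned: {', '.join(f['rescanned'])}")
```

A queue ID that keeps reappearing across worker PIDs is the message to pull out of the hold queue and inspect first.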

From steve at fsl.com Sat Dec 6 16:33:57 2008
From: steve at fsl.com (Stephen Swaney)
Date: Sat Dec 6 16:34:13 2008
Subject: MailScanner Gold Production yum repository released
In-Reply-To: <200812061300.mB6D04nq017980@safir.blacknight.ie>
References: <200812061300.mB6D04nq017980@safir.blacknight.ie>
Message-ID: <493AA975.5050505@fsl.com>

Paul Welsh wrote:
>> -----Original Message-----
>> From: mailscanner-announce-bounces@lists.mailscanner.info
>> [mailto:mailscanner-announce-bounces@lists.mailscanner.info]
>> On Behalf Of Julian Field
>> Sent: 02 December 2008 18:48
>> To: MailScanner-Announce mailing list list
>> Subject: MailScanner Gold Production yum repository released
>>
>> We're very happy to announce the availability of our new MailScanner
>> Gold Production yum repository subscription service for Red Hat and
>> CentOS 5.x operating systems. This FSL yum repository system provides
>> all of the 70+ applications and Perl modules required to install and
>> maintain MailScanner, SpamAssassin, ClamAV, Razor, DCC and a
>> MySQL Bayes
>> database in easy to use rpm formats.
>>
>
> Has anyone tried this? I was expecting some comments on this list but
> haven't seen any since the release announcement. Personally, I've not had
> problems with "Perl module dependency problems" but perhaps I've just been
> lucky. Upgrading MailScanner can be a bit time consuming having to rejig
> MailScanner.conf with new settings etc but presumably if new settings are
> added in a release I'll still have to do this - the yum repository can't
> make the changes for me.
>
> Mailwatch is something I've had issues with in the past so having this in
> the repository would have been good. From what I can see though, it isn't
> included.
>
Paul,

We have over 20 subscribers to the Fsl-mailscanner-beta list (free) and
paid subscriptions are coming in at a faster rate than we had anticipated.
The whole intent of this product is to simplify the installation and
maintenance of a MailScanner gateway. By doing so we're hoping to
attract new users who might accept a simpler approach to installing and
running a MailScanner gateway and to simplify life for more experienced
users. My guess is that it's about 50-50; 50% less experienced Linux
users and 50% pros who prefer the convenience of running fully rpm
systems.

MailWatch version 2 will be out soon. It's part of our DefenderMX 2.0
product that's in initial testing right now. The rpm version of
MailWatch 2.0 will be available as part of the MailScanner Gold
subscription as soon as it's released.

Best regards,

Steve

Steve Swaney
steve@fsl.com
Cell: 202 352.3262
Office: 202 595.7760, ext 601
www.fsl.com

From MailScanner at ecs.soton.ac.uk Sun Dec 7 19:43:53 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Dec 7 19:44:15 2008
Subject: MailScanner Gold Production yum repository released
In-Reply-To: <200812061300.mB6D04nq017980@safir.blacknight.ie>
References: <200812061300.mB6D04nq017980@safir.blacknight.ie>
Message-ID: <493C2779.6030008@ecs.soton.ac.uk>

On 6/12/08 12:59, Paul Welsh wrote:
>> -----Original Message-----
>> From: mailscanner-announce-bounces@lists.mailscanner.info
>> [mailto:mailscanner-announce-bounces@lists.mailscanner.info]
>> On Behalf Of Julian Field
>> Sent: 02 December 2008 18:48
>> To: MailScanner-Announce mailing list list
>> Subject: MailScanner Gold Production yum repository released
>>
>> We're very happy to announce the availability of our new MailScanner
>> Gold Production yum repository subscription service for Red Hat and
>> CentOS 5.x operating systems. This FSL yum repository system provides
>> all of the 70+ applications and Perl modules required to install and
>> maintain MailScanner, SpamAssassin, ClamAV, Razor, DCC and a
>> MySQL Bayes
>> database in easy to use rpm formats.
>>
>
> Has anyone tried this?
> I was expecting some comments on this list but
> haven't seen any since the release announcement. Personally, I've not had
> problems with "Perl module dependency problems" but perhaps I've just been
> lucky. Upgrading MailScanner can be a bit time consuming having to rejig
> MailScanner.conf with new settings etc but presumably if new settings are
> added in a release I'll still have to do this - the yum repository can't
> make the changes for me.
>
upgrade_MailScanner_conf already does that bit for you. The yum
repository does it automatically, whereas you have to run the command by
hand if you don't use the repository. You don't need to do all the
settings merging yourself, that would be a horrendous job to do by hand!
:-(

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From hvdkooij at vanderkooij.org Sun Dec 7 22:45:11 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Dec 7 22:45:21 2008
Subject: Apply RBL to X-Originating-IP: header
Message-ID: <493C51F7.8080901@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Hotmail adds the IP address of the sender to the headers like this:
X-Originating-IP: [79.185.246.69]

Has someone written some code to match this against RBL's or even
country lists?

I do not think anyone in the family is expecting a hotmail user to be in
Poland at the moment so I could have killed this message.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJPFH1BvzDRVjxmYERAglWAJ4+2ygNfWljeGOH1dFTxGg7k8XU0ACdFpRZ
r9fi6eR1tCtH4Fsqsi/sxtE=
=o+hF
-----END PGP SIGNATURE-----

From steve.freegard at fsl.com Mon Dec 8 00:00:29 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Dec 8 00:00:40 2008
Subject: Apply RBL to X-Originating-IP: header
In-Reply-To: <493C51F7.8080901@vanderkooij.org>
References: <493C51F7.8080901@vanderkooij.org>
Message-ID: <493C639D.3050508@fsl.com>

Hi Hugo,

Hugo van der Kooij wrote:
> Hi,
>
> Hotmail adds the IP address of the sender to the headers like this:
> X-Originating-IP: [79.185.246.69]
>
> Has some written some code to match this against RBL's or even country
> lists?

SA does this by default - in EvalTests.pm

  for my $header ('X-Originating-IP', 'X-Apparently-From') {
    my $str = $self->get($header);
    next unless $str;
    push (@originating, ($str =~ m/($IP_ADDRESS)/g));
  }

Cheers,
Steve.

From lists at rheel.co.nz Mon Dec 8 00:36:09 2008
From: lists at rheel.co.nz (Lists)
Date: Mon Dec 8 00:34:41 2008
Subject: MailScanner Reload error
In-Reply-To: <72cf361e0812040021l24ba1f35lebd751d4c668e86b@mail.gmail.com>
References: <49359B3A.3020202@rheel.co.nz> <49373288.3090300@rheel.co.nz> <72cf361e0812040021l24ba1f35lebd751d4c668e86b@mail.gmail.com>
Message-ID: <493C6BF9.8020304@rheel.co.nz>

Martin Hepworth wrote:
> 2008/12/4 Lists :
>
>> Alex Neuman van der Hans wrote:
>>
>>> Only if it was supposed to be running in the first place. It's basically
>>> saying "Hey, I tried going through the list of process id (pid) numbers on
>>> this text file to tell the MailScanner processes to reload, but one (or
>>> more) of them aren't there!".
>>>
>>> On Dec 2, 2008, at 3:31 PM, Lists wrote:
>>>
>>>> Reloading MailScanner workers:
>>>> MailScanner: kill -10449: No such process
>>>> kill 9570: No such process
>>>>
>>>> Does this indicate an error that I need to sort out?
>>>>
>> MailScanner is definitely running at the time I do the reload so it's a
>> problem that it's not finding the process to reload isn't it?
>> Kate
>>
>
> kate
> do the processes with those id's actually exist or has mailscanner got
> itself confused somewhere. I guess a ps before and after the reload to
> check.
>
I did a MailScanner restart and it cleared up the problem - Must have
been due to the upgrade I guess.
Thanks
Kate

From mailwatch.kp at gmail.com Mon Dec 8 11:39:22 2008
From: mailwatch.kp at gmail.com (vinayan KP)
Date: Mon Dec 8 11:39:31 2008
Subject: Spam assassin timeouts
Message-ID: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com>

Hello,

We use a mailscanner installed almost three years ago and was working
perfectly till last week detecting and tagging each and every spam
mail correctly and letting only genuine mails untagged.

Since last week I could see each user is getting a lot of spam mails
without getting tagged as {Spam?} and I could see from the log the
following lines.

Dec 8 16:54:13 fedora MailScanner[2162]: SpamAssassin timed out (with no network checks) and was killed, failure 16 of 20
Dec 8 16:54:13 fedora MailScanner[2087]: SpamAssassin timed out (with no network checks) and was killed, failure 19 of 20
Dec 8 16:54:18 fedora MailScanner[2050]: SpamAssassin timed out (with no network checks) and was killed, failure 13 of 20
Dec 8 16:54:21 fedora MailScanner[2230]: SpamAssassin timed out (with no network checks) and was killed, failure 15 of 20

I can not see the lines in the mail header that used to be earlier
showing the RBLs spamassassin checked and the score from each list
now.

Could someone help me with some idea/hints.

Thanks in advance

Vinayan

From maxsec at gmail.com Mon Dec 8 12:06:06 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Dec 8 12:06:15 2008
Subject: Spam assassin timeouts
In-Reply-To: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com>
References: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com>
Message-ID: <72cf361e0812080406w5d64fbcera96bdb945f79ba19@mail.gmail.com>

2008/12/8 vinayan KP :
> Hello,
>
> We use a mailscanner installed almost three years ago and was working
> perfectly till last week detecting and tagging each and every spam
> mail correctly and letting only genuine mails untagged.
>
> Since last week I could see each user is getting a lot of spam mails
> with out getting tagged as {Spam?} and I could see from the log the
> following lines.
>
> Dec 8 16:54:13 fedora MailScanner[2162]: SpamAssassin timed out (with no network checks) and was killed, failure 16 of 20
> Dec 8 16:54:13 fedora MailScanner[2087]: SpamAssassin timed out (with no network checks) and was killed, failure 19 of 20
> Dec 8 16:54:18 fedora MailScanner[2050]: SpamAssassin timed out (with no network checks) and was killed, failure 13 of 20
> Dec 8 16:54:21 fedora MailScanner[2230]: SpamAssassin timed out (with no network checks) and was killed, failure 15 of 20
>
> I can not see the lines in the mail header that used to be earlier
> showing the RBLs spamassassin checked and the score from each list
> now.
>
> Could someone help me with some idea/hints.
>
> Thanks in advance
>
> Vinayan
>

Spamassassin timeouts are usually down to SA RBLs (and URIrbls) taking
too long.

Make sure you are using only RBL's you want (give others a zero score in
spam.assassin.prefs.conf) and make sure you are running all the latest
versions of MS and SA.

A local caching nameserver on the mailscanner machine helps a lot as well.

--
Martin Hepworth
Oxford, UK

From ram at netcore.co.in Mon Dec 8 12:39:26 2008
From: ram at netcore.co.in (ram)
Date: Mon Dec 8 12:39:40 2008
Subject: Spam assassin timeouts
In-Reply-To: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com>
References: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com>
Message-ID: <1228739966.12079.75.camel@darkstar.netcore.co.in>

On Mon, 2008-12-08 at 17:09 +0530, vinayan KP wrote:
> Hello,
>
> We use a mailscanner installed almost three years ago and was working
> perfectly till last week detecting and tagging each and every spam
> mail correctly and letting only genuine mails untagged.
>
> Since last week I could see each user is getting a lot of spam mails
> with out getting tagged as {Spam?} and I could see from the log the
> following lines.
>
> Dec 8 16:54:13 fedora MailScanner[2162]: SpamAssassin timed out (with
> no network checks) and was killed, failure 16 of 20
> Dec 8 16:54:13 fedora MailScanner[2087]: SpamAssassin timed out (with
> no network checks) and was killed, failure 19 of 20
> Dec 8 16:54:18 fedora MailScanner[2050]: SpamAssassin timed out (with
> no network checks) and was killed, failure 13 of 20
> Dec 8 16:54:21 fedora MailScanner[2230]: SpamAssassin timed out (with
> no network checks) and was killed, failure 15 of 20

Look up this list archive .. this has been asked multiple times here.
Usually it is DNS, but you seem to have these tests off already.

* Did you check your Bayes size
* What is the h/w configuration on this server and what is the traffic
  (Remember h/w is usually much cheaper than wasting too much time trying to diagnose a load issue unless it is obvious)

Anyway, when your machine starts timing out SA, run

spamassassin -D -t < /path/somemail.eml 2>&1 | tee /tmp/sa_timeout.log

The logfile should give you enough inputs, else post it here

From MailScanner at ecs.soton.ac.uk Mon Dec 8 14:55:01 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Dec 8 14:55:21 2008
Subject: Easy Installation Package for ClamAV 0.92.2
In-Reply-To:
References: <4C898D4B-4871-4C66-AB06-4418F123A422@rtpty.com>
Message-ID: <493D3545.9070209@ecs.soton.ac.uk>

On 5/12/08 19:18, Scott Silva wrote:
> on 12-4-2008 5:17 PM Alex Neuman van der Hans spake the following:
>
>> Note: I'm doing this in honor of Julian's work, and not to "upstage" him
>> in any way...
>>
>> That being said, I'd like to help out by giving you an idea of what *I*
>> would do in order to "roll my own" version of the "easy installation
>> package".
>>
>> 1. Download the one we already have. Unpack.
>> 2. Download clamav-0.94.2 from the Clam website
>> 3. move the .tar.gz file from step 2 into
>> ./install-Clam-0.94.1-SA-3.2.5/perl-tar/ created by step 1.
>> 4. Edit line 3 to say CLAMAVVERSION=0.94.2
>> 5. Run ./install.sh as usual.
>>
>> Those of you who *really* know what you're doing may chip in any time...
>>
>>
> And be prepared for the perl clam module to not work. It has been breaking
> almost with every clam release lately.
>

I have updated the ClamAV+SA package to include a patch to Mail::ClamAV (as used by the scanner "clamavmodule") which lets it work with 0.94.x.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Dec 8 15:00:27 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Dec 8 15:00:47 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <87tz9kho6h.fsf@hp-factory.de>
References: <87tz9kho6h.fsf@hp-factory.de>
Message-ID: <493D368B.30409@ecs.soton.ac.uk>

Send me mail from a badly setup domain, and you better not be surprised when I don't accept it. The RFC makes it very clear that MX records can only point to A records and not to CNAME records. Get your DNS fixed and I will happily accept your mail.
:-)

On 3/12/08 22:46, Simon Walter wrote:
> Hi,
>
> I send this through the mailinglist because I can't send it to
> Julian directly because of the following:
>
> mailscanner@ecs.soton.ac.uk
> SMTP error from remote mail server after MAIL FROM::
> host mx.ecs.soton.ac.uk [152.78.68.137]: 553 5.1.8 sender from hp-factory.de MX invalid #439 (kB2Lcm295123146500)
>
> I don't know what's causing this...
>
> Anyway, here is the mail in which some of you should be interested too.
>
> -------------------- Start of forwarded message --------------------
> To: Mark Purcell
> Cc: 506353@bugs.debian.org, Raphael Geissert, mailscanner@ecs.soton.ac.uk
> BCC: control@bugs.debian.org
> Subject: Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
> X-Draft-From: ("nnml:debian.bugs" 284)
> References:<200811201524.52353.atomo64@gmail.com>
> <200812032338.02957.msp@debian.org>
> From: Simon Walter
> Date: Wed, 03 Dec 2008 22:28:09 +0100
> In-Reply-To:<200812032338.02957.msp@debian.org> (Mark Purcell's message of "Wed\, 3 Dec 2008 23\:38\:02 +1100")
> Message-ID:<877i6hhrti.fsf@hp-factory.de>
> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
> Lines: 51
> Xref: tharlab others.sent:737
>
>
> package mailscanner
> tags 506353 help upstream confirmed
> thanks
>
> Hello,
>
> Mark Purcell writes:
>
>> On Friday 21 November 2008 08:24:46 Raphael Geissert wrote:
>>
>>> I'm using severity grave as this package should definitely not be shipped
>>> in any release as is.
>>>
>> Simon,
>>
>> This RC bug was reported almost two weeks ago without any comment from you.
>>
>> Are you in a position to investigate and propose a way forward for your
>> package in lenny?
>>
>
> I have looked at the code-segments Raphael pointed out and I
> totally agree with him. In the current state the package should not be part of
> the lenny release.
>
> I'm in no position to fix all this. I'm not familiar enough with the
> MailScanner sourcecode and I'm not able to test the changes I would
> have to make, in particular to all the virusscanner scripts.
>
>
> I have put Julian Field (upstream author) in CC to inform him about
> all this. (@Julian: the full bugreport is here [1])
>
> If he is willing and able to fix the problems in a feature
> release before lenny is released I will try to backport the fixes to
> the current package in lenny.
>
>
> Otherwise this package should be removed.
>
>
> I'm also wondering why [2] marks CVE-2008-5140 as fixed for
> sid+lenny. It claims the bug was fixed with 4.57.6-1, but there is no
> difference between 4.55.10-3 and 4.57.6-1.
>
> Sorry for the late reply.
>
>

Jules

From alex at rtpty.com Mon Dec 8 23:15:50 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Dec 8 23:16:15 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <493D368B.30409@ecs.soton.ac.uk>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk>
Message-ID: <7B7080D2-7D27-48EF-AD1E-E96C75FD267B@rtpty.com>

Reminds me of a biblical reference about something in one's eye... ;-)

On Dec 8, 2008, at 10:00 AM, Julian Field wrote:
> Send me mail from a badly setup domain, and you better not be
> surprised when I don't accept it. The RFC makes it very clear that
> MX records can only point to A records and not to CNAME records.
> Get your DNS fixed and I will happily accept your mail.
> :-)
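
The bug class named in this thread's subject line (a script writes to a guessable path that a local user has already created as a symlink) is shown here next to a hardened form. This is an added example, not MailScanner's code and not the fix from the Debian report; the function names, file names and sandbox layout are hypothetical.

```shell
#!/bin/sh
# Added example, not MailScanner code. All names (scanner-report, spool,
# victim.conf) are hypothetical and everything runs inside a private sandbox.

# UNSAFE: the name is a fixed prefix plus the shell's PID, so it can be
# predicted, and ">" follows whatever already exists at that path. If the
# path is a symlink, the data lands in the symlink's target.
write_report_unsafe() {
    dir=$1
    data=$2
    tmp="$dir/scanner-report.$$"
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# SAFER: mktemp picks an unpredictable name and creates the file itself
# (exclusive create, mode 0600), so an existing file or symlink is never reused.
# Testing the path with [ -L ... ] before writing is not a fix, because the
# path can be replaced between the test and the write. Keeping work files in a
# directory only the service account can write to removes the exposure.
write_report_safe() {
    dir=$1
    data=$2
    tmp=$(mktemp "$dir/scanner-report.XXXXXXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed scenario: the predictable path already exists as a symlink to
# another file. Prints "<victim content after unsafe>|<after safe>".
symlink_demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim.conf"
    spool="$sandbox/spool"
    mkdir "$spool"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$spool/scanner-report.$$"

    write_report_unsafe "$spool" "scan output" > /dev/null
    unsafe_result=$(cat "$victim")

    printf 'original\n' > "$victim"     # reset the victim file for the second run
    write_report_safe "$spool" "scan output" > /dev/null
    safe_result=$(cat "$victim")

    rm -rf "$sandbox"
    printf '%s|%s\n' "$unsafe_result" "$safe_result"
}

symlink_demo
```
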
From rvdmerwe at mhg.co.za Tue Dec 9 07:52:14 2008
From: rvdmerwe at mhg.co.za (Rabie Van der Merwe)
Date: Tue Dec 9 08:13:12 2008
Subject: Increased load
In-Reply-To: <3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com>
References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com><492C7BAD.5090708@vanderkooij.org><3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com><223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> <3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com>
Message-ID: <7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za>

I did apply the updated Message.pm file I am however still seeing the increased load on the server compared to versions 4.69.9-3 and prior.

My 2 servers run at around lavg of 0.8, since first updating the one server then the other (can correlate this on my load graphs) the load now is around 1.5-2.

Unfortunately I didn't have the MailScanner performance logging enabled previously so I can't compare the internal runtimes to then.

I am running 12 children on a 4 way box with 4096Mb ram with incoming area in tmpfs on CentOS 5.2 x86_64. Looking at my graphs I can see an increase in my CPU User time, CPU System time increased slightly but IOWait seem relatively the same. I am also running ClamAV module 0.22 with ClamAV 0.94.

I could revert to an older build of MailScanner to test, but there is a compatibility issue with CLamAv? Or will ClamAV module handle that?

Let me know if there is anything else I can provide.

Regards
Rabie

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rabie Van der Merwe
Sent: 26 November 2008 13:18 PM
To: MailScanner discussion
Subject: RE: Increased load

I recently joined the mailing list, could someone repost the file or let me know what the subject of the message was as I can't search through the mailing list.

Regards
Rabie

PS BAD CPU!! Down, down boy, staaay ! :)

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 26 November 2008 10:54 AM
To: MailScanner discussion
Subject: Re: Increased load

2008/11/26 Rabie Van der Merwe :
>
> Yip CPU utilization is defiantly up.
>
Well, you need be strict with it then.... Tell it to be less defiant!!!:-):-):-)... (as if that would help:-)

Seriously though, if you are using 4.72.5 you might need the latest Message.pm fix that Jules posted, or else you would see the children start to loop on some specific messages... Notably, the busy MailScanner child will report "cleaning messages" as commandline in "ps"... and never leave that state.
Solutions would be:
- get a hold of the fixed Message.pm and drop that into place (restart MS after that), or
- revert to 4.71, or
- wait for Jules to post a new release with the fix incorporated (there just might be a new beta around the corner:-).

Cheers
--
-- Glenn

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo
> van der Kooij
> Sent: 26 November 2008 00:27 AM
> To: MailScanner discussion
> Subject: Re: Increased load
>
> Rabie Van der Merwe wrote:
>>
>> Can anyone think of a reason why moving from 4.69.9-3 to any of the
>> later versions would increase the load on the server? I have 2 servers
>> running MailScanner and my avg load went from 2 to 4 since the upgrade
>> on both boxes.
>
> Well load in itself should not be an issue. Is the average CPU usage
> significantly higher? (Use vmstat to find out.)
>
> Hugo.
>
> --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> I am not in the office at the moment. Send any work to be translated.
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

**********************************************************************
---------
NOTICE
---------

This message (including attachments) contains privileged and confidential information intended only for the person or entity to which it is addressed.

Any review, retransmission, dissemination, copy or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is prohibited.

If you received this message in error, please notify the sender immediately by e-mail, facsimile or telephone and thereafter delete the material from any computer.

Metropolitan Health Group, its subsidiaries or associates, does not accept liability for any personal views expressed in this message.

Metropolitan Health Group
PO Box 4313 Cape Town 8000 Tel: (021) 480 4511 Fax: (021) 480 4535
www.mhg.co.za

**********************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081209/8e6467eb/attachment.html

From maxsec at gmail.com Tue Dec 9 08:38:17 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Dec 9 08:38:26 2008
Subject: Increased load
In-Reply-To: <7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za>
References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> <492C7BAD.5090708@vanderkooij.org> <3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> <3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com> <7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za>
Message-ID: <72cf361e0812090038u1d2f67fcw952702323dfdb000@mail.gmail.com>

2008/12/9 Rabie Van der Merwe :
>
> I did apply the updated Message.pm file I am however still seeing the
> increased load on the server compared to versions 4.69.9-3 and prior.
>
> My 2 servers run at around lavg of 0.8, since first updating the one
> server then the other (can correlate this on my load graphs) the load
> now is around 1.5-2.
>
> Unfortunately I didn't have the MailScanner performance logging enabled
> previously so I can't compare the internal runtimes to then.
>
> I am running 12 children on a 4 way box with 4096Mb ram with incoming
> area in tmpfs on CentOS 5.2 x86_64.
> Looking at my graphs I can see an
> increase in my CPU User time, CPU System time increased slightly but
> IOWait seem relatively the same. I am also running ClamAV module 0.22
> with ClamAV 0.94.
>
> I could revert to an older build of MailScanner to test, but there is a
> compatibility issue with CLamAv? Or will ClamAV module handle that?
>
> Let me know if there is anything else I can provide.
>
> Regards
> Rabie

I'd suggest moving to clamd so you don't have the clammodule compatibility problems.
I've been running a clamd system since the MS beta's first came out with clamd support with no issues whatsoever.

--
Martin Hepworth
Oxford, UK

From rvdmerwe at mhg.co.za Tue Dec 9 10:53:35 2008
From: rvdmerwe at mhg.co.za (Rabie Van der Merwe)
Date: Tue Dec 9 10:54:14 2008
Subject: Increased load
In-Reply-To: <72cf361e0812090038u1d2f67fcw952702323dfdb000@mail.gmail.com>
References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com><492C7BAD.5090708@vanderkooij.org><3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com><223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com><3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com><7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za> <72cf361e0812090038u1d2f67fcw952702323dfdb000@mail.gmail.com>
Message-ID:

I can try that, but what I need is speed as I do high volume email. How does clamd compare to clamavmodule?

I still have the issue with increased load on the later releases; I would like to resolve that first before I make architecture changes.

Regards
Rabie

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: 09 December 2008 10:38 AM
To: MailScanner discussion
Subject: Re: Increased load

2008/12/9 Rabie Van der Merwe :
>
> I did apply the updated Message.pm file I am however still seeing the
> increased load on the server compared to versions 4.69.9-3 and prior.
>
> My 2 servers run at around lavg of 0.8, since first updating the one
> server then the other (can correlate this on my load graphs) the load
> now is around 1.5-2.
>
> Unfortunately I didn't have the MailScanner performance logging enabled
> previously so I can't compare the internal runtimes to then.
>
> I am running 12 children on a 4 way box with 4096Mb ram with incoming
> area in tmpfs on CentOS 5.2 x86_64.
> Looking at my graphs I can see an
> increase in my CPU User time, CPU System time increased slightly but
> IOWait seem relatively the same. I am also running ClamAV module 0.22
> with ClamAV 0.94.
>
> I could revert to an older build of MailScanner to test, but there is a
> compatibility issue with CLamAv? Or will ClamAV module handle that?
>
> Let me know if there is anything else I can provide.
>
> Regards
> Rabie

I'd suggest moving to clamd so you don't have the clammodule compatibility problems.
I've been running a clamd system since the MS beta's first came out with clamd support with no issues what so-ever. -- Martin Hepworth Oxford, UK -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ********************************************************************** --------- NOTICE --------- This message (including attachments) contains privileged and confidential information intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination, copy or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is prohibited. If you received this message in error, please notify the sender immediately by e-mail, facsimile or telephone and thereafter delete the material from any computer. Metropolitan Health Group, its subsidiaries or associates, does not accept liability for any personal views expressed in this message. Metropolitan Health Group PO Box 4313 Cape Town 8000 Tel: (021) 480 4511 Fax: (021) 480 4535 www.mhg.co.za ********************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081209/daf8b458/attachment.html From prandal at herefordshire.gov.uk Tue Dec 9 11:07:38 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Dec 9 11:08:07 2008 Subject: Increased load In-Reply-To: References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com><492C7BAD.5090708@vanderkooij.org><3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com><223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com><3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com><7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za><72cf361e0812090038u1d2f67fcw952702323dfdb000@mail.gmail.com> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA055C6145@HC-MBX02.herefordshire.gov.uk> I'm seeing a substantially reduced load after switching to clamd from clamavmodule here. Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. 
________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rabie Van der Merwe Sent: 09 December 2008 10:54 To: MailScanner discussion Subject: RE: Increased load I can try that, but what I need to speed as I do high volume email. How does clamd compare to clamavmodule? I still have the issue with increased load on the later releases; I would like to resolve that first before I make architecture changes. Regards Rabie -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 09 December 2008 10:38 AM To: MailScanner discussion Subject: Re: Increased load 2008/12/9 Rabie Van der Merwe : > > I did apply the updated Message.pm file I am however still seeing the > increased load on the server compared to versions 4.69.9-3 and prior. > > My 2 servers run at around lavg of 0.8, since first updating the one > server then the other (can correlate this on my load graphs) the load > now is around 1.5-2. > > Unfortunatly I didn't have the MailScanner performance logging enabled > previously so I can't compare the internal runtimes to then. > > I am running 12 children on a 4 way box with 4096Mb ram with incoming > area in tmpfs on CentOS 5.2 x86_64. Looking at my graphs I can see an > increase in my CPU User time, CPU System time increased slightly but > IOWait seem relatively the same. I am also running ClamAV module 0.22 > with ClamAV 0.94. > > I could revert to an older build of MailScanner to test, but there is a > compatibility issue with CLamAv? Or will ClamAV module handle that? > > Let me know if there is anything else I can provide. 
> > Regards > Rabie > > > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rabie > Van der Merwe > Sent: 26 November 2008 13:18 PM > To: MailScanner discussion > Subject: RE: Increased load > > > I recently joined the mailing list, could someone repost the file or let > me know what the subject of the message was as I cant search the through > the mailing list. > > Regards > Rabie > > PS BAD CPU!! Down, down boy, staaay ! :) > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn > Steen > Sent: 26 November 2008 10:54 AM > To: MailScanner discussion > Subject: Re: Increased load > > 2008/11/26 Rabie Van der Merwe : >> >> Yip CPU utilization is defiantly up. >> > Well, you need be strict with it then.... Tell it to be less > defiant!!!:-):-):-)... (as if that would help:-) > > Seriously though, if you are using 4.72.5 you might need the latest > Message.pm fix that Jules posted, or else you would see the children > start to loop on some specific messages... Notably, the busy > MailScanner child will report "cleaning messages" as commandline in > "ps"... and never leave that state. > Solutions would be: > - get a hold of the fixed Message.pm and drop that into place (restart > MS after that), or > - revert to 4.71, or > - wait for Jules to post a new release with the fix incorporated > (there just might be a new beta around the corner:-). 
> > Cheers > -- > -- Glenn > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo >> van der Kooij >> Sent: 26 November 2008 00:27 AM >> To: MailScanner discussion >> Subject: Re: Increased load >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Rabie Van der Merwe wrote: >>> >>> Can anyone think of a reason why moving from 4.69.9-3 to any of the >>> later versions would increase the load on the server? I have 2 > servers >>> running MailScanner and my avg load went from 2 to 4 since the > upgrade >>> on both boxes. >> >> Well load in itself should not be an issue. Is the average CPU usage >> significantly higher? (Use vmstat to find out.) >> >> Hugo. >> >> - -- >> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ >> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc >> >> A: Yes. >> >Q: Are you sure? >> >>A: Because it reverses the logical flow of conversation. >> >>>Q: Why is top posting frowned upon? >> >> Bored? Click on http://spamornot.org/ and rate those images. >> >> Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w > gyfieithu. >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.7 (GNU/Linux) >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org >> >> iD8DBQFJLHurBvzDRVjxmYERAoL4AJwPCOJyy0zKlyIdg6gcw9zr+f908wCfd1ba >> coBDbgd/x0Mz6BfLVCn1OhE= >> =IcK/ >> -----END PGP SIGNATURE----- >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> > > > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > > I'd suggest moving to clamd so you don't have the clammodule compatibility problems.
I've been running a clamd system since the MS beta's first came out with clamd support with no issues what so-ever. -- Martin Hepworth Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081209/d26cab0d/attachment-0001.html

From simon.walter at hp-factory.de Tue Dec 9 11:58:03 2008
From: simon.walter at hp-factory.de (simon.walter@hp-factory.de)
Date: Tue Dec 9 11:54:19 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <493D368B.30409@ecs.soton.ac.uk>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk>
Message-ID: <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com>

Hi,

> Send me mail from a badly setup domain, and you better not be surprised
> when I don't accept it. The RFC makes it very clear that MX records can
> only point to A records and not to CNAME records.
> Get your DNS fixed and I will happily accept your mail.
> :-)

Yeah, I have got that...
I can't get my DNS fixed because it's not mine. I have to wait till
someone else does it and I don't know when that will happen.

Funny how everybody focuses on this little, unimportant, technical problem
but ignores the real cause of my mail.

Did you read my first mail which started this thread?

--
Regards
Simon

From campbell at cnpapers.com Tue Dec 9 13:22:08 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Dec 9 13:22:23 2008
Subject: MailScanner Reload error
In-Reply-To: <4935C26A.80407@rheel.co.nz>
References: <49359B3A.3020202@rheel.co.nz> <4935A9C2.8090206@slackadelic.com> <4935C26A.80407@rheel.co.nz>
Message-ID: <493E7100.8000201@cnpapers.com>

Lists wrote:
> Matt Hayes wrote:
>> Lists wrote:
>>
>>> Hi,
>>> When I run service MailScanner reload I get the following:
>>>
>>> Reloading MailScanner workers:
>>> MailScanner: kill -10449: No such process
>>> kill 9570: No such process
>>>
>>> Does this indicate an error that I need to sort out?
>>> >>> Thanks >>> Kate >>> >>> >> >> It appears that the process ID that the script knew either was already >> shutdown or crashed of some kind. >> >> Hard to say really. >> >> Did you do an update or something? >> >> -Matt >> > Yes I did do an update a week or so ago to MailScanner version 4.72.5 > (I was running version only one version earlier) > > Kate Not sure if this has been resolved or not, but.... I used to get this also. If I recall, the problem was in the init script. Julian put out a better copy that seemed to fix it, and I thought he put it in the latest releases. You might want to check and see if there's an MailScanner.rpmnew in your init directory if you're using a redhat type system. Steve Campbell From maxsec at gmail.com Tue Dec 9 13:35:15 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Tue Dec 9 13:35:25 2008 Subject: Increased load In-Reply-To: References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> <492C7BAD.5090708@vanderkooij.org> <3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> <3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com> <7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za> <72cf361e0812090038u1d2f67fcw952702323dfdb000@mail.gmail.com> Message-ID: <72cf361e0812090535m71c65224o738907a92b1ce01e@mail.gmail.com> 2008/12/9 Rabie Van der Merwe : > > I can try that, but what I need to speed as I do high volume email. > How does clamd compare to clamavmodule? > > I still have the issue with increased load on the later releases; I > would like to resolve that first before I make architecture changes. 
> > Regards > Rabie > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin > Hepworth > Sent: 09 December 2008 10:38 AM > To: MailScanner discussion > Subject: Re: Increased load > > 2008/12/9 Rabie Van der Merwe : >> >> I did apply the updated Message.pm file I am however still seeing the >> increased load on the server compared to versions 4.69.9-3 and prior. >> >> My 2 servers run at around lavg of 0.8, since first updating the one >> server then the other (can correlate this on my load graphs) the load >> now is around 1.5-2. >> >> Unfortunatly I didn't have the MailScanner performance logging enabled >> previously so I can't compare the internal runtimes to then. >> >> I am running 12 children on a 4 way box with 4096Mb ram with incoming >> area in tmpfs on CentOS 5.2 x86_64. Looking at my graphs I can see an >> increase in my CPU User time, CPU System time increased slightly but >> IOWait seem relatively the same. I am also running ClamAV module 0.22 >> with ClamAV 0.94. >> >> I could revert to an older build of MailScanner to test, but there is > a >> compatibility issue with CLamAv? Or will ClamAV module handle that? >> >> Let me know if there is anything else I can provide. >> >> Regards >> Rabie >> >> >> >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rabie >> Van der Merwe >> Sent: 26 November 2008 13:18 PM >> To: MailScanner discussion >> Subject: RE: Increased load >> >> >> I recently joined the mailing list, could someone repost the file or > let >> me know what the subject of the message was as I cant search the > through >> the mailing list. >> >> Regards >> Rabie >> >> PS BAD CPU!! Down, down boy, staaay ! 
:) >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn >> Steen >> Sent: 26 November 2008 10:54 AM >> To: MailScanner discussion >> Subject: Re: Increased load >> >> 2008/11/26 Rabie Van der Merwe : >>> >>> Yip CPU utilization is defiantly up. >>> >> Well, you need be strict with it then.... Tell it to be less >> defiant!!!:-):-):-)... (as if that would help:-) >> >> Seriously though, if you are using 4.72.5 you might need the latest >> Message.pm fix that Jules posted, or else you would see the children >> start to loop on some specific messages... Notably, the busy >> MailScanner child will report "cleaning messages" as commandline in >> "ps"... and never leave that state. >> Solutions would be: >> - get a hold of the fixed Message.pm and drop that into place (restart >> MS after that), or >> - revert to 4.71, or >> - wait for Jules to post a new release with the fix incorporated >> (there just might be a new beta around the corner:-). >> >> Cheers >> -- >> -- Glenn >> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo >>> van der Kooij >>> Sent: 26 November 2008 00:27 AM >>> To: MailScanner discussion >>> Subject: Re: Increased load >>> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Rabie Van der Merwe wrote: >>>> >>>> Can anyone think of a reason why moving from 4.69.9-3 to any of the >>>> later versions would increase the load on the server? I have 2 >> servers >>>> running MailScanner and my avg load went from 2 to 4 since the >> upgrade >>>> on both boxes. >>> >>> Well load in itself should not be an issue. Is the average CPU usage >>> significantly higher? (Use vmstat to find out.) >>> >>> Hugo. >>> >>> - -- >>> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ >>> PGP/GPG? 
Use: http://hugo.vanderkooij.org/0x58F19981.asc >>> >>> A: Yes. >>> >Q: Are you sure? >>> >>A: Because it reverses the logical flow of conversation. >>> >>>Q: Why is top posting frowned upon? >>> >>> Bored? Click on http://spamornot.org/ and rate those images. >>> >>> Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w >> gyfieithu. >>> -----BEGIN PGP SIGNATURE----- >>> Version: GnuPG v1.4.7 (GNU/Linux) >>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org >>> >>> iD8DBQFJLHurBvzDRVjxmYERAoL4AJwPCOJyy0zKlyIdg6gcw9zr+f908wCfd1ba >>> coBDbgd/x0Mz6BfLVCn1OhE= >>> =IcK/ >>> -----END PGP SIGNATURE----- >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >> >> >> >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> >> > > I'd suggest moving to clamd so you don't have the clammodule > compatibility problems. I've been running a clamd system since the MS > beta's first came out with clamd support with no issues what so-ever. > > -- > Martin Hepworth > Oxford, UK
another change could be the antiword feature.
If you make sure this is off in MailScanner.conf

Add Text Of Doc = off

--
Martin Hepworth
Oxford, UK

From maxsec at gmail.com Tue Dec 9 13:54:00 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Dec 9 13:54:09 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com>
Message-ID: <72cf361e0812090554hba5401cjbab66a08a5d815f8@mail.gmail.com>

2008/12/9 :
> Hi,
>
>> Send me mail from a badly setup domain, and you better not be surprised
>> when I don't accept it. The RFC makes it very clear that MX records can
>> only point to A records and not to CNAME records.
>> Get your DNS fixed and I will happily accept your mail.
>> :-)
>
> Yeah, I have got that...
> I can't get my DNS fixed because it's not mine. I have to wait till
> someone else does it and I don't know when that will happen.
>
> Funny how everybody focuses on this little, unimportant, technical problem
> but ignores the real cause of my mail.
>
> Did you read my first mail which started this thread?
>
> --
> Regards
> Simon
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

the 'other' problem you got is that you're running an ancient version
of mailscanner (which many debian users do). latest version is
4.73.4-2. If you install that ( via the tar.gz generic installer or a
more up to date debian repository) you may find the issue has already
been fixed.

--
Martin Hepworth
Oxford, UK

From MailScanner at ecs.soton.ac.uk Tue Dec 9 14:13:07 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Dec 9 14:13:30 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com>
Message-ID: <493E7CF3.1050301@ecs.soton.ac.uk>

On 9/12/08 11:58, simon.walter@hp-factory.de wrote:
> Hi,
>
>
>> Send me mail from a badly setup domain, and you better not be surprised
>> when I don't accept it. The RFC makes it very clear that MX records can
>> only point to A records and not to CNAME records.
>> Get your DNS fixed and I will happily accept your mail.
>> :-)
>>
>
> Yeah, I have got that...
> I can't get my DNS fixed because it's not mine. I have to wait till
> someone else does it and I don't know when that will happen.
>
> Funny how everybody focuses on this little, unimportant, technical problem
> but ignores the real cause of my mail.
>
But if your mail never reaches me, how am I supposed to know what's in
it? :-)
> Did you read my first mail which started this thread?
>
Yes.
What would you recommend as the best solution to the problem?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
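
Added example, not part of the original thread and not MailScanner's code: the bug class named in this thread's subject line, reproduced in a throwaway sandbox, with a fixed temp-file name beside a `mktemp -d` version. The names `update.tmp` and `protected.conf` are hypothetical.

```shell
#!/bin/sh
# Added illustration; every path lives in a throwaway sandbox directory.
# update.tmp and protected.conf are hypothetical names, not MailScanner's.

# Unsafe: fixed, predictable name in a directory other users can write to.
# ">" follows a symlink already sitting at that name and truncates its target.
unsafe_write() {
    shared_dir=$1
    printf 'update data\n' > "$shared_dir/update.tmp"
}

# Safer: mktemp -d creates a new directory with an unpredictable name and
# mode 0700, and fails instead of reusing an existing entry. Files created
# inside it cannot have been pre-planted by another user.
# Prints the private directory it created.
safe_write() {
    shared_dir=$1
    workdir=$(mktemp -d "$shared_dir/update.XXXXXX") || return 1
    printf 'update data\n' > "$workdir/update.tmp"
    printf '%s\n' "$workdir"
}

# Build the sandbox, place a link at the predictable name, run one strategy.
# Returns 0 if the protected file was overwritten, 1 if it survived.
protected_file_clobbered() {
    strategy=$1
    sandbox=$(mktemp -d) || return 2
    mkdir "$sandbox/tmp" "$sandbox/etc"
    printf 'original\n' > "$sandbox/etc/protected.conf"
    # Constructed stand-in for a link another local user left in the shared dir.
    ln -s "$sandbox/etc/protected.conf" "$sandbox/tmp/update.tmp"
    "$strategy" "$sandbox/tmp" > /dev/null
    content=$(cat "$sandbox/etc/protected.conf")
    rm -rf "$sandbox"
    [ "$content" != "original" ]
}

if protected_file_clobbered unsafe_write; then
    echo "unsafe_write: protected.conf was overwritten through the symlink"
fi
if ! protected_file_clobbered safe_write; then
    echo "safe_write: protected.conf is unchanged"
fi
```

Testing the path with `[ -L ]` before writing is not a fix, because the link can be created between the check and the write.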
From simon.walter at hp-factory.de Tue Dec 9 14:24:04 2008
From: simon.walter at hp-factory.de (simon.walter@hp-factory.de)
Date: Tue Dec 9 14:20:19 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <72cf361e0812090554hba5401cjbab66a08a5d815f8@mail.gmail.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090554hba5401cjbab66a08a5d815f8@mail.gmail.com>
Message-ID: <36409.62.128.6.83.1228832644.squirrel@mail.lksoft.com>

Hello,

> 2008/12/9 :
>> Did you read my first mail which started this thread?
>
> the 'other' problem you got is that you're running an ancient version
> of mailscanner (which many debian users do). latest version is
> 4.73.4-2.

4.71.10 isn't ancient.

> If you install that ( via the tar.gz generic installer or a
> more up to date debian repository) you may find the issue has already
> been fixed.

or I may not. Latest version of MailScanner fixes only one problem.

1/12/2008 New in Version 4.73.4-2
2 Security issue in "trend-autoupdate" resolved.

also known as CVE-2008-5140[1].
The bugreport[2] I refer to is about a whole bunch of similar security
problems[3][4] in MailScanner

--
Regards
Simon

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5140
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5312
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5313

From simon.walter at hp-factory.de Tue Dec 9 14:31:14 2008
From: simon.walter at hp-factory.de (simon.walter@hp-factory.de)
Date: Tue Dec 9 14:27:30 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <493E7CF3.1050301@ecs.soton.ac.uk>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <493E7CF3.1050301@ecs.soton.ac.uk>
Message-ID: <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com>

> On 9/12/08 11:58, simon.walter@hp-factory.de wrote:
>> Did you read my first mail which started this thread?
>>
> Yes.
> What would you recommend as the best solution to the problem?

In short: I can't fix it, would be nice if you could fix it.

I'll just quote my comment to the debian-bugreport:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353#13

--
Regards
Simon

From alex at rtpty.com Tue Dec 9 14:28:53 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Dec 9 14:29:08 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <72cf361e0812090554hba5401cjbab66a08a5d815f8@mail.gmail.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090554hba5401cjbab66a08a5d815f8@mail.gmail.com>
Message-ID: <1F40C700-7045-448E-A082-23D83F08081B@rtpty.com>

Luke 6:42 (KJV, since I assume it's what most of you chaps might be familiar with ;) )

"Either how canst thou say to thy brother, Brother, let me pull out the mote that is in thine eye, when thou thyself beholdest not the beam that is in thine own eye? Thou hypocrite, cast out first the beam out of thine own eye, and then shalt thou see clearly to pull out the mote that is in thy brother's eye."

Also Matthew 7:3 -

" 3And why beholdest thou the mote that is in thy brother's eye, but considerest not the beam that is in thine own eye? 4Or how wilt thou say to thy brother, Let me pull out the mote out of thine eye; and, behold, a beam is in thine own eye? 5Thou hypocrite, first cast out the beam out of thine own eye; and then shalt thou see clearly to cast out the mote out of thy brother's eye. "

On Dec 9, 2008, at 8:54 AM, Martin Hepworth wrote:

> the 'other' problem you got is that you're running an ancient version
> of mailscanner (which many debian users do). latest version is
> 4.73.4-2. If you install that ( via the tar.gz generic installer or a
> more up to date debian repository) you may find the issue has already
> been fixed.
From maillists at conactive.com Tue Dec 9 14:31:15 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 9 14:31:28 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com>
Message-ID:

Simon.walter@hp-factory.de wrote on Tue, 9 Dec 2008 11:58:03 -0000 (UTC):

> Funny how everybody focuses on this little, unimportant, technical problem
> but ignores the real cause of my mail.

The trend-updater problem has already been fixed in recent MS. I assume the other scripts will get fixed one by one over time if there really is a need.

BTW, there was one sentence in your original quotes I absolutely agree with:

> In the current state the package should not be part of
> the lenny release.

looking at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353 the MailScanner version in debian-stable is 4.55.10. That should indeed not be used anymore. If I understand this correctly the stable version is what comes with the current Debian 4.0?
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Tue Dec 9 14:36:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Dec 9 14:36:53 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <493E7CF3.1050301@ecs.soton.ac.uk> <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com>
Message-ID: <493E8271.4070605@ecs.soton.ac.uk>

Well if you can even give me a definitive statement of precisely what the underlying theoretical problem is, and how to avoid it, that would help. I don't want to write a load of code and then discover I've misunderstood the underlying problem and not actually fixed anything.

You seem to know all about this problem, or your statements make it appear that you do.

On 9/12/08 14:31, simon.walter@hp-factory.de wrote:
>> On 9/12/08 11:58, simon.walter@hp-factory.de wrote:
>>
>>> Did you read my first mail which started this thread?
>>>
>>>
>> Yes.
>> What would you recommend as the best solution to the problem?
>>
>
> In short: I can't fix it, would be nice if you could fix it.
>
> I'll just quote my comment to the debian-bugreport:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353#13
>
> --
> Regards
> Simon
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maxsec at gmail.com Tue Dec 9 14:43:38 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Dec 9 14:43:48 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <493E7CF3.1050301@ecs.soton.ac.uk> <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com>
Message-ID: <72cf361e0812090643l1425c7ecy3f03d36fee83f904@mail.gmail.com>

2008/12/9 :
>> On 9/12/08 11:58, simon.walter@hp-factory.de wrote:
>>> Did you read my first mail which started this thread?
>>>
>> Yes.
>> What would you recommend as the best solution to the problem?
>
> In short: I can't fix it, would be nice if you could fix it.
>
> I'll just quote my comment to the debian-bugreport:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353#13
>
> --
> Regards
> Simon
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Jules

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5313

seems to have a comprehensive list of the other files involved.
--
Martin Hepworth
Oxford, UK

From paulo-m-roncon at ptinovacao.pt Tue Dec 9 14:44:10 2008
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Tue Dec 9 14:44:26 2008
Subject: Problem with remote execute of Mailscanner start and restart
In-Reply-To: <200812061202.mB6C0OC6016836@safir.blacknight.ie>
References: <200812061202.mB6C0OC6016836@safir.blacknight.ie>
Message-ID:

on 12-5-2008 11:34 AM Paulo Roncon spake the following:
> Hello,
>
> I'm having a problem starting/restarting mailscanner with ssh.
> When I do:
> ssh root@machine1 /etc/init.d/MailScanner restart it does restart the
> service but I have to ctrl+c to get back the bash...
> This is a bit of a problem with some remote scripts I have implemented.
> This problem doesn't exist in older versions of MailScanner (4.66.5)
>
> Any ideas?
>
> thanks
>
>
> Paulo Roncon
>

The problem subsists... When I try to do a remote restart of MailScanner the bash hangs: ssh root@machine1 /etc/init.d/MailScanner restart
The restart works but the bash freezes until I ctrl+c.

This problem occurs with restart and start. The Stop and reload work nicely.

Sending the process to background wouldn't solve cause it would generate a lot of zombie processes... and it still locks the bash!

This behaviour only started on the latest versions of MailScanner.

Can anyone help?
Paulo

From maxsec at gmail.com Tue Dec 9 14:46:01 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Dec 9 14:46:11 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To:
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com>
Message-ID: <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com>

2008/12/9 Kai Schaetzl :
> Simon.walter@hp-factory.de wrote on Tue, 9 Dec 2008 11:58:03 -0000 (UTC):
>
>> Funny how everybody focuses on this little, unimportant, technical problem
>> but ignores the real cause of my mail.
>
> The trend-updater problem has already been fixed in recent MS. I assume the
> other scripts will get fixed one by one over time if there really is a need.
>
> BTW, there was one sentence in your original quotes I absolutely agree with:
>
>> In the current state the package should not be part of
>> the lenny release.
>
> looking at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353 the
> MailScanner version in debian-stable is 4.55.10. That should indeed not be
> used anymore. If I understand this correctly the stable version is what
> comes with the current Debian 4.0?
>
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany

Well yeah this is a general problem with debian - esp for 'unstable' (or rapidly updated) stuff like mailScanner, the long release cycles give problems.
--
Martin Hepworth
Oxford, UK

From prandal at herefordshire.gov.uk Tue Dec 9 14:48:30 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Dec 9 14:48:46 2008
Subject: Updated RPM clamd documentation on wiki
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA055C622E@HC-MBX02.herefordshire.gov.uk>

Folks,

I've updated the RPM clamd documentation on the wiki to match the reality I experienced when moving from Julian's tarball install of clamav/Mail::ClamAV to rpmforge's clamd/clamav on CentOS 5.2.

http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

Please fix any errors or omissions you find.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081209/5f191a77/attachment.html

From spamlists at coders.co.uk Tue Dec 9 14:51:44 2008
From: spamlists at coders.co.uk (Matt)
Date: Tue Dec 9 14:52:20 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <493E8271.4070605@ecs.soton.ac.uk>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <493E7CF3.1050301@ecs.soton.ac.uk> <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com> <493E8271.4070605@ecs.soton.ac.uk>
Message-ID: <493E8600.8070202@coders.co.uk>

Julian Field wrote:
> Well if you can even give me a definitive statement of precisely what
> the underlying theoretical problem is, and how to avoid it, that would
> help. I don't want to write a load of code and then discover I've
> misunderstood the underlying problem and not actually fixed anything.

http://lists.debian.org/debian-devel/2008/08/msg00285.html

The above is the message that starts it all. Basically because the auto updaters create temporary files in /tmp it is theoretically possible for a user to create a symlink to another file and compromise the system.
matt

From MailScanner at ecs.soton.ac.uk Tue Dec 9 14:58:32 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Dec 9 14:58:51 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <72cf361e0812090643l1425c7ecy3f03d36fee83f904@mail.gmail.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <493E7CF3.1050301@ecs.soton.ac.uk> <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com> <72cf361e0812090643l1425c7ecy3f03d36fee83f904@mail.gmail.com>
Message-ID: <493E8798.4030504@ecs.soton.ac.uk>

On 9/12/08 14:43, Martin Hepworth wrote:
> 2008/12/9:
>
>>> On 9/12/08 11:58, simon.walter@hp-factory.de wrote:
>>>
>>>> Did you read my first mail which started this thread?
>>>>
>>>>
>>> Yes.
>>> What would you recommend as the best solution to the problem?
>>>
>> In short: I can't fix it, would be nice if you could fix it.
>>
>> I'll just quote my comment to the debian-bugreport:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353#13
>>
>> --
>> Regards
>> Simon
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
>
> Jules
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5313
>
> seems to have a comprehensive list of the other files involved.
>
>

Yes, it does, I can run "grep" too. But they still don't explain precisely what the problem actually is nor have any suggestions on how I should correctly fix it.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From winslowb at pa.net Tue Dec 9 15:18:11 2008
From: winslowb at pa.net (Ben Winslow)
Date: Tue Dec 9 15:18:26 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <493E8271.4070605@ecs.soton.ac.uk>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <493E7CF3.1050301@ecs.soton.ac.uk> <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com> <493E8271.4070605@ecs.soton.ac.uk>
Message-ID: <20081209101811.4cca3f9f@winslowb.int.pa.net>

On Tue, 09 Dec 2008 14:36:33 +0000
Julian Field wrote:

> Well if you can even give me a definitive statement of precisely what
> the underlying theoretical problem is, and how to avoid it, that
> would help. I don't want to write a load of code and then discover
> I've misunderstood the underlying problem and not actually fixed
> anything.

The problem with the other autoupdate scripts is similar to the problem
with the Trend script: several of them are vulnerable to symlink
attacks.

Example:
user$ ln -s /etc/passwd /tmp/ClamAVBusy.lock
root# /usr/lib/MailScanner/clamav-autoupdate
root# cat /etc/passwd
Locked for updating ClamAV definitions by 18371
Unlocked after updating ClamAV definitions by 18371
root#

Symlinking /tmp/ClamAV.update.log is ineffective, because
freshclam drops privileges before the log file is opened, but it's
still bad practice to pass it a file in a world-writable directory like
that.
As far as fixing the problem, many systems have a mktemp utility that
can be used to securely create a temporary file (which is typically
just a wrapper around the system's mkstemp() function, if present.)
Since that's not really portable, though, you might be better off
porting the remaining autoupdate shell scripts to perl, where you can
use sysopen(HANDLE, "/tmp/file", ...|O_EXCL), which will fail if the
file already exists. Alternately, the fix for the trend-autoupdate
script in the latest version of MailScanner should work in the other
shell scripts as well, but it's not very elegant.

--
Ben Winslow

From jase at sensis.com Tue Dec 9 15:40:24 2008
From: jase at sensis.com (Desai, Jason)
Date: Tue Dec 9 15:41:20 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <20081209101811.4cca3f9f@winslowb.int.pa.net>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk><44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com><493E7CF3.1050301@ecs.soton.ac.uk><32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com><493E8271.4070605@ecs.soton.ac.uk> <20081209101811.4cca3f9f@winslowb.int.pa.net>
Message-ID: <1951DC816E1A9F469307B05FA183F4380151E3DF@corpatsmail1.corp.sensis.com>

> As far as fixing the problem, many systems have a mktemp utility that
> can be used to securely create a temporary file (which is typically
> just a wrapper around the system's mkstemp() function, if present.)
> Since that's not really portable, though, you might be better off
> porting the remaining autoupdate shell scripts to perl, where you can
> use sysopen(HANDLE, "/tmp/file", ...|O_EXCL), which will fail if the
> file already exists. Alternately, the fix for the trend-autoupdate
> script in the latest version of MailScanner should work in the other
> shell scripts as well, but it's not very elegant.
Or maybe be able to specify a working directory which the update scripts would use which is not world writable, but writable only by the MailScanner user?

Jase

From glenn.steen at gmail.com Tue Dec 9 15:46:48 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 9 15:46:59 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <20081209101811.4cca3f9f@winslowb.int.pa.net>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <493E7CF3.1050301@ecs.soton.ac.uk> <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com> <493E8271.4070605@ecs.soton.ac.uk> <20081209101811.4cca3f9f@winslowb.int.pa.net>
Message-ID: <223f97700812090746g260a7f07mfd95c2e87c74e26f@mail.gmail.com>

2008/12/9 Ben Winslow :
> On Tue, 09 Dec 2008 14:36:33 +0000
> Julian Field wrote:
>
>> Well if you can even give me a definitive statement of precisely what
>> the underlying theoretical problem is, and how to avoid it, that
>> would help. I don't want to write a load of code and then discover
>> I've misunderstood the underlying problem and not actually fixed
>> anything.
>
> The problem with the other autoupdate scripts is similar to the problem
> with the Trend script: several of them are vulnerable to symlink
> attacks.
>
> Example:
> user$ ln -s /etc/passwd /tmp/ClamAVBusy.lock
> root# /usr/lib/MailScanner/clamav-autoupdate
> root# cat /etc/passwd
> Locked for updating ClamAV definitions by 18371
> Unlocked after updating ClamAV definitions by 18371
> root#
>
> Symlinking /tmp/ClamAV.update.log is ineffective, because
> freshclam drops privileges before the log file is opened, but it's
> still bad practice to pass it a file in a world-writable directory like
> that.
>
> As far as fixing the problem, many systems have a mktemp utility that
> can be used to securely create a temporary file (which is typically
> just a wrapper around the system's mkstemp() function, if present.)
> Since that's not really portable, though, you might be better off
> porting the remaining autoupdate shell scripts to perl, where you can
> use sysopen(HANDLE, "/tmp/file", ...|O_EXCL), which will fail if the
> file already exists. Alternately, the fix for the trend-autoupdate
> script in the latest version of MailScanner should work in the other
> shell scripts as well, but it's not very elegant.
>

Why not either remove any preexisting file (provided it is a symlink) or barf and die?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From kwang at ucalgary.ca Tue Dec 9 15:53:10 2008
From: kwang at ucalgary.ca (Kai Wang)
Date: Tue Dec 9 15:53:24 2008
Subject: A message disappeared
Message-ID: <493E9466.2040209@ucalgary.ca>

Greetings,

We run Postfix (postfix-2.3.3-2.pcre.sasl2.rhel4) and MailScanner (mailscanner-4.66.5-3) together. A user reported that he lost a message. I checked into our log and found 4 entries about the message, all from postfix.
Dec 7 16:04:47 smtp2 postfix/smtpd[12441]: connect from h129-184.wlan.ucalgary.ca[136.159.184.129]
Dec 7 16:04:52 smtp2 postfix/smtpd[12441]: 5568910031: client=h129-184.wlan.ucalgary.ca [136.159.184.129], sasl_method=PLAIN, sasl_username=USERA@ucalgary.ca
Dec 7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: hold: header Received: from [136.159.184.129] (h129-184.wlan.ucalgary.ca [136.159.184.129])??by smtp2.ucalgary.ca (Postfix) with ESMTP id 5568910031??for ; Sun, 7 Dec 2008 16:04:52 -0700 (MST) from h129-184.wlan.ucalgary.ca [136.159.184.129]; from= to= proto=ESMTP helo=<[136.159.184.129]>
Dec 7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: message-id=<493C568F.9060006@ucalgary.ca>

I posted a message in the postfix-users mailing list and Wietse Venema replied to me as follows:

"Postfix left the message in the "hold" queue and Mailscanner took over. If you have no other entries for message-id=<493C568F.9060006@ucalgary.ca> then Mailscanner trashed your mail."

Thanks

--
Kai Wang
System Services
Information Technologies, University of Calgary,
2500 University Drive, N.W., Calgary, Alberta, Canada T2N 1N4
Phone (403) 220-2423, Fax (403) 282-9361

From winslowb at pa.net Tue Dec 9 15:55:18 2008
From: winslowb at pa.net (Ben Winslow)
Date: Tue Dec 9 15:55:31 2008
Subject: [Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <223f97700812090746g260a7f07mfd95c2e87c74e26f@mail.gmail.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <493E7CF3.1050301@ecs.soton.ac.uk> <32890.62.128.6.83.1228833074.squirrel@mail.lksoft.com> <493E8271.4070605@ecs.soton.ac.uk> <20081209101811.4cca3f9f@winslowb.int.pa.net> <223f97700812090746g260a7f07mfd95c2e87c74e26f@mail.gmail.com>
Message-ID: <20081209105518.2742e2eb@winslowb.int.pa.net>

On Tue, 9 Dec 2008 16:46:48 +0100
"Glenn Steen" wrote:

> Why not either remove any preexisting file (provided it is a symlink)
> or barf and die?

That's the fix employed in the trend-autoupdate script, although you also have to create a temporary directory to work in (which the script does) or there'll still be a race condition.

> Cheers

--
Ben Winslow

From gibbard at chem.fsu.edu Tue Dec 9 16:33:09 2008
From: gibbard at chem.fsu.edu (Hiram Gibbard)
Date: Tue Dec 9 16:24:37 2008
Subject: WARNINGS Ignoring deprecated option freebsd
Message-ID: <493E9DC5.60406@chem.fsu.edu>

WHAT I AM USING FOR MAIL:
CPU speed -> Dual 2.5 XEONs
Memory -> 8GB
Operating System -> FreeBSD 7.0

pkg_info REPORTS:
MailScanner-4.67.6_3
clamav-0.94.2
postfix-2.4.7,1

I installed from ports, which is what the mailscanner.info site recommends.
Of course it's not the latest version of mailscanner. Should I use the
downloadable tar version instead? I didn't have this problem using
Mailscanner 4.61.7 and clamav 94.1.


CURRENT mailscanner.conf settings
#
# Incoming Work Dir Settings
# --------------------------
#
# You should not normally need to touch these settings at all,
# unless you are using ClamAV and need to be able to use the
# external archive unpackers instead of ClamAV's built-in ones.

# If you want to create the temporary working files so they are owned
# by a user other than the "Run As User" setting at the top of this file,
# you can change that here.
#
# Note: If the "Run As User" is not "root" you cannot change the
# user but may still be able to change the group, if the
# "Run As User" is a member of both of the groups "Run As Group"
# and "Incoming Work Group"
# Note: If the "Run As User" is "root" (or not set at all) and you are
# using the "clamd" virus scanner AND clamd is not running as root,
# then this must be set to the group clamd is using (from your
# clamd.conf), example:
# Incoming Work Group = clamav
# Incoming Work Permissions = 0640
Incoming Work User = root
Incoming Work Group = root

I tried this with group mail too.
PROBLEM THAT I WANT TO RESOLVE:

Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unzip
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --jar
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --tar
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --tgz
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --deb
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unrar
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --arj
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --lha
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unzoo
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --max-ratio
Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unrar
Dec 9 11:48:03 mail MailScanner[754]: MailScanner E-Mail Virus Scanner version 4.67.6 starting...

I realize this was a topic before, but I have one question. Even though Mailscanner.info states to install by ports, should I still get the latest version from the site and install that one instead?

Thanks in advance.

--
--------------------------------------------
Hiram Gibbard
Florida State University
Computer Support

Department of Chemistry
Phone: 850.644.3004
Fax: 850.644.8281
URL: http://www.chem.fsu.edu/~gibbard
--------------------------------------------

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
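
The lock-file symlink problem and the fixes discussed earlier in this thread (refuse an existing file, create exclusively, work in a private directory), shown as an added shell example that is not MailScanner's code. The function names and the sandbox are constructed for the demonstration; victim.conf stands in for /etc/passwd and the lock name mirrors /tmp/ClamAVBusy.lock.

```shell
#!/bin/sh
# Added illustration, not MailScanner code. Everything happens inside a
# throwaway sandbox; victim.conf stands in for a root-owned file such as
# /etc/passwd, and ClamAVBusy.lock for the fixed name under /tmp.

# Private working directory: mktemp -d creates a new, unpredictably named
# directory that only the calling user can enter (mode 0700).
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/ms-update.XXXXXX"
}

# The pattern the thread describes: a plain redirect to a fixed name.
# The redirect follows a pre-planted symlink and truncates its target.
unsafe_lock() {
    echo "Locked for updating by $$" > "$1"
}

# Hardened lock: fail instead of writing through anything that already exists.
safe_lock() {
    # Early exit for any existing name, including a dangling symlink.
    if [ -e "$1" ] || [ -L "$1" ]; then
        return 1
    fi
    # noclobber (set -C) makes the create itself exclusive, so a link to a
    # file planted between the test above and this write is still refused.
    ( set -C; echo "Locked for updating by $$" > "$1" ) 2>/dev/null
}

demo() {
    sandbox=$(make_workdir) || return 1
    case $(ls -ld "$sandbox") in
        drwx------*) dir=private ;;
        *)           dir=shared ;;
    esac
    victim="$sandbox/victim.conf"
    lock="$sandbox/ClamAVBusy.lock"

    # 1. Planted link + unsafe writer: the victim's content is replaced.
    printf 'original\n' > "$victim"
    ln -s "$victim" "$lock"
    unsafe_lock "$lock"
    if grep -q '^original$' "$victim"; then unsafe=intact; else unsafe=clobbered; fi

    # 2. Same planted link + hardened writer: refused, victim untouched.
    printf 'original\n' > "$victim"
    if safe_lock "$lock"; then guarded=acquired; else guarded=refused; fi
    if grep -q '^original$' "$victim"; then after=intact; else after=clobbered; fi

    # 3. No link present: first caller gets the lock, a second one does not.
    rm -f "$lock"
    if safe_lock "$lock"; then first=acquired; else first=refused; fi
    if safe_lock "$lock"; then second=acquired; else second=refused; fi

    rm -rf "$sandbox"
    echo "dir=$dir unsafe=$unsafe guarded=$guarded/$after first=$first second=$second"
}

demo
```

In an updater script the lock and log files would be created inside the directory returned by make_workdir, or inside a directory writable only by the MailScanner user as suggested in the thread, rather than under a fixed name in /tmp.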
From maxsec at gmail.com Tue Dec 9 16:45:00 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Dec 9 16:45:09 2008
Subject: WARNINGS Ignoring deprecated option freebsd
In-Reply-To: <493E9DC5.60406@chem.fsu.edu>
References: <493E9DC5.60406@chem.fsu.edu>
Message-ID: <72cf361e0812090845o4ff76039v8e7ca6ded3b48550@mail.gmail.com>

2008/12/9 Hiram Gibbard :
> WHAT I AM USING FOR MAIL:
> CPU speed -> Dual 2.5 XEONs
> Memory -> 8GB
> Operating System -> FreeBSD 7.0
>
> pkg_info REPORTS:
> MailScanner-4.67.6_3
> clamav-0.94.2
> postfix-2.4.7,1
>
> I installed from ports, which is what the mailscanner.info site recommends.
> Of course it's not the latest version of mailscanner. Should I use the
> downloadable tar version instead? I didn't have this problem using
> Mailscanner 4.61.7 and clamav 94.1.
>
>
> CURRENT mailscanner.conf settings
> #
> # Incoming Work Dir Settings
> # --------------------------
> #
> # You should not normally need to touch these settings at all,
> # unless you are using ClamAV and need to be able to use the
> # external archive unpackers instead of ClamAV's built-in ones.
>
> # If you want to create the temporary working files so they are owned
> # by a user other than the "Run As User" setting at the top of this file,
> # you can change that here.
> #
> # Note: If the "Run As User" is not "root" you cannot change the
> # user but may still be able to change the group, if the
> # "Run As User" is a member of both of the groups "Run As Group"
> # and "Incoming Work Group"
> # Note: If the "Run As User" is "root" (or not set at all) and you are
> # using the "clamd" virus scanner AND clamd is not running as root,
> # then this must be set to the group clamd is using (from your
> # clamd.conf), example:
> # Incoming Work Group = clamav
> # Incoming Work Permissions = 0640
> Incoming Work User = root
> Incoming Work Group = root
>
> I tried this with group mail too.
>
>
>
> PROBLEM THAT I WANT TO RESOLVE:
>
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --unzip
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --jar
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --tar
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --tgz
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --deb
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --unrar
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --arj
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --lha
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --unzoo
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --max-ratio
> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option
> --unrar
> Dec 9 11:48:03 mail MailScanner[754]: MailScanner E-Mail Virus Scanner
> version 4.67.6 starting...
>
>
> I realize this was a topic before, but I have one question. Even though
> Mailscanner.info states to install by ports, should I still get the
> latest version from the site and install that one instead?
>
> Thanks in advance.
> --
> --------------------------------------------
> Hiram Gibbard
> Florida State University
> Computer Support
>
> Department of Chemistry
> Phone: 850.644.3004
> Fax: 850.644.8281
> URL: http://www.chem.fsu.edu/~gibbard
> --------------------------------------------
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

This is because you need the latest mailscanner version to be compatible with clamav 0.94. So yes the tar.gz will be needed as the port maintainer hasn't the time to upgrade the port at the moment (I asked him off list a couple of weeks ago).

I'm doing the move from ports to tar.gz version at the moment. If I come across anything unusual when I do the final move tomorrow AM (gmt) I'll let you know.

--
Martin Hepworth
Oxford, UK

From ssilva at sgvwater.com Tue Dec 9 16:52:18 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 9 16:52:41 2008
Subject: Increased load
In-Reply-To:
References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com><492C7BAD.5090708@vanderkooij.org><3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com><223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com><3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com><7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za> <72cf361e0812090038u1d2f67fcw952702323dfdb000@mail.gmail.com>
Message-ID:

on 12-9-2008 2:53 AM Rabie Van der Merwe spake the following:
>
> I can try that, but what I need to speed as I do high volume email.
> How does clamd compare to clamavmodule?
>
> I still have the issue with increased load on the later releases; I
> would like to resolve that first before I make architecture changes.
>
> Regards
> Rabie
>

The newer versions of MailScanner are needed with the latest version of clam. 4.72.5 or later ONLY works with clam 0.94 + . If you revert to older clam, you also need to revert to older mailscanner.

1/11/2008 New in Version 4.72.5-1
=================================
* New Features and Improvements *
1 Added support for ClamAV 0.94. Note that this has necessitated removal of complete support for earlier versions of ClamAV as the command-line settings are incompatible. So only use this version if you have upgraded to the latest ClamAV 0.94.

It is a minor change to run clamd.
You can get clamd running and make all the config changes first. Then you only have to change the line "virus scanners =" in mailscanner.conf to get it using clamd. That way you can test clamd, and set up whatever monitoring you want to do to make sure it stays running before you depend on the daemon to catch the nasties.

> I'd suggest moving to clamd so you don't have the clammodule
> compatibility problems. I've been running a clamd system since the MS
> beta's first came out with clamd support with no issues what so-ever.
> --
> Martin Hepworth
> Oxford, UK
> **********************************************************************
> ---------
> NOTICE
> ---------
> This message (including attachments) contains privileged and
> confidential information intended only for the person or entity to which
> it is addressed.
> Any review, retransmission, dissemination, copy or other use of, or
> taking of any action in reliance upon this information by persons or
> entities other than the intended recipient, is prohibited.
> If you received this message in error, please notify the sender
> immediately by e-mail, facsimile or telephone and thereafter delete the
> material from any computer.
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Dec 9 17:17:56 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Dec 9 17:18:18 2008 Subject: Problem with remote execute of Mailscanner start and restart In-Reply-To: References: <200812061202.mB6C0OC6016836@safir.blacknight.ie> Message-ID: on 12-9-2008 6:44 AM Paulo Roncon spake the following: > on 12-5-2008 11:34 AM Paulo Roncon spake the following: >> Hello, >> >> I'm having a problem starting/restarting mailscanner with ssh. >> When I do: >> ssh root@machine1 /etc/init.d/MailScanner restart it does restart the >> service but I have to Ctrl+C to get back the bash... >> This is a bit of a problem with some remote scripts I have implemented. >> This problem doesn't exist in older versions of MailScanner (4.66.5) >> >> Any ideas? >> >> thanks >> >> >> Paulo Roncon >> > > > The problem subsists... When I try to do a remote restart of MailScanner the bash hangs: ssh root@machine1 /etc/init.d/MailScanner restart > The restart works but the bash freezes until I Ctrl+C. > > This problem occurs with restart and start. The Stop and reload work nicely. > > Sending the process to background wouldn't solve cause it would generate a lot of zombie process... and it still locks the bash!
> > This behaviour only started on the latest versions of MailScanner. > > Can anyone help? > > Paulo > > Have you tried diff-ing the old and new init scripts and looking for code differences? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From maxsec at gmail.com Tue Dec 9 17:25:42 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Tue Dec 9 17:25:51 2008 Subject: A message disappeared In-Reply-To: <493E9466.2040209@ucalgary.ca> References: <493E9466.2040209@ucalgary.ca> Message-ID: <72cf361e0812090925h4dc8c3b5if96b78ac03f430de@mail.gmail.com> 2008/12/9 Kai Wang : > > Greetings, > > We run Postfix (postfix-2.3.3-2.pcre.sasl2.rhel4) and MailScanner > (mailscanner-4.66.5-3) > together. A user reported that he lost a message. I checked into our log and > found 4 entries > about the message, all from postfix.
>
> Dec 7 16:04:47 smtp2 postfix/smtpd[12441]: connect from h129-184.wlan.ucalgary.ca[136.159.184.129]
> Dec 7 16:04:52 smtp2 postfix/smtpd[12441]: 5568910031: client=h129-184.wlan.ucalgary.ca [136.159.184.129], sasl_method=PLAIN, sasl_username=USERA@ucalgary.ca
> Dec 7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: hold: header Received: from [136.159.184.129] (h129-184.wlan.ucalgary.ca [136.159.184.129])??by smtp2.ucalgary.ca (Postfix) with ESMTP id 5568910031??for ; Sun, 7 Dec 2008 16:04:52 -0700 (MST) from h129-184.wlan.ucalgary.ca [136.159.184.129]; from= to= proto=ESMTP helo=<[136.159.184.129]>
> Dec 7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: message-id=<493C568F.9060006@ucalgary.ca>
>
> I posted a message in postfix-users mailing list and Wietse Venema replied to me as follows:
>
> "Postfix left the message in the "hold" queue and Mailscanner took over. If you have no other entries for message-id=<493C568F.9060006@ucalgary.ca> then Mailscanner trashed your mail."
>
> Thanks
>
> --
> Kai Wang
> System Services
> Information Technologies, University of Calgary,
> 2500 University Drive, N.W.,
> Calgary, Alberta, Canada T2N 1N4
> Phone (403) 220-2423, Fax (403) 282-9361
>

Kai there's a couple of postfix fixes in later mailscanner versions. I'd suggest upgrading to latest and seeing if you can reproduce this.

MailScanner's design is such that 'losing' messages is very very unlikely. Perhaps turning on some more detailed logging may help as well (see the "Log nonspam" and other options in MailScanner.conf).
-- Martin Hepworth Oxford, UK From ssilva at sgvwater.com Tue Dec 9 17:29:07 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Dec 9 17:29:26 2008 Subject: Updated RPM clamd documentation on wiki In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA055C622E@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA055C622E@HC-MBX02.herefordshire.gov.uk> Message-ID: on 12-9-2008 6:48 AM Randal, Phil spake the following: > Folks, > > I've updated the RPM clamd documentation on the wiki to match the > reality I experienced when moving from Julian's tarball install of > clamav/Mail::ClamAV to rpmforge's clamd/clamav on CentOS 5.2. > > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd > > > Please fix any errors or omissions you find. > > Cheers, > > Phil I moved the comment about removing the old versions above the line to install the new rpm. Only because many people follow numbered lists in order without really reading the whole thing thoroughly. Also added a note about the clam module settings. I don't think clamd needs them since freshclam will HUP the daemon if it actually updates anything. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From stef at aoc-uk.com Tue Dec 9 17:33:42 2008 From: stef at aoc-uk.com (Stef Morrell) Date: Tue Dec 9 17:33:47 2008 Subject: A message disappeared In-Reply-To: References: Message-ID: <200812091733.mB9HXcAb009027@safir.blacknight.ie> Kai Wang wrote: > I posted a message in postfix-users mailing list and Wietse > Venema replied me as follows: > > "Postfix left the message in the "hold" queue and Mailscanner > took over.
> If you have no other > entries for message-id=<493C568F.9060006@ucalgary.ca> then > Mailscanner trashed your mail." Further to Martin's comments, whilst I have found the postfix list to be generally helpful, the word "MailScanner" is pretty much a kiss of death for getting assistance there. Mr. Venema isn't a fan. http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:politics&s=postfix May be of help. Stef -- Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454 From gibbard at chem.fsu.edu Tue Dec 9 19:00:30 2008 From: gibbard at chem.fsu.edu (Hiram Gibbard) Date: Tue Dec 9 18:52:11 2008 Subject: WARNINGS Ignoring deprecated option freebsd In-Reply-To: <72cf361e0812090845o4ff76039v8e7ca6ded3b48550@mail.gmail.com> References: <493E9DC5.60406@chem.fsu.edu> <72cf361e0812090845o4ff76039v8e7ca6ded3b48550@mail.gmail.com> Message-ID: <493EC04E.7030905@chem.fsu.edu> Martin Hepworth wrote: > 2008/12/9 Hiram Gibbard : >> WHAT I AM USING FOR MAIL: >> CPU speed -> Dual 2.5 XEONs >> Memory -> 8GB >> Operating System -> FreeBSD 7.0 >> >> pkg_info REPORTS: >> MailScanner-4.67.6_3 >> clamav-0.94.2 >> postfix-2.4.7,1 >> >> I installed from ports, which is what the mailscanner.info site recommends. >> Of course it's not the latest version of mailscanner. Should I use the >> downloadable tar version instead? I didn't have this problem using >> Mailscanner 4.61.7 and clamav 94.1.
>> >> >> CURRENT mailscanner.conf settings >> # >> # Incoming Work Dir Settings >> # -------------------------- >> # >> # You should not normally need to touch these settings at all, >> # unless you are using ClamAV and need to be able to use the >> # external archive unpackers instead of ClamAV's built-in ones. >> >> # If you want to create the temporary working files so they are owned >> # by a user other than the "Run As User" setting at the top of this file, >> # you can change that here. >> # >> # Note: If the "Run As User" is not "root" you cannot change the >> # user but may still be able to change the group, if the >> # "Run As User" is a member of both of the groups "Run As Group" >> # and "Incoming Work Group" >> # Note: If the "Run As User" is "root" (or not set at all) and you are >> # using the "clamd" virus scanner AND clamd is not running as root, >> # then this must be set to the group clamd is using (from your >> # clamd.conf), example: >> # Incoming Work Group = clamav >> # Incoming Work Permissions = 0640 >> Incoming Work User = root >> Incoming Work Group = root >> >> I tried this with group mail too. 
>>
>>
>>
>> PROBLEM THAT I WANT TO RESOLVE:
>>
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unzip
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --jar
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --tar
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --tgz
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --deb
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unrar
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --arj
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --lha
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unzoo
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --max-ratio
>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unrar
>> Dec 9 11:48:03 mail MailScanner[754]: MailScanner E-Mail Virus Scanner version 4.67.6 starting...
>>
>>
>> I realize this was a topic before, but I have one question. Even though Mailscanner.info states to install by ports, should I still get the latest version from the site and install that one instead?
>>
>> Thanks in advance.
>> --
>> --------------------------------------------
>> Hiram Gibbard
>> Florida State University
>> Computer Support
>>
>> Department of Chemistry
>> Phone: 850.644.3004
>> Fax: 850.644.8281
>> URL: http://www.chem.fsu.edu/~gibbard
>> --------------------------------------------
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > This is because you need the latest mailscanner version to be > compatible with clamav 0.94. So yes the tar.gz will be needed as the > port maintainer hasn't the time to upgrade the port at the moment (I > asked him off list a couple of weeks ago). > > I'm doing the move from ports to tar.gz version at the moment. If I > come across anything unusual when I do the final move tomorrow AM > (gmt) i'll let you know. > sorry to be naive, but I can't seem to figure out where the rc.Mailscanner file resides, or can be obtained. Can you point me in the right direction? This doesn't seem to be updated info: 6. Download /opt/MailScanner/bin/rc.MailScanner Fetch the file from http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/freebsd/rc.MailScanner chmod a=rx /opt/MailScanner/bin/rc.MailScanner I got this out of INSTALL.FreeBSD -- -------------------------------------------- Hiram Gibbard Florida State University Computer Support Department of Chemistry Phone: 850.644.3004 Fax: 850.644.8281 URL: http://www.chem.fsu.edu/~gibbard -------------------------------------------- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From brent.addis at spit.gen.nz Tue Dec 9 20:19:20 2008 From: brent.addis at spit.gen.nz (Brent Addis) Date: Tue Dec 9 20:19:34 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> Message-ID: <1228853960.7516.8.camel@baddis-laptop> On Tue, 2008-12-09 at 14:46 +0000, Martin Hepworth wrote: > 2008/12/9 Kai Schaetzl : > > Simon.walter@hp-factory.de wrote on Tue, 9 Dec 2008 11:58:03 -0000 (UTC): > > > >> Funny how everybody focuses on this little, unimportant, technical problem > >> but ignores the real cause of my mail. > > > > The trend-updater problem has already been fixed in recent MS. I assume the > > other scripts will get fixed one by one over time if there really is a need. > > > > BTW, there was one sentence in your original quotes I absolutely agree with: > > > >> In the current state the package should not be part of > >> the lenny release. > > > > looking at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353 the > > MailScanner version in debian-stable is 4.55.10. That should indeed not be > > used anymore. If I understand this correctly the stable version is what > > comes with the current Debian 4.0? > > > > > > Kai > > > > -- > > Kai Schätzl, Berlin, Germany > > > Well yeah this is a general problem with debian - esp for 'unstable' > (or rapidly updated) stuff like MailScanner, the long release cycles > give problems. > > > -- > Martin Hepworth > Oxford, UK Why doesn't someone create a deb for release with debian-volatile then? This generally takes care of constantly updating packages like clam, MailScanner should be there too.
We run debian-volatile anywhere need stuff up to date (Such as mailservers). It works very well. - Brent From ssilva at sgvwater.com Tue Dec 9 21:19:29 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Dec 9 21:25:19 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <1228853960.7516.8.camel@baddis-laptop> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> Message-ID: > > Why doesn't someone create a deb for release with debian-volatile then? > > This generally takes care of constantly updating packages like clam, > MailScanner should be there too. > > We run debian-volatile anywhere need stuff up to date (Such as > mailservers). It works very well. > > > - Brent > Volunteering? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From brent.addis at spit.gen.nz Tue Dec 9 21:44:19 2008 From: brent.addis at spit.gen.nz (Brent Addis) Date: Tue Dec 9 21:44:35 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> Message-ID: <1228859059.21644.9.camel@baddis-laptop> I used to build them, but time got taken away from me (I have a family now) I can look into it if there's enough interest? On Tue, 2008-12-09 at 13:19 -0800, Scott Silva wrote: > > > > > Why doesn't someone create a deb for release with debian-volatile then? > > > > This generally takes care of constantly updating packages like clam, > > MailScanner should be there too. > > > > We run debian-volatile anywhere need stuff up to date (Such as > > mailservers). It works very well. > > > > > > - Brent > > > Volunteering? > > > From lists at designmedia.com Tue Dec 9 21:47:30 2008 From: lists at designmedia.com (Henry Kwan) Date: Tue Dec 9 21:47:56 2008 Subject: Mailscanner, CentOS 5, and updating perl. Message-ID: Hi. Noticed that the perl on my CentOS/Mailscanner box is a bit stale. Tried to yum update it but got a bunch of errors. Googled and found an old message from Julian saying to "rpm -e" the offending perl rpms, update perl, and then reinstall Mailscanner.
I did so on a test box but noticed that during the re-install, there were a bunch of errors saying that the version of the perl rpm being installed conflicted with the updated perl rpm already installed ("...conflicts with file from package perl-5.8.8-15.el5_2.1"). Also, there looked like a fairly serious error with Compress-Zlib failing to compile. When I went to start Mailscanner, this is what I got:

---snip---
MailScanner: is only avaliable with the XS version at /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9.
Compilation failed in require at /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 11.
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 11.
Compilation failed in require at /usr/lib/MailScanner/MailScanner/Message.pm line 48.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 48.
Compilation failed in require at /usr/sbin/MailScanner line 82.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 82.
---snip---

I checked and it looked like there was a later version of Compress-Zlib already installed on the system. I removed that rpm and restarted the install script. Now Mailscanner starts without errors and linting shows no problems. So I guess my question is that if Mailscanner starts/lints without errors, should I be concerned about the error messages during the install? Thanks.

From Jeff.Mills at versacold.com.au Tue Dec 9 21:59:22 2008 From: Jeff.Mills at versacold.com.au (Jeff Mills) Date: Tue Dec 9 21:59:35 2008 Subject: How does mailscanner handle spanned archives? Message-ID: Is MailScanner able to handle spanned archives?
I've got a client who has had an attachment removed with the message: "Message contained archive nested too deeply" The subject of the email is this: Subject: {Dangerous Content?} National Team Update Conference Call Email 1 of 3 The subject makes me think that perhaps a spanned zip has been used, but does MailScanner blanket reject spanned zips, or can it handle them okay? I guess it is not able to check the contents of spanned zips because it doesn't have all the parts at the same time, but is this the message we would see? My archive depth setting was 2. I have changed this to 3, just in case they had zips inside zips. From astephens at ptera.net Tue Dec 9 22:08:38 2008 From: astephens at ptera.net (Arthur Stephens) Date: Tue Dec 9 22:09:23 2008 Subject: Emails on HOLD not processed and delivered AKA Egg on my face! Message-ID: <493EEC66.6010400@ptera.net> It turns out to be my fault. MailScanner was dutifully doing exactly what he was told to do. SPAM ACTIONS = delete header "X-Spam-Status: Yes" That is why they disappeared after being put on hold. I post this in hopes some other newbie doesn't end up with the same problem. Now I just need to fine tune my spam assassin settings. -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." 
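The mistake described in the message above (a `delete` among the spam actions discarding mail that Postfix had put on hold) can be caught by auditing the configuration before it goes live. This is an added example, not part of the original post and not MailScanner code; the list of action keywords, the case- and space-insensitive matching of option names, and the rule that mail only reaches its recipient when `deliver` is listed are assumptions, and the sample configuration is constructed apart from the one setting quoted above.

```python
import re
import shlex

# Settings audited. Assumption: MailScanner matches option names ignoring case and
# spacing, so "SPAM ACTIONS" and "Spam Actions" name the same setting.
AUDITED = {
    "spamactions": "Spam Actions",
    "highscoringspamactions": "High Scoring Spam Actions",
    "nonspamactions": "Non Spam Actions",
}
# Action keywords as recalled from the comments of a stock MailScanner.conf (assumption).
TAKES_ARG = {"forward", "header"}
NO_ARG = {"deliver", "delete", "store", "bounce", "striphtml", "attachment", "notify"}


def parse_actions(value):
    """Split an actions value into (keyword, argument-or-None) pairs."""
    tokens = shlex.split(value)  # keeps header "Name: value" together as one token
    actions, i = [], 0
    while i < len(tokens):
        word = tokens[i].lower()
        if word in TAKES_ARG:
            arg = tokens[i + 1] if i + 1 < len(tokens) else None
            actions.append((word, arg))
            i += 2
        else:
            actions.append((word, None))
            i += 1
    return actions


def judge(actions):
    """Decide what happens to a message handled with this list of actions."""
    words = [w for w, _ in actions]
    result = {
        "unknown": [w for w in words if w not in TAKES_ARG | NO_ARG],
        "copies": [f"{w} {a}" if a else w for w, a in actions if w in ("store", "forward")],
        "ineffective": [],
    }
    if "delete" in words:
        # Assumption, matching the report above: delete wins and the other
        # actions listed next to it have no visible effect.
        result["verdict"] = "deleted"
        result["ineffective"] = [w for w in words if w != "delete"]
        result["copies"] = []
    elif "deliver" in words:
        result["verdict"] = "delivered"
    else:
        # Assumption: without "deliver" the original recipient receives nothing.
        result["verdict"] = "not-delivered"
    return result


def audit_conf(text):
    """Return one finding per audited setting found in MailScanner.conf text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        option = AUDITED.get(re.sub(r"\s+", "", key).lower())
        if option is None:
            continue
        finding = {"option": option, "line": lineno, "value": value}
        if value.startswith(("%", "/")):
            finding["verdict"] = "ruleset"  # per-address rules live in another file
        else:
            try:
                finding.update(judge(parse_actions(value)))
            except ValueError:  # unbalanced quotes in a header action
                finding["verdict"] = "unparsable"
        findings.append(finding)
    return findings


# Constructed sample. Only the first setting is taken from the message above.
SAMPLE_CONF = '''\
# constructed MailScanner.conf fragment
SPAM ACTIONS = delete header "X-Spam-Status: Yes"
High Scoring Spam Actions = forward spamtrap@example.com
Non Spam Actions = deliver header "X-Spam-Status: No"
'''

if __name__ == "__main__":
    for f in audit_conf(SAMPLE_CONF):
        note = ""
        if f["verdict"] == "deleted":
            note = f" (no effect: {', '.join(f['ineffective']) or 'none'})"
        elif f["verdict"] == "not-delivered":
            note = f" (copies kept: {', '.join(f['copies']) or 'NONE'})"
        print(f"line {f['line']}: {f['option']}: {f['verdict']}{note}")
```

A `ruleset` verdict means the setting points at a rules file, which this sketch does not open; each rule line in that file would need the same check.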
From simon.walter at hp-factory.de Tue Dec 9 22:14:00 2008 From: simon.walter at hp-factory.de (simon.walter@hp-factory.de) Date: Tue Dec 9 22:10:14 2008 Subject: MailScanner in debian-volatile In-Reply-To: <1228859059.21644.9.camel@baddis-laptop> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <1228859059.21644.9.camel@baddis-laptop> Message-ID: <45845.92.75.113.89.1228860840.squirrel@mail.lksoft.com> Hello, >> > Why doesn't someone create a deb for release with debian-volatile >> then? Because I didn't have enough time to do it yet ... I took over the debian package when I was working in a job where I was involved with MailScanner nearly every day. I'm currently in a job where I develop a J2EE Application, so not much time left for MailScanner. Here is the feature-request for volatile: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=313145 >> > This generally takes care of constantly updating packages like clam, >> > MailScanner should be there too. >> > >> > We run debian-volatile anywhere need stuff up to date (Such as >> > mailservers). It works very well. >> Volunteering? > I used to build them, but time got taken away from me (I have a family > now) I can look into it if there's enough interest? Would be great. -- Regards Simon From ssilva at sgvwater.com Tue Dec 9 22:13:26 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Dec 9 22:13:47 2008 Subject: Emails on HOLD not processed and delivered AKA Egg on my face! In-Reply-To: <493EEC66.6010400@ptera.net> References: <493EEC66.6010400@ptera.net> Message-ID: on 12-9-2008 2:08 PM Arthur Stephens spake the following: > It turns out to be my fault. > MailScanner was dutifully doing exactly what he was told to do. > > SPAM ACTIONS = delete header "X-Spam-Status: Yes" > > That is why they disappeared after being put on hold.
> > I post this in hopes some other newbie doesn't end up with the same > problem. > Now I just need to fine tune my spam assassin settings. > And adding a header to a deleted item is a waste also. But you caught that also I'm sure. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From alex at rtpty.com Tue Dec 9 22:20:17 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Dec 9 22:20:29 2008 Subject: How does mailscanner handle spanned archives? In-Reply-To: References: Message-ID: Nested too deeply means just that. Either a zip file more than 2 archives deep, or an Office 2007 file that gets understood as such. On Dec 9, 2008, at 4:59 PM, Jeff Mills wrote: > > Is MailScanner able to handle spanned archives? > > I've got a client who has had an attachment removed with the message: > "Message contained archive nested too deeply" > > The subject of the email is this: > Subject: {Dangerous Content?} National Team Update Conference Call > Email > 1 of 3 > > The subject makes me think that perhaps a spanned zip has been used, > but > does MailScanner blanket reject spanned zips, or can it handle them > okay? > I guess it is not able to check the contents of spanned zips because > it > doesn't have all the parts at the same time, but is this the message > we > would see? > > My archive depth setting was 2. I have changed this to 3, just in case > they had zips inside zips.
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From lists at designmedia.com Tue Dec 9 22:52:02 2008 From: lists at designmedia.com (Henry Kwan) Date: Tue Dec 9 22:52:20 2008 Subject: Mailscanner, CentOS 5, and updating perl. References: Message-ID: Henry Kwan designmedia.com> writes: > Also, there looked like a fairly serious > error with Compress-Zlib failing to compile. When I went to start > Mailscanner, this is what I got: > > ---snip--- > MailScanner: is only avaliable with the XS version at > /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9 > BEGIN failed--compilation aborted at > /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9. > Compilation failed in require at > /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 11. > BEGIN failed--compilation aborted at > /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 11. > Compilation failed in require at > /usr/lib/MailScanner/MailScanner/Message.pm line 48. > BEGIN failed--compilation aborted at > /usr/lib/MailScanner/MailScanner/Message.pm line 48. > Compilation failed in require at /usr/sbin/MailScanner line 82. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 82. > ---snip--- > So the offending rpm was this one that yum update wants me to install: perl-Compress-Zlib.i386 1.42-1.fc6 base If I go ahead and install it, the same error as above always pops up when I go to start Mailscanner. So I guess I should just ignore it? Perhaps mark all perl rpms as "skip" for yum update? Is that what I'm suppose to do? Thanks. 
From nwp at nz.lemon-computing.com Tue Dec 9 22:57:54 2008 From: nwp at nz.lemon-computing.com (Nick Phillips) Date: Tue Dec 9 22:58:07 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> Message-ID: <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> On 10/12/2008, at 10:19 AM, Scott Silva wrote: > >> >> Why doesn't someone create a deb for release with debian-volatile >> then? >> >> This generally takes care of constantly updating packages like clam, >> MailScanner should be there too. >> >> We run debian-volatile anywhere need stuff up to date (Such as >> mailservers). It works very well. >> >> >> - Brent >> > Volunteering? FWIW, I'm still planning on doing this, but I need to get my own debian infrastructure sorted in order to do it. This has been stalled on waiting for me getting an autobuilder running, which is far uglier than it should be. Cheers, Nick From astephens at ptera.net Tue Dec 9 23:05:33 2008 From: astephens at ptera.net (Arthur Stephens) Date: Tue Dec 9 23:06:18 2008 Subject: Emails on HOLD not processed and delivered AKA Egg on my face! In-Reply-To: References: <493EEC66.6010400@ptera.net> Message-ID: <493EF9BD.6010004@ptera.net> Scott Silva wrote: > on 12-9-2008 2:08 PM Arthur Stephens spake the following: > >> It turns out to be my fault. >> MailScanner was dutifully doing exactly what he was told to do. >> >> SPAM ACTIONS = delete header "X-Spam-Status: Yes" >> >> That is why they disappeared after being put on hold. >> >> I post this in hopes some other newbie doesn't end up with the same >> problem. >> Now I just need to fine tune my spam assassin settings. 
>> >> > And adding a header to a deleted item is a waste also. But you caught that > also I'm sure. > > Yes but here is what I would really like to do. Forward it and then delete it. Seems I can only get the delete part to work. Tried it as rule forward test@ptera.net delete and as a rule file FromOrTo: default forward test@ptera.net FromOrTo: default delete But all this has done is delete the message. Any help? -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support From alex at rtpty.com Tue Dec 9 23:15:43 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Dec 9 23:15:56 2008 Subject: Emails on HOLD not processed and delivered AKA Egg on my face! In-Reply-To: <493EF9BD.6010004@ptera.net> References: <493EEC66.6010400@ptera.net> <493EF9BD.6010004@ptera.net> Message-ID: Just forward it. Since you're not saying "deliver", it won't be delivered. Just forwarded. Just like when you "delete" you "delete", *not* deliver *nor* forward. On Dec 9, 2008, at 6:05 PM, Arthur Stephens wrote: > Scott Silva wrote: >> >> on 12-9-2008 2:08 PM Arthur Stephens spake the following: >> >>> It turns out to be my fault. >>> MailScanner was dutifully doing exactly what he was told to do.
>>>
>>> SPAM ACTIONS = delete header "X-Spam-Status: Yes"
>>>
>>> That is why they disappeared after being put on hold.
>>>
>>> I post this in hopes some other newbie doesn't end up with the same
>>> problem.
>>> Now I just need to fine tune my spam assassin settings.
>>>
>>>
>> And adding a header to a deleted item is a waste also. But you
>> caught that
>> also I'm sure.
>>
>>
> Yes but here is what I would really like to do.
> Forward it and then delete it. Seems I can only get the delete part
> to work.
>
> Tried it as rule
> forward test@ptera.net delete
>
> and as a rule file
> FromOrTo: default forward test@ptera.net
> FromOrTo: default delete
>
> But all this has done is delete the message.
> Any help?

From astephens at ptera.net Tue Dec 9 23:19:46 2008
From: astephens at ptera.net (Arthur Stephens)
Date: Tue Dec 9 23:20:30 2008
Subject: Emails on HOLD not processed and delivered AKA Egg on my face!
In-Reply-To:
References: <493EEC66.6010400@ptera.net> <493EF9BD.6010004@ptera.net>
Message-ID: <493EFD12.90007@ptera.net>

That is what I was guessing... maybe my brain has egg on it too.
Thanks
Arthur

Alex Neuman van der Hans wrote:
> Just forward it. Since you're not saying "deliver", it won't be
> delivered. Just forwarded.
>
> Just like when you "delete" you "delete", *not* deliver *nor* forward.
>
> On Dec 9, 2008, at 6:05 PM, Arthur Stephens wrote:
>
>> Scott Silva wrote:
>>>
>>> on 12-9-2008 2:08 PM Arthur Stephens spake the following:
>>>
>>>> It turns out to be my fault.
>>>> MailScanner was dutifully doing exactly what he was told to do.
>>>>
>>>> SPAM ACTIONS = delete header "X-Spam-Status: Yes"
>>>>
>>>> That is why they disappeared after being put on hold.
>>>>
>>>> I post this in hopes some other newbie doesn't end up with the same
>>>> problem.
>>>> Now I just need to fine tune my spam assassin settings.
>>>>
>>>>
>>> And adding a header to a deleted item is a waste also. But you
>>> caught that
>>> also I'm sure.
>>>
>>>
>> Yes but here is what I would really like to do.
>> Forward it and then delete it. Seems I can only get the delete part
>> to work.
>>
>> Tried it as rule
>> forward test@ptera.net delete
>>
>> and as a rule file
>> FromOrTo: default forward test@ptera.net
>> FromOrTo: default delete
>>
>> But all this has done is delete the message.
>> Any help?

From ssilva at sgvwater.com Tue Dec 9 23:27:54 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 9 23:28:13 2008
Subject: Emails on HOLD not processed and delivered AKA Egg on my face!
In-Reply-To: <493EFD12.90007@ptera.net>
References: <493EEC66.6010400@ptera.net> <493EF9BD.6010004@ptera.net> <493EFD12.90007@ptera.net>
Message-ID:

on 12-9-2008 3:19 PM Arthur Stephens spake the following:
> That is what I was guessing... maybe my brain has egg on it too.
>
I'll have mine scrambled! ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From astephens at ptera.net Tue Dec 9 23:32:16 2008
From: astephens at ptera.net (Arthur Stephens)
Date: Tue Dec 9 23:33:01 2008
Subject: Emails on HOLD not processed and delivered AKA Egg on my face!
In-Reply-To:
References: <493EEC66.6010400@ptera.net> <493EF9BD.6010004@ptera.net> <493EFD12.90007@ptera.net>
Message-ID: <493F0000.10202@ptera.net>

Scott Silva wrote:
> on 12-9-2008 3:19 PM Arthur Stephens spake the following:
>
>> That is what I was guessing... maybe my brain has egg on it too.
>>
>>
> I'll have mine scrambled! ;-P
>
>
>
Your Brains?!?
No seriously I now have SPAM ACTIONS set to: forward test@ptera.net
but nothing shows up there.

Dec 9 14:56:52 mailgate MailScanner[9672]: Spam Checks: Found 1 spam messages
Dec 9 14:56:52 mailgate MailScanner[9672]: Spam Actions: message 1A6216FB1A6.B93CB actions are test@ptera.net,forward

Arthur

From ssilva at sgvwater.com Wed Dec 10 00:09:45 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec 10 00:10:11 2008
Subject: Emails on HOLD not processed and delivered AKA Egg on my face!
In-Reply-To: <493F0000.10202@ptera.net>
References: <493EEC66.6010400@ptera.net> <493EF9BD.6010004@ptera.net> <493EFD12.90007@ptera.net> <493F0000.10202@ptera.net>
Message-ID:

on 12-9-2008 3:32 PM Arthur Stephens spake the following:
> Scott Silva wrote:
>> on 12-9-2008 3:19 PM Arthur Stephens spake the following:
>>
>>> That is what I was guessing... maybe my brain has egg on it too.
>>>
>>>
>> I'll have mine scrambled! ;-P
>>
>>
>>
> Your Brains?!? No seriously I now have SPAM ACTIONS set to: forward
> test@ptera.net
> but nothing shows up there.
>
> Dec 9 14:56:52 mailgate MailScanner[9672]: Spam Checks: Found 1 spam
> messages
> Dec 9 14:56:52 mailgate MailScanner[9672]: Spam Actions: message
> 1A6216FB1A6.B93CB actions are test@ptera.net,forward
>
> Arthur

According to the docs, that should work
http://www.mailscanner.info/MailScanner.conf.index.html#Spam%20Actions

From maillists at conactive.com Wed Dec 10 00:31:15 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 10 00:31:28 2008
Subject: Increased load
In-Reply-To:
References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> <492C7BAD.5090708@vanderkooij.org> <3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> <3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com> <7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za> <72cf361e0812090038u1d2f67fcw952702323dfdb000@mail.gmail.com>
Message-ID:

Scott Silva wrote on Tue, 09 Dec 2008 08:52:18 -0800:

> It is a minor change to run clamd. You can get clamd running and make all the
> config changes first. Then you only have to change the line "virus scanners ="
> in mailscanner.conf to get it using clamd. That way you can test clamd, and
> set up whatever monitoring you want to do to make sure it stays running before
> you depend on the daemon to catch the nasties.

Shouldn't it be possible on an older MailScanner version that doesn't know clamd to make use of clamd by using clamdscan in clamavwrapper?
e.g.
ClamScan=$1/bin/clamdscan

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From alex at rtpty.com Wed Dec 10 03:20:58 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Dec 10 03:21:11 2008
Subject: Emails on HOLD not processed and delivered AKA Egg on my face!
In-Reply-To: <493F0000.10202@ptera.net>
References: <493EEC66.6010400@ptera.net> <493EF9BD.6010004@ptera.net> <493EFD12.90007@ptera.net> <493F0000.10202@ptera.net>
Message-ID: <5A42CBEC-2409-4458-BB74-E824B7BA4224@rtpty.com>

You can tell from the logs that you're writing it wrong. The problem is you're only saying you have it correctly there but you're not giving us the EXACT way you set it up.

On Dec 9, 2008, at 6:32 PM, Arthur Stephens wrote:

> Your Brains?!? No seriously I now have SPAM ACTIONS set to: forward test@ptera.net
> but nothing shows up there.
>
> Dec 9 14:56:52 mailgate MailScanner[9672]: Spam Checks: Found 1
> spam messages
> Dec 9 14:56:52 mailgate MailScanner[9672]: Spam Actions: message
> 1A6216FB1A6.B93CB actions are test@ptera.net,forward
>
> Arthur
>

From rvdmerwe at mhg.co.za Wed Dec 10 06:58:29 2008
From: rvdmerwe at mhg.co.za (Rabie Van der Merwe)
Date: Wed Dec 10 06:58:52 2008
Subject: Increased load
In-Reply-To:
References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com><492C7BAD.5090708@vanderkooij.org><3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com><223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com><3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com><7109f116-c5c4-11dd-91f2-0004e2e@rocketseed.mhg.co.za><72cf361e0812090038u1d2f67fcw952702323dfdb000@mail.gmail.com>
Message-ID: <18622962-c686-11dd-84c1-0004e2e@rocketseed.mhg.co.za>

Yip that seems to have done the trick, regardless of the fact that my lavg has come down drastically, the memory footprint has come down radically as well, down from around 200Mb per MailScanner instance to 80Mb per instance.

Another question on clamd then:
I'm running postfix so MailScanner is running as user postfix, why do I need to set the 'Incoming Work Group' to clamav if I feed clamd the data via a unix socket? I assume also that if clamd was running on another box this setting should not apply even if using external unpackers? Where do you set external unpackers in clamd?

Regards
Rabie

From maxsec at gmail.com Wed Dec 10 08:35:09 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Dec 10 08:35:20 2008
Subject: WARNINGS Ignoring deprecated option freebsd
In-Reply-To: <493EC04E.7030905@chem.fsu.edu>
References: <493E9DC5.60406@chem.fsu.edu> <72cf361e0812090845o4ff76039v8e7ca6ded3b48550@mail.gmail.com> <493EC04E.7030905@chem.fsu.edu>
Message-ID: <72cf361e0812100035i252d8221q13e5853f677b230b@mail.gmail.com>

2008/12/9 Hiram Gibbard :
>
>
> Martin Hepworth wrote:
>>
>> 2008/12/9 Hiram Gibbard :
>>>
>>> WHAT I AM USING FOR MAIL:
>>> CPU speed -> Dual 2.5 XEONs
>>> Memory -> 8GB
>>> Operating System -> FreeBSD 7.0
>>>
>>> pkg_info REPORTS:
>>> MailScanner-4.67.6_3
>>> clamav-0.94.2
>>> postfix-2.4.7,1
>>>
>>> I installed from ports, which is what the mailscanner.info site
>>> recommends.
>>> Of course it's not the latest version of mailscanner. Should I use the
>>> downloadable tar version instead? I didn't have this problem using
>>> Mailscanner 4.61.7 and clamav 94.1.
>>>
>>>
>>> CURRENT mailscanner.conf settings
>>> #
>>> # Incoming Work Dir Settings
>>> # --------------------------
>>> #
>>> # You should not normally need to touch these settings at all,
>>> # unless you are using ClamAV and need to be able to use the
>>> # external archive unpackers instead of ClamAV's built-in ones.
>>>
>>> # If you want to create the temporary working files so they are owned
>>> # by a user other than the "Run As User" setting at the top of this file,
>>> # you can change that here.
>>> #
>>> # Note: If the "Run As User" is not "root" you cannot change the
>>> # user but may still be able to change the group, if the
>>> # "Run As User" is a member of both of the groups "Run As Group"
>>> # and "Incoming Work Group"
>>> # Note: If the "Run As User" is "root" (or not set at all) and you are
>>> # using the "clamd" virus scanner AND clamd is not running as root,
>>> # then this must be set to the group clamd is using (from your
>>> # clamd.conf), example:
>>> # Incoming Work Group = clamav
>>> # Incoming Work Permissions = 0640
>>> Incoming Work User = root
>>> Incoming Work Group = root
>>>
>>> I tried this with group mail too.
>>>
>>>
>>>
>>> PROBLEM THAT I WANT TO RESOLVE:
>>>
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unzip
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --jar
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --tar
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --tgz
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --deb
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unrar
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --arj
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --lha
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unzoo
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --max-ratio
>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated option --unrar
>>> Dec 9 11:48:03 mail MailScanner[754]: MailScanner E-Mail Virus Scanner
>>> version 4.67.6 starting...
>>>
>>>
>>> I realize this was a topic before, but I have one question. Even though
>>> Mailscanner.info states to install by ports, should I still get the
>>> latest version from the site and install that one instead?
>>>
>>> Thanks in advance.
>>> --
>>> --------------------------------------------
>>> Hiram Gibbard
>>> Florida State University
>>> Computer Support
>>>
>>> Department of Chemistry
>>> Phone: 850.644.3004
>>> Fax: 850.644.8281
>>> URL: http://www.chem.fsu.edu/~gibbard
>>> --------------------------------------------
>>>
>>
>>
>> This is because you need the latest mailscanner version to be
>> compatible with clamav 0.94. So yes the tar.gz will be needed as the
>> port maintainer hasn't the time to upgrade the port at the moment (I
>> asked him off list a couple of weeks ago).
>>
>> I'm doing the move from ports to tar.gz version at the moment. If I
>> come across anything unusual when I do the final move tomorrow AM
>> (gmt) I'll let you know.
>>
>
> sorry to be naive, but I can't seem to figure out where the rc.Mailscanner
> file resides, or can be obtained. Can you point me in the right direction?
> This doesn't seem to be updated info:
> 6. Download /opt/MailScanner/bin/rc.MailScanner
>
> Fetch the file from
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/freebsd/rc.MailScanner
> chmod a=rx /opt/MailScanner/bin/rc.MailScanner
> I got this out of INSTALL.FreeBSD
>

Not sure which instructions you're following but I concur that this file no longer exists. I've just copied the ports one and modified it to point at the new locations.

--
Martin Hepworth
Oxford, UK

From mailwatch.kp at gmail.com Wed Dec 10 09:33:02 2008
From: mailwatch.kp at gmail.com (vinayan KP)
Date: Wed Dec 10 09:33:12 2008
Subject: Spam assassin timeouts
In-Reply-To: <1228739966.12079.75.camel@darkstar.netcore.co.in>
References: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com> <1228739966.12079.75.camel@darkstar.netcore.co.in>
Message-ID: <6a7195cc0812100133s3334cdb5kf70f64406b1d4e7b@mail.gmail.com>

Dear Ram,

Thank you very much for your mail. I learned linux just recently I am not an expert. I normally used to try things whenever I get time but now I hardly have any time these days to sit and feel don't have enough knowledge to fix this problem. A third party installed and configured mailscanner for us couple of years back but that company does not exist anymore. Hope you would be able to help me out.

The following are the size of bayes file. Are these alright? The bayes_seen file is too large but it was like this for a long time and was working alright.

-rw------- 1 root root 9.4K Dec 10 14:29 bayes_journal
-rw-rw-rw- 1 root root 5.7K Dec 10 14:29 bayes.mutex
-rw------- 1 root root 167M Dec 10 14:26 bayes_seen
-rw------- 1 root root 9.7M Dec 10 14:28 bayes_toks
-rw------- 1 root root 12K Dec 9 10:35 bayes_toks.expire10686
-rw------- 1 root root 12K Dec 10 00:12 bayes_toks.expire11495
-rw------- 1 root root 12K Dec 8 19:22 bayes_toks.expire11824
-rw------- 1 root root 12K Dec 8 20:40 bayes_toks.expire13768
-rw------- 1 root root 12K Dec 10 07:48 bayes_toks.expire28490
-rw------- 1 root root 12K Dec 7 21:22 bayes_toks.expire31832
-rw------- 1 root root 0 Dec 2 04:04 __db.bayes_toks.expire12682
-rw------- 1 root root 12K Nov 27 18:58 __db.bayes_toks.expire14247
-rw------- 1 root root 12K Sep 6 06:22 __db.bayes_toks.expire15605
-rw------- 1 root root 12K Nov 14 14:38 __db.bayes_toks.expire15684
-rw------- 1 root root 4.0K Sep 2 07:48 __db.bayes_toks.expire1745
-rw------- 1 root root 12K Dec 2 08:39 __db.bayes_toks.expire20880
-rw------- 1 root root 12K Dec 6 00:18 __db.bayes_toks.expire23304
-rw------- 1 root root 0 Dec 4 16:39 __db.bayes_toks.expire23851
-rw------- 1 root root 0 Oct 26 19:52 __db.bayes_toks.expire24361
-rw------- 1 root root 0 Sep 2 04:52 __db.bayes_toks.expire29096
-rw------- 1 root root 12K Nov 11 17:37 __db.bayes_toks.expire30758
-rw------- 1 root root 12K Oct 23 18:31 __db.bayes_toks.expire31745
-rw------- 1 root root 4.0K Dec 9 05:28 __db.bayes_toks.expire32018
-rw------- 1 root root 0 Nov 21 04:07 __db.bayes_toks.expire32087
-rw------- 1 root root 12K Dec 5 15:17 __db.bayes_toks.expire3656
-rw------- 1 root root 0 Dec 4 05:45 __db.bayes_toks.expire5747
-rw------- 1 root root 12K Oct 22 16:03 __db.bayes_toks.expire7440
-rw------- 1 root root 12K Nov 26 16:21 __db.bayes_toks.expire7458
-rw------- 1 root root 0 Sep 18 00:39 __db.bayes_toks.expire9575
-rw-r--r-- 1 root root 1.5K Dec 8 13:23 user_prefs

Today I found that not all messages are getting through without scanning but a majority of them
are getting delivered without getting scanned. Those mails which are getting checked are properly tagged as spam if they are actually spam, but a lot of spam mails get through, those apparently are not scanned, as genuine mails though they are actually spam.

As you said this is the output of

# spamassassin -D -t < /path/somemail.eml 2>&1 | tee /tmp/sa_timeout.log
dbg: uri: parsed uri found, http://www.mailscanner.info/ [13354] dbg: uri: cleaned parsed uri, http://www.mailscanner.info/ [13354] dbg: uri: parsed domain, mailscanner.info [13354] dbg: uridnsbl: domain mailscanner.info in skip list [13354] dbg: uridnsbl: domains to query: cdelinux.org econdse.org pufigfeb.com [13354] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-notfirsthop [13354] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted [13354] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl [13354] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted [13354] dbg: dns: checking RBL combined.njabl.org., set njabl-notfirsthop [13354] dbg: dns: checking RBL combined.njabl.org., set njabl [13354] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois [13354] dbg: dns: checking RBL list.dsbl.org., set dsbl-notfirsthop [13354] dbg: dns: checking RBL bl.spamcop.net., set spamcop [13354] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted [13354] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-notfirsthop [13354] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-notfirsthop [13354] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs [13354] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted [13354] dbg: check: running tests for priority: 0 [13354] dbg: rules: running header regexp tests; score so far=0 [13354] dbg: plugin: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9f696f4)) [13354] dbg: plugin: registering glue method for check_for_spf_helo_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ee5000)) [13354] dbg: spf: message was delivered entirely via trusted relays, not required [13354] dbg: eval: all '*From' addrs: [13354] dbg: plugin: registering glue method for check_subject_in_blacklist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa1efc20)) [13354] dbg: plugin: 
registering glue method for check_hashcash_value (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9f696f4)) [13354] dbg: eval: all '*To' addrs: [13354] dbg: plugin: registering glue method for check_for_spf_neutral (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ee5000)) [13354] dbg: spf: message was delivered entirely via trusted relays, not required [13354] dbg: plugin: registering glue method for check_for_spf_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ee5000)) [13354] dbg: rules: ran eval rule NO_RELAYS ======> got hit [13354] dbg: plugin: registering glue method for check_for_spf_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ee5000)) [13354] dbg: plugin: registering glue method for check_for_spf_helo_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ee5000)) [13354] dbg: rules: ran eval rule __ENV_AND_HDR_FROM_MATCH ======> got hit [13354] dbg: plugin: registering glue method for check_for_def_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ee5000)) [13354] dbg: spf: cannot get Envelope-From, cannot use SPF [13354] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [13354] dbg: plugin: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ee5000)) [13354] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [13354] dbg: plugin: registering glue method for check_subject_in_whitelist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa1efc20)) [13354] dbg: plugin: registering glue method for check_for_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ee5000)) [13354] dbg: spf: spf_whitelist_from: could not find useable envelope sender [13354] dbg: rules: running body-text per-line regexp tests; score so far=-0.001 [13354] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "-" [13354] dbg: rules: ran body rule REPLICA_WATCH ======> got hit: "Replica=20=0A= Rolex" [13354] dbg: uri: running uri tests; score so far=2.899 [13354] dbg: rules: ran uri rule INFO_TLD ======> got 
hit: ".info/" [13354] dbg: bayes: opportunistic call attempt skipped, found fresh running expire magic token [13354] dbg: bayes: corpus size: nspam = 350493, nham = 175182 [13354] dbg: bayes: score = 9.71445146547012e-15 [13354] dbg: bayes: opportunistic call attempt skipped, found fresh running expire magic token [13354] dbg: config: using "/root/.spamassassin" for user state dir [13354] dbg: bayes: untie-ing [13354] dbg: bayes: untie-ing db_toks [13354] dbg: bayes: untie-ing db_seen [13354] dbg: plugin: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9f899b4)) [13354] dbg: rules: ran eval rule BAYES_00 ======> got hit [13354] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.573 [13354] dbg: rules: running full-text regexp tests; score so far=1.573 [13354] dbg: plugin: registering glue method for check_pyzor (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x9f9d9bc)) [13354] dbg: pyzor: pyzor is not available: no pyzor executable found [13354] dbg: pyzor: no pyzor found, disabling Pyzor [13354] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9f4abd8) implements 'check_tick' [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: query for cdelinux.org took 33 seconds to look up (multi.surbl.org.:cdelinux.org) [13354] dbg: uridnsbl: queries completed: 1 started: 0 [13354] dbg: uridnsbl: queries active: DNSBL=2 NS=3 at Wed Dec 10 14:40:26 2008 [13354] dbg: check: running tests for priority: 500 [13354] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9f4abd8) implements 'check_post_dnsbl' [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: queries completed: 1 started: 1 [13354] dbg: uridnsbl: queries active: DNSBL=2 NS=2 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: waiting 2 seconds for URIDNSBL lookups to complete [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: queries completed: 1 started: 2 [13354] dbg: uridnsbl: queries 
active: A=1 DNSBL=2 NS=1 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_AB_SURBL): 127.0.0.118 [13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_WS_SURBL): 127.0.0.118 [13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_JP_SURBL): 127.0.0.118 [13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_OB_SURBL): 127.0.0.118 [13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_SC_SURBL): 127.0.0.118 [13354] dbg: uridnsbl: query for pufigfeb.com took 33 seconds to look up (multi.surbl.org.:pufigfeb.com) [13354] dbg: uridnsbl: queries completed: 1 started: 0 [13354] dbg: uridnsbl: queries active: A=3 DNSBL=1 NS=1 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: queries completed: 1 started: 2 [13354] dbg: uridnsbl: queries active: A=3 DNSBL=1 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: query for econdse.org took 33 seconds to look up (multi.surbl.org.:econdse.org) [13354] dbg: uridnsbl: queries completed: 1 started: 0 [13354] dbg: uridnsbl: queries active: A=5 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: queries completed: 1 started: 2 [13354] dbg: uridnsbl: queries active: A=4 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: queries completed: 1 started: 1 [13354] dbg: uridnsbl: queries active: A=3 DNSBL=2 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: queries completed: 1 started: 1 [13354] dbg: uridnsbl: queries active: A=2 DNSBL=3 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: queries completed: 1 started: 1 [13354] dbg: uridnsbl: queries active: A=1 DNSBL=4 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready 
[13354] dbg: uridnsbl: queries completed: 1 started: 0 [13354] dbg: uridnsbl: queries active: DNSBL=5 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: query for cdelinux.org took 33 seconds to look up (sbl.spamhaus.org.:9.0.168.192) [13354] dbg: uridnsbl: queries completed: 1 started: 0 [13354] dbg: uridnsbl: queries active: DNSBL=4 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: query for cdelinux.org took 33 seconds to look up (sbl.spamhaus.org.:8.0.168.192) [13354] dbg: uridnsbl: queries completed: 1 started: 0 [13354] dbg: uridnsbl: queries active: DNSBL=3 at Wed Dec 10 14:40:26 2008 [13354] dbg: uridnsbl: select found 1 socks ready [13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_SBL): "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL69622" [13354] dbg: uridnsbl: query for pufigfeb.com took 35 seconds to look up (sbl.spamhaus.org.:2.96.176.94) [13354] dbg: uridnsbl: queries completed: 1 started: 0 [13354] dbg: uridnsbl: queries active: DNSBL=2 at Wed Dec 10 14:40:28 2008 [13354] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete [13354] dbg: uridnsbl: aborting remaining lookups [13354] dbg: rules: running meta tests; score so far=20.757 [13354] dbg: rules: running header regexp tests; score so far=22.703 [13354] dbg: rules: running body-text per-line regexp tests; score so far=22.703 [13354] dbg: uri: running uri tests; score so far=22.703 [13354] dbg: rules: running raw-body-text per-line regexp tests; score so far=22.703 [13354] dbg: rules: running full-text regexp tests; score so far=22.703 [13354] dbg: check: running tests for priority: 1000 [13354] dbg: rules: running meta tests; score so far=22.703 [13354] dbg: rules: running header regexp tests; score so far=22.703 [13354] dbg: plugin: registering glue method for check_from_in_auto_whitelist (Mail::SpamAssassin::Plugin::AWL=HASH(0xa0466f4)) [13354] dbg: rules: running body-text 
per-line regexp tests; score so far=22.703 [13354] dbg: uri: running uri tests; score so far=22.703 [13354] dbg: rules: running raw-body-text per-line regexp tests; score so far=22.703 [13354] dbg: rules: running full-text regexp tests; score so far=22.703 [13354] dbg: plugin: Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa1e4fe4) implements 'autolearn_discriminator' [13354] dbg: learn: auto-learn: currently using scoreset 3, recomputing score based on scoreset 1 [13354] dbg: learn: auto-learn: message score: 22.703, computed score for autolearn: 20.122 [13354] dbg: learn: auto-learn? ham=0.1, spam=12, body-points=18.643, head-points=0, learned-points=-2.599 [13354] dbg: learn: auto-learn? no: scored as spam but too few head points (0 < 3) [13354] dbg: check: is spam? score=22.703 required=5 [13354] dbg: check: tests=BAYES_00,INFO_TLD,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,REPLICA_WATCH,TO_CC_NONE,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL [13354] dbg: check: subtests=__ENV_AND_HDR_FROM_MATCH,__NONEMPTY_BODY,__UNUSABLE_MSGID X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on fedora.cdelinux.org X-Spam-Level: ********************** X-Spam-Status: Yes, score=22.7 required=5.0 tests=BAYES_00,INFO_TLD, MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,REPLICA_WATCH,TO_CC_NONE, URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL, URIBL_WS_SURBL autolearn=no version=3.1.0 X-Spam-Report: * -0.0 NO_RELAYS Informational: message was not relayed via SMTP * 2.9 REPLICA_WATCH BODY: Message talks about a replica watch * 1.3 INFO_TLD URI: Contains an URL in the INFO top-level domain * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% * [score: 0.0000] * 1.6 URIBL_SBL Contains an URL listed in the SBL blocklist * [URIs: pufigfeb.com] * 3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist * [URIs: pufigfeb.com] * 4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist 
* [URIs: pufigfeb.com] * 2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist * [URIs: pufigfeb.com] * 3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist * [URIs: pufigfeb.com] * 4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist * [URIs: pufigfeb.com] * 1.8 MISSING_SUBJECT Missing Subject: header * -0.0 NO_RECEIVED Informational: message has no Received headers * 0.1 TO_CC_NONE No To: or Cc: header This is a MIME-encapsulated message Subject: [SPAM] X-Spam-Prev-Subject: (nonexistent) --mBA0bKRY024855.1228869441/fedora.cdelinux.org The original message was received at Wed, 10 Dec 2008 05:53:29 +0530 from [123.4.212.104] ----- The following addresses had permanent fatal errors ----- (reason: 550 5.1.1 : Recipient address rejected: User unknown in local recipient table) ----- Transcript of session follows ----- ... while talking to mail.econdse.org.: >>> DATA <<< 550 5.1.1 : Recipient address rejected: User unknown in local recipient table 550 5.1.1 ... 
User unknown <<< 554 5.5.1 Error: no valid recipients --mBA0bKRY024855.1228869441/fedora.cdelinux.org Content-Type: message/delivery-status Reporting-MTA: dns; fedora.cdelinux.org Arrival-Date: Wed, 10 Dec 2008 05:53:29 +0530 Final-Recipient: RFC822; aftbrc@econdse.org Action: failed Status: 5.1.1 Remote-MTA: DNS; mail.econdse.org Diagnostic-Code: SMTP; 550 5.1.1 : Recipient address rejected: User unknown in local recipient table Last-Attempt-Date: Wed, 10 Dec 2008 06:07:21 +0530 --mBA0bKRY024855.1228869441/fedora.cdelinux.org Content-Type: message/rfc822 Return-Path: Received: from localhost ([123.4.212.104]) by fedora.cdelinux.org (8.13.4/8.13.4) with ESMTP id mBA0NSO1024395 for ; Wed, 10 Dec 2008 05:53:29 +0530 Message-ID: <1843019db925$3312bb48$61f0e2a9@ifg.com> From: "=?windows-1251?B?VGFnIEhldWVyIFdhdGNoZXM=?=" To: Subject: =?windows-1251?B?T2ZmaWNpbmUgUGFuZXJhaSBXYXRjaGVz?= Date: Wed, 10 Dec 3609 08:29:57 +0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=----=_NextPart_000_0023_A1_87FD81A6.4603DD82 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-yoursite-MailScanner-Information: Please contact the ISP for more information X-yoursite-MailScanner: Found to be clean X-yoursite-MailScanner-From: sivakumah@ifg.com X-Spam-Status: No This is a multi-part message in MIME format. 
------=_NextPart_000_0023_A1_87FD81A6.4603DD82 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable =0A= =0A= =0A= Replica=20=0A= Rolex models of the latest Baselworld 2009=20=0A= designs have just been launched on our replica sites.=20=0A= These are the first run of the=20=0A= 2009 models with inner Rolex inscriptions and better bands and cases.=20=0A= =0A= Only limited to 1000 pieces worldwide, they are expected to sell out within= a=20=0A= month.=20=0A= Browse our shop=0A= =0A= --=20=0A= This message has been scanned for viruses and=0A= dangerous content by MailScanner, and is=0A= believed to be clean.=0A= =0A= ------=_NextPart_000_0023_A1_87FD81A6.4603DD82 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable = =0A= =0A= =0A=

Replica=20=0A= Rolex models of the latest Baselworld= 2009=20=0A= designs have just been launched on our replica sites.

= =0A=

These are the first = run of the=20=0A= 2009 models with inner Rolex inscriptions and better bands and cases.
= =0A= Only limited to 1000 pieces worldwide, they are expected to sell out within= a=20=0A= month.

=0A=

Browse our shop

=0A=
--=20=0A=
This message has been scanned for viruses and=0A=
dangerous content by=0A= MailScanner, and is=0A=
believed to be clean.=0A=
=0A=
------=_NextPart_000_0023_A1_87FD81A6.4603DD82--

--------
--mBA0bKRY024855.1228869441/fedora.cdelinux.org--

Spam detection software, running on the system "fedora.cdelinux.org", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
y for details.

Content preview: The original message was received at Wed, 10 Dec 2008 05:53:29
  +0530 from [123.4.212.104] ----- The following addresses had permanent fatal
  errors ----- (reason: 550 5.1.1 : Recipient address rejected: User unknown
  in local recipient table) [...]

Content analysis details: (22.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 2.9 REPLICA_WATCH          BODY: Message talks about a replica watch
 1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: pufigfeb.com]
 3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: pufigfeb.com]
 4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: pufigfeb.com]
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: pufigfeb.com]
 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: pufigfeb.com]
 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: pufigfeb.com]
 1.8 MISSING_SUBJECT        Missing Subject: header
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.1 TO_CC_NONE             No To: or Cc: header

I took this when spam assassin was timing out. Any idea what's happening?
Looking forward to your valuable suggestion.
Thanks in advance
Vinu

On Mon, Dec 8, 2008 at 6:09 PM, ram wrote:
> On Mon, 2008-12-08 at 17:09 +0530, vinayan KP wrote:
>> Hello,
>>
>> We use a mailscanner installed almost three years ago and was working
>> perfectly till last week detecting and tagging each and every spam
>> mail correctly and letting only genuine mails untagged.
>>
>> Since last week I could see each user is getting a lot of spam mails
>> without getting tagged as {Spam?} and I could see from the log the
>> following lines.
>>
>> Dec 8 16:54:13 fedora MailScanner[2162]: SpamAssassin timed out (with
>> no network checks) and was killed, failure 16 of 20
>> Dec 8 16:54:13 fedora MailScanner[2087]: SpamAssassin timed out (with
>> no network checks) and was killed, failure 19 of 20
>> Dec 8 16:54:18 fedora MailScanner[2050]: SpamAssassin timed out (with
>> no network checks) and was killed, failure 13 of 20
>> Dec 8 16:54:21 fedora MailScanner[2230]: SpamAssassin timed out (with
>> no network checks) and was killed, failure 15 of 20
>
>
>
> Look up this list archive .. this has been asked multiple times here
> Usually it is DNS, but you seem to have these tests off already
>
> * Did you check your Bayes size
>
> * What is the h/w configuration on this server and what is the traffic
> (Remember h/w is usually much cheaper than wasting too much time trying
> to diagnose a load issue unless it is obvious)
>
>
> Anyway, when your machine starts timing out SA
> run
> spamassassin -D -t < /path/somemail.eml 2>&1 | tee /tmp/sa_timeout.log
>
> The logfile should give you enough inputs, else post it here
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
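Added example (not part of the thread, and not MailScanner or SpamAssassin code): a small Python filter that pulls the per-zone URIDNSBL lookup times, the blocklist hits and the final verdict out of `spamassassin -D` output such as the log posted above. The function names and the 10-second threshold are assumptions made for this example; the sample entries are excerpted from the posted log.

```python
import re

# Entries excerpted from the debug log posted in this message. They are run
# together on one line, as in the archive, so matching is done over the whole
# text rather than line by line.
SAMPLE = (
    '[13354] dbg: uridnsbl: query for cdelinux.org took 33 seconds to look up '
    '(multi.surbl.org.:cdelinux.org) '
    '[13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_AB_SURBL): 127.0.0.118 '
    '[13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_SC_SURBL): 127.0.0.118 '
    '[13354] dbg: uridnsbl: query for pufigfeb.com took 33 seconds to look up '
    '(multi.surbl.org.:pufigfeb.com) '
    '[13354] dbg: uridnsbl: query for econdse.org took 33 seconds to look up '
    '(multi.surbl.org.:econdse.org) '
    '[13354] dbg: uridnsbl: query for cdelinux.org took 33 seconds to look up '
    '(sbl.spamhaus.org.:9.0.168.192) '
    '[13354] dbg: uridnsbl: domain "pufigfeb.com" listed (URIBL_SBL): '
    '"http://www.spamhaus.org/SBL/sbl.lasso?query=SBL69622" '
    '[13354] dbg: uridnsbl: query for pufigfeb.com took 35 seconds to look up '
    '(sbl.spamhaus.org.:2.96.176.94) '
    '[13354] dbg: check: is spam? score=22.703 required=5 '
)

# "query for <domain> took <n> seconds to look up (<zone>.:<name>)"
QUERY_RE = re.compile(
    r'uridnsbl:\s+query\s+for\s+(?P<domain>\S+)\s+took\s+(?P<secs>\d+)\s+seconds?'
    r'\s+to\s+look\s+up\s+\((?P<zone>[^:()\s]+?)\.?:(?P<name>[^)\s]+)\)'
)
# 'domain "<domain>" listed (<RULE>)'
LISTED_RE = re.compile(
    r'uridnsbl:\s+domain\s+"(?P<domain>[^"]+)"\s+listed\s+\((?P<rule>\w+)\)'
)
# "check: is spam? score=<s> required=<r>"
VERDICT_RE = re.compile(
    r'check:\s+is\s+spam\?\s+score=(?P<score>-?\d+(?:\.\d+)?)'
    r'\s+required=(?P<req>-?\d+(?:\.\d+)?)'
)


def slow_lookups(text, threshold=10):
    """Group lookups that took at least `threshold` seconds by DNSBL zone."""
    zones = {}
    for m in QUERY_RE.finditer(text):
        secs = int(m.group("secs"))
        if secs < threshold:
            continue
        info = zones.setdefault(
            m.group("zone").lower(),
            {"count": 0, "max_secs": 0, "domains": set()},
        )
        info["count"] += 1
        info["max_secs"] = max(info["max_secs"], secs)
        info["domains"].add(m.group("domain"))
    # Sorted lists make the result stable and easy to print or compare.
    return {z: {**i, "domains": sorted(i["domains"])} for z, i in zones.items()}


def listed_domains(text):
    """Map each listed domain to the sorted URIBL rules it triggered."""
    hits = {}
    for m in LISTED_RE.finditer(text):
        hits.setdefault(m.group("domain"), set()).add(m.group("rule"))
    return {d: sorted(rules) for d, rules in hits.items()}


def verdict(text):
    """Return (score, required) from the final check line, or None if absent."""
    m = VERDICT_RE.search(text)
    return (float(m.group("score")), float(m.group("req"))) if m else None


if __name__ == "__main__":
    import sys
    # Read a saved debug log (e.g. /tmp/sa_timeout.log) or fall back to SAMPLE.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for zone, info in sorted(slow_lookups(data).items()):
        print(f"{zone}: {info['count']} lookups, max {info['max_secs']}s, "
              f"domains={','.join(info['domains'])}")
    for domain, rules in sorted(listed_domains(data).items()):
        print(f"listed: {domain} -> {','.join(rules)}")
    print("verdict:", verdict(data))
```

Run against a saved log as `python3 script.py /tmp/sa_timeout.log`; with no argument it reports on the embedded excerpt.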
> From maxsec at gmail.com Wed Dec 10 09:57:04 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Wed Dec 10 09:57:13 2008 Subject: WARNINGS Ignoring deprecated option freebsd In-Reply-To: <72cf361e0812100035i252d8221q13e5853f677b230b@mail.gmail.com> References: <493E9DC5.60406@chem.fsu.edu> <72cf361e0812090845o4ff76039v8e7ca6ded3b48550@mail.gmail.com> <493EC04E.7030905@chem.fsu.edu> <72cf361e0812100035i252d8221q13e5853f677b230b@mail.gmail.com> Message-ID: <72cf361e0812100157p274b8cbr240250a56c4d4a5d@mail.gmail.com> 2008/12/10 Martin Hepworth : > 2008/12/9 Hiram Gibbard : >> >> >> Martin Hepworth wrote: >>> >>> 2008/12/9 Hiram Gibbard : >>>> >>>> WHAT I AM USING FOR MAIL: >>>> CPU speed -> Dual 2.5 XEONs >>>> Memory -> 8GB >>>> Operating System -> FreeBSD 7.0 >>>> >>>> pkg_info REPORTS: >>>> MailScanner-4.67.6_3 >>>> clamav-0.94.2 >>>> postfix-2.4.7,1 >>>> >>>> I installed from ports, which is what the mailscanner.info site >>>> recommends. >>>> Of course its not the latest version of mailscanner. Should I use the >>>> download able tar version instead? I didn't have this problem using >>>> Mailscanner 4.61.7 and clamav 94.1. >>>> >>>> >>>> CURRENT mailscanner.conf settings >>>> # >>>> # Incoming Work Dir Settings >>>> # -------------------------- >>>> # >>>> # You should not normally need to touch these settings at all, >>>> # unless you are using ClamAV and need to be able to use the >>>> # external archive unpackers instead of ClamAV's built-in ones. >>>> >>>> # If you want to create the temporary working files so they are owned >>>> # by a user other than the "Run As User" setting at the top of this file, >>>> # you can change that here. 
>>>> # >>>> # Note: If the "Run As User" is not "root" you cannot change the >>>> # user but may still be able to change the group, if the >>>> # "Run As User" is a member of both of the groups "Run As Group" >>>> # and "Incoming Work Group" >>>> # Note: If the "Run As User" is "root" (or not set at all) and you are >>>> # using the "clamd" virus scanner AND clamd is not running as root, >>>> # then this must be set to the group clamd is using (from your >>>> # clamd.conf), example: >>>> # Incoming Work Group = clamav >>>> # Incoming Work Permissions = 0640 >>>> Incoming Work User = root >>>> Incoming Work Group = root >>>> >>>> I tried this with group mail too. >>>> >>>> >>>> >>>> PROBLEM THAT I WANT TO RESOLVE: >>>> >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --unzip >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --jar >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --tar >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --tgz >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --deb >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --unrar >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --arj >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --lha >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --unzoo >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --max-ratio >>>> Dec 9 11:48:02 mail MailScanner[730]: WARNING: Ignoring deprecated >>>> option >>>> --unrar >>>> Dec 9 11:48:03 mail MailScanner[754]: MailScanner E-Mail Virus Scanner >>>> version 4.67.6 starting... >>>> >>>> >>>> I realize this was a topic before, but I have one question. 
Even though >>>> Mailscanner.info states to install by ports, should I still still get the >>>> latest version from the site and install that one instead? >>>> >>>> Thanks in advance. >>>> -- >>>> -------------------------------------------- >>>> Hiram Gibbard >>>> Florida State University >>>> Computer Support >>>> >>>> Department of Chemistry >>>> Phone: 850.644.3004 >>>> Fax: 850.644.8281 >>>> URL: http://www.chem.fsu.edu/~gibbard >>>> -------------------------------------------- >>>> >>>> -- >>>> This message has been scanned for viruses and >>>> dangerous content by MailScanner, and is >>>> believed to be clean. >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >>> >>> >>> This is because you need the latest mailscanner version to be >>> compatible with clamav 0.94. So yes the tar.gz will be needed as the >>> port maintainer hasn't the time to upgrade the port at the moment (I >>> asked him off list a couple of weeks ago). >>> >>> I'm doing the move from ports to tar.gz version at the moment. If I >>> come across anything unusual when I do the final move tomorrow AM >>> (gmt) i'll let you know. >>> >> >> sorry to be naive, but I can't seem to figure out where the rc.Mailscanner >> file resides, or can be obtained. Can you point me in the right direction? >> This doesn't seem to be updated info: >> 6. 
Download /opt/MailScanner/bin/rc.MailScanner
>>
>> Fetch the file from
>>
>> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/freebsd/rc.MailScanner
>> chmod a=rx /opt/MailScanner/bin/rc.MailScanner
>> I got this out of INSTALL.FreeBSD
>>
>> --
>> --------------------------------------------
>> Hiram Gibbard
>> Florida State University
>> Computer Support
>>
>> Department of Chemistry
>> Phone: 850.644.3004
>> Fax: 850.644.8281
>> URL: http://www.chem.fsu.edu/~gibbard
>> --------------------------------------------
>>
>
> Not sure which instructions you're following but I concur that this
> file no longer exists. I've just copied the ports one and modified it
> to point at the new locations.
>
> --
> Martin Hepworth
> Oxford, UK
>

Everything running OK now, only fly in the ointment was for some reason
the install.sh didn't install OLE::Storage_Lite so I CPAN-ed that and
everything is fine now, I'll raise a separate query about this.

--
Martin Hepworth
Oxford, UK

From glenn.steen at gmail.com Wed Dec 10 10:28:20 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 10 10:28:30 2008
Subject: Spam assassin timeouts
In-Reply-To: <6a7195cc0812100133s3334cdb5kf70f64406b1d4e7b@mail.gmail.com>
References: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com> <1228739966.12079.75.camel@darkstar.netcore.co.in> <6a7195cc0812100133s3334cdb5kf70f64406b1d4e7b@mail.gmail.com>
Message-ID: <223f97700812100228t7261143ase48a8ae8e1325991@mail.gmail.com>

2008/12/10 vinayan KP :
> Dear Ram,
>
> Thank you very much for your mail. I learned linux just recently I am
> not an expert. I normally used to try things whenever I get time but
> now I hardly have any time these days to sit and feel don't have enough
> knowledge to fix this problem. A third party installed and configured
> mailscanner for us couple of years back but that company does not
> exist anymore. Hope you would be able to help me out.
>
> The following are the size of bayes file. Are these alright?
The > bayes_seen file is too large but it was like this for a long time and > was working alright. > > -rw------- 1 root root 9.4K Dec 10 14:29 bayes_journal > -rw-rw-rw- 1 root root 5.7K Dec 10 14:29 bayes.mutex > -rw------- 1 root root 167M Dec 10 14:26 bayes_seen > -rw------- 1 root root 9.7M Dec 10 14:28 bayes_toks > -rw------- 1 root root 12K Dec 9 10:35 bayes_toks.expire10686 > -rw------- 1 root root 12K Dec 10 00:12 bayes_toks.expire11495 > -rw------- 1 root root 12K Dec 8 19:22 bayes_toks.expire11824 > -rw------- 1 root root 12K Dec 8 20:40 bayes_toks.expire13768 > -rw------- 1 root root 12K Dec 10 07:48 bayes_toks.expire28490 > -rw------- 1 root root 12K Dec 7 21:22 bayes_toks.expire31832 > -rw------- 1 root root 0 Dec 2 04:04 __db.bayes_toks.expire12682 > -rw------- 1 root root 12K Nov 27 18:58 __db.bayes_toks.expire14247 > -rw------- 1 root root 12K Sep 6 06:22 __db.bayes_toks.expire15605 > -rw------- 1 root root 12K Nov 14 14:38 __db.bayes_toks.expire15684 > -rw------- 1 root root 4.0K Sep 2 07:48 __db.bayes_toks.expire1745 > -rw------- 1 root root 12K Dec 2 08:39 __db.bayes_toks.expire20880 > -rw------- 1 root root 12K Dec 6 00:18 __db.bayes_toks.expire23304 > -rw------- 1 root root 0 Dec 4 16:39 __db.bayes_toks.expire23851 > -rw------- 1 root root 0 Oct 26 19:52 __db.bayes_toks.expire24361 > -rw------- 1 root root 0 Sep 2 04:52 __db.bayes_toks.expire29096 > -rw------- 1 root root 12K Nov 11 17:37 __db.bayes_toks.expire30758 > -rw------- 1 root root 12K Oct 23 18:31 __db.bayes_toks.expire31745 > -rw------- 1 root root 4.0K Dec 9 05:28 __db.bayes_toks.expire32018 > -rw------- 1 root root 0 Nov 21 04:07 __db.bayes_toks.expire32087 > -rw------- 1 root root 12K Dec 5 15:17 __db.bayes_toks.expire3656 > -rw------- 1 root root 0 Dec 4 05:45 __db.bayes_toks.expire5747 > -rw------- 1 root root 12K Oct 22 16:03 __db.bayes_toks.expire7440 > -rw------- 1 root root 12K Nov 26 16:21 __db.bayes_toks.expire7458 > -rw------- 1 root root 0 Sep 18 00:39 
__db.bayes_toks.expire9575
> -rw-r--r-- 1 root root 1.5K Dec 8 13:23 user_prefs
>
(snip)

This is classic... You have a huge seen file there, and a load of
expire files from unsuccessful expire runs. Remove the seen file as well
as all the expire files, then do a manual expire... Consider configuring
your bayes for manual expire only.

Also consider increasing the SA timeout value rather much ... in
MailScanner.conf. MS will rudely cut off some SA operations otherwise.
Exactly what you need, as well as where depends on your circumstances, so
I'll refrain from giving any hard numbers.

Removing the bayes_seen file will affect your ability to unlearn
messages previously learnt, but ... that is likely something you can
live with temporarily.

As Ram says, this has been covered numerous times (and all the other
reasons for SA to time out:-) on this list... and I'm almost certain you
can find pertinent information in the wiki/maq as well.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Dec 10 10:29:55 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 10 10:30:05 2008
Subject: Spam assassin timeouts
In-Reply-To: <223f97700812100228t7261143ase48a8ae8e1325991@mail.gmail.com>
References: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com> <1228739966.12079.75.camel@darkstar.netcore.co.in> <6a7195cc0812100133s3334cdb5kf70f64406b1d4e7b@mail.gmail.com> <223f97700812100228t7261143ase48a8ae8e1325991@mail.gmail.com>
Message-ID: <223f97700812100229k1c95f0a6l3e82d63a92b0a1e8@mail.gmail.com>

2008/12/10 Glenn Steen :
> 2008/12/10 vinayan KP :
>> Dear Ram,
>>
>> Thank you very much for your mail. I learned linux just recently I am
>> not an expert. I normally used to try things whenever I get time but
>> now I hardly have any time these days to sit and feel don't have enough
>> knowledge to fix this problem.
A third party installed and configured >> mailscanner for us couple of years back but that company does not >> exist anymore. Hope you would be able to help me out. >> >> The following are the size of bayes file. Are thse alright? The >> bayes_seen file is too large but it was like this for a long time and >> was working alright. >> >> -rw------- 1 root root 9.4K Dec 10 14:29 bayes_journal >> -rw-rw-rw- 1 root root 5.7K Dec 10 14:29 bayes.mutex >> -rw------- 1 root root 167M Dec 10 14:26 bayes_seen >> -rw------- 1 root root 9.7M Dec 10 14:28 bayes_toks >> -rw------- 1 root root 12K Dec 9 10:35 bayes_toks.expire10686 >> -rw------- 1 root root 12K Dec 10 00:12 bayes_toks.expire11495 >> -rw------- 1 root root 12K Dec 8 19:22 bayes_toks.expire11824 >> -rw------- 1 root root 12K Dec 8 20:40 bayes_toks.expire13768 >> -rw------- 1 root root 12K Dec 10 07:48 bayes_toks.expire28490 >> -rw------- 1 root root 12K Dec 7 21:22 bayes_toks.expire31832 >> -rw------- 1 root root 0 Dec 2 04:04 __db.bayes_toks.expire12682 >> -rw------- 1 root root 12K Nov 27 18:58 __db.bayes_toks.expire14247 >> -rw------- 1 root root 12K Sep 6 06:22 __db.bayes_toks.expire15605 >> -rw------- 1 root root 12K Nov 14 14:38 __db.bayes_toks.expire15684 >> -rw------- 1 root root 4.0K Sep 2 07:48 __db.bayes_toks.expire1745 >> -rw------- 1 root root 12K Dec 2 08:39 __db.bayes_toks.expire20880 >> -rw------- 1 root root 12K Dec 6 00:18 __db.bayes_toks.expire23304 >> -rw------- 1 root root 0 Dec 4 16:39 __db.bayes_toks.expire23851 >> -rw------- 1 root root 0 Oct 26 19:52 __db.bayes_toks.expire24361 >> -rw------- 1 root root 0 Sep 2 04:52 __db.bayes_toks.expire29096 >> -rw------- 1 root root 12K Nov 11 17:37 __db.bayes_toks.expire30758 >> -rw------- 1 root root 12K Oct 23 18:31 __db.bayes_toks.expire31745 >> -rw------- 1 root root 4.0K Dec 9 05:28 __db.bayes_toks.expire32018 >> -rw------- 1 root root 0 Nov 21 04:07 __db.bayes_toks.expire32087 >> -rw------- 1 root root 12K Dec 5 15:17 __db.bayes_toks.expire3656 >> 
-rw------- 1 root root 0 Dec 4 05:45 __db.bayes_toks.expire5747 >> -rw------- 1 root root 12K Oct 22 16:03 __db.bayes_toks.expire7440 >> -rw------- 1 root root 12K Nov 26 16:21 __db.bayes_toks.expire7458 >> -rw------- 1 root root 0 Sep 18 00:39 __db.bayes_toks.expire9575 >> -rw-r--r-- 1 root root 1.5K Dec 8 13:23 user_prefs >> > (snip) BTW... Safest is to start these operations after shutting MailScanner down. > This is classic... You have a huge seen file there, and a load of > expire files from unsuccessful expire runs. Remove the seen file as > well as all the expire files, then do a manual expire... Consider > configuring your bayes for manual expire only. Also consider > increasing the SA timeout value rather much ... in MailScanner.conf. > MS will rudely cut off some SA operations otherwise. Exactly what you > need, as well as where depend on your circumstances, so I'll refrain > from giving any hard numbers. > Removing the bayes_seen file will affect your ability to unlearn > messages previously learnt, but ... that is likely something you can > live with temporarily. > > As Ram says, this has been covered numerous times (and all the other > reasons for SA to time out:-) on this list... and I'm almost certain > you can find pertinent information in the wiki/maq as well. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From maillists at conactive.com Wed Dec 10 12:15:12 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Dec 10 12:15:25 2008 Subject: Mailscanner, CentOS 5, and updating perl. In-Reply-To: References: Message-ID: Henry Kwan wrote on Tue, 9 Dec 2008 22:52:02 +0000 (UTC): > So the offending rpm was this one that yum update wants me to install: > > perl-Compress-Zlib.i386 1.42-1.fc6 base why should "yum update" want you to install it? 
This is not an update. Is it a dependancy? > If I go ahead and install it, the same error as above always pops up when I go > to start Mailscanner. Not here, with 1.42-1.fc6 on the system. However, my latest MS version currently is 4.71.10. So, there may be something offending with a later version. Or it is caused by installing all those Perl source packages from Julian's tarball. On RH/CentOS systems I strongly recommend *not* to install the complete tar.gz you get from Julian's site. Unpack that and *only* (force-)install the mailscanner*.rpm plus the tnef rpm and I may be missing another one. Install *all* the perl modules that are missing from rpmforge before you install MailScanner. Also note, that some of the modules in the tar.gz are already included in the installed Perl. There's no need to install these. I once posted a list of the modules you have to install for CentOS on this very list (this year I think). I haven't ever had any problems with this approach and enjoy an easy update path for the OS *and* MailScanner (and updating MS this way is *much* faster as well) and no problems with Perl. 
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Wed Dec 10 17:21:19 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Dec 10 17:21:38 2008
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com>
References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com>
Message-ID: <493FFA8F.9010600@ecs.soton.ac.uk>

My current plan is to use a /var/spool/MailScanner/incoming/tmp directory which is owned by the "Run As User" and "Run As Group" and only accessible by drwx------ so that MailScanner can write to it and root can as well. This is already half-implemented as there is a "Lockfile Dir" setting in MailScanner.conf. I just need to pass that on the command-line of the -autoupdate scripts so they know where to expect and put their lockfiles (all the current ones assume Lockfile Dir = /tmp).

After that there's just a few places in TNEF.pm, SA.pm and the "MailScanner --lint" code which also need to use the Lockfile Dir directory instead of /tmp.

Any reason why this wouldn't work? I can implement all this in about an hour's work.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
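
The lockfile change proposed in the message above, sketched as an added example (not part of the original post and not MailScanner's code). The function names, the sandbox layout and the lock name "update" are assumptions; the sketch contrasts a plain redirect into a shared directory with a lock that is only taken inside a directory owned by the caller with mode drwx------.

```shell
#!/bin/sh
# Added illustration. Function names, the sandbox layout and the lock name
# "update" are hypothetical; this is not MailScanner's code.

# naive_lock DIR NAME: the pattern at issue. A plain ">" follows a symlink
# that already sits at DIR/NAME.lock and truncates whatever it points to.
naive_lock() {
    echo "$$" > "$1/$2.lock"
}

# lockdir_is_private DIR: succeed only if DIR is a real directory (not a
# symlink), owned by the invoking user, with mode drwx------.
lockdir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    # "ls -ldn" prints "mode links uid gid ..."; keep the ten mode characters
    # (dropping any trailing ACL/SELinux marker) and the numeric owner.
    [ "$(ls -ldn -- "$1" | awk 'NR==1 {print substr($1,1,10), $3}')" = "drwx------ $(id -u)" ]
}

# safe_lock DIR NAME: returns 0 = lock taken, 1 = name already exists,
# 2 = directory is not private and nothing was written.
safe_lock() {
    lockdir_is_private "$1" || return 2
    # noclobber (set -C) refuses to write through ">" when the name is an
    # existing regular file, a symlink to one, or a dangling symlink.
    ( set -C; echo "$$" > "$1/$2.lock" ) 2>/dev/null || return 1
}

# release_lock DIR NAME: drop the lock taken by safe_lock.
release_lock() {
    rm -f -- "$1/$2.lock"
}

# Constructed demo in a throwaway sandbox: "shared" stands in for /tmp,
# "private" for a lock directory with mode 0700 owned by the caller.
demo() {
    box=$(mktemp -d) || return 1
    mkdir -m 1777 "$box/shared"
    mkdir -m 700 "$box/private"
    echo "important data" > "$box/victim"
    # What another local user could pre-create in a shared directory.
    ln -s "$box/victim" "$box/shared/update.lock"

    naive_lock "$box/shared" update
    echo "naive lock, shared dir:  victim now contains '$(cat "$box/victim")'"

    echo "important data" > "$box/victim"
    rc=0; safe_lock "$box/shared" update || rc=$?
    echo "safe lock, shared dir:   rc=$rc (2 = directory refused)"
    rc=0; safe_lock "$box/private" update || rc=$?
    echo "safe lock, private dir:  rc=$rc (0 = acquired)"
    rc=0; safe_lock "$box/private" update || rc=$?
    echo "second attempt:          rc=$rc (1 = already held)"
    echo "victim after safe locks: '$(cat "$box/victim")'"
    rm -rf "$box"
}

demo
```

The ownership and mode check does most of the work, since no other unprivileged user can create names inside such a directory; noclobber is a second layer for names that already exist.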
From glenn.steen at gmail.com Wed Dec 10 19:16:45 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Dec 10 19:16:54 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <493FFA8F.9010600@ecs.soton.ac.uk> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> Message-ID: <223f97700812101116j471c902ap39b76e818de97280@mail.gmail.com> 2008/12/10 Julian Field : > My current plan is to use a /var/spool/MailScanner/incoming/tmp directory > which is owned by the "Run As User" and "Run As Group" and only accessible > by drwx------ so that MailScanner can write to it and root can as well. This > is already half-implemented as there is a "Lockfile Dir" setting in > MailScanner.conf. I just need to pass that on the command-line of the > -autoupdate scripts so they know where to expect and put their lockfiles > (all the current ones assume Lockfile Dir = /tmp). > > After that there's just a few places in TNEF.pm, SA.pm and the "MailScanner > --lint" code which also need to use the Lockfile Dir directory instead of > /tmp. > > Any reason why this wouldn't work? I can implement all this in about an > hour's work. > > Jules > Sounds perfect to me. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From lists at designmedia.com Wed Dec 10 19:42:33 2008 From: lists at designmedia.com (Henry Kwan) Date: Wed Dec 10 19:42:56 2008 Subject: Mailscanner, CentOS 5, and updating perl. 
References: Message-ID: Kai Schaetzl conactive.com> writes: > Henry Kwan wrote on Tue, 9 Dec 2008 22:52:02 +0000 (UTC): > > > So the offending rpm was this one that yum update wants me to install: > > > > perl-Compress-Zlib.i386 1.42-1.fc6 base > > why should "yum update" want you to install it? This is not an update. Is it > a dependancy? Not sure. I'm guessing it's because I installed perl-Compress-Zlib-1.41-1 from Julian's tarball. > > > If I go ahead and install it, the same error as above always pops up when > > I go to start Mailscanner. > > Not here, with 1.42-1.fc6 on the system. However, my latest MS version > currently is 4.71.10. So, there may be something offending with a later > version. I was running 4.71.10-1 with 1.42-1.fc6 fine but when I tried upgrading to 4.73.4-2, that's when the error popped up. So I removed 1.42-1.fc6 and downgrade to 1.41-1. > Or it is caused by installing all those Perl source packages from Julian's > tarball. On RH/CentOS systems I strongly recommend *not* to install the > complete tar.gz you get from Julian's site. Unpack that and *only* (force-) > install the mailscanner*.rpm plus the tnef rpm and I may be missing another > one. Install *all* the perl modules that are missing from rpmforge before > you install MailScanner. Also note, that some of the modules in the tar.gz > are already included in the installed Perl. There's no need to install > these. Ok, I'll do a search for your old list and will try bringing up MS from only installing the main mailscanner*.rpm and the 1 or 2 missing perl modules. Though, after this exercise, I can see why having a dedicated repository is so attractive. :-) Thanks for the response. 
--Henry From ssilva at sgvwater.com Wed Dec 10 19:47:40 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Dec 10 19:47:59 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <493FFA8F.9010600@ecs.soton.ac.uk> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> Message-ID: on 12-10-2008 9:21 AM Julian Field spake the following: > My current plan is to use a /var/spool/MailScanner/incoming/tmp > directory which is owned by the "Run As User" and "Run As Group" and > only accessible by drwx------ so that MailScanner can write to it and > root can as well. This is already half-implemented as there is a > "Lockfile Dir" setting in MailScanner.conf. I just need to pass that on > the command-line of the -autoupdate scripts so they know where to expect > and put their lockfiles (all the current ones assume Lockfile Dir = /tmp). > > After that there's just a few places in TNEF.pm, SA.pm and the > "MailScanner --lint" code which also need to use the Lockfile Dir > directory instead of /tmp. > > Any reason why this wouldn't work? I can implement all this in about an > hour's work. > > Jules > Is there any way that a user could set an option in mailscanner.conf that would break this? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081210/672c3a0e/signature.bin From ssilva at sgvwater.com Wed Dec 10 19:57:42 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Dec 10 20:00:15 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> Message-ID: on 12-10-2008 11:47 AM Scott Silva spake the following: > on 12-10-2008 9:21 AM Julian Field spake the following: >> My current plan is to use a /var/spool/MailScanner/incoming/tmp >> directory which is owned by the "Run As User" and "Run As Group" and >> only accessible by drwx------ so that MailScanner can write to it and >> root can as well. This is already half-implemented as there is a >> "Lockfile Dir" setting in MailScanner.conf. I just need to pass that on >> the command-line of the -autoupdate scripts so they know where to expect >> and put their lockfiles (all the current ones assume Lockfile Dir = /tmp). >> >> After that there's just a few places in TNEF.pm, SA.pm and the >> "MailScanner --lint" code which also need to use the Lockfile Dir >> directory instead of /tmp. >> >> Any reason why this wouldn't work? I can implement all this in about an >> hour's work. >> >> Jules >> > Is there any way that a user could set an option in mailscanner.conf that > would break this? > And I mean a proper option like queue file location, not a bad one. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081210/40fda5eb/signature.bin From maillists at conactive.com Wed Dec 10 23:31:28 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Dec 10 23:31:41 2008 Subject: Mailscanner, CentOS 5, and updating perl. In-Reply-To: References: Message-ID: Henry Kwan wrote on Wed, 10 Dec 2008 19:42:33 +0000 (UTC): > Not sure. I'm guessing it's because I installed perl-Compress-Zlib-1.41-1 > from Julian's tarball. Oh, yeah, of course, I didn't know the version number. > > > > > > If I go ahead and install it, the same error as above always pops up when > > > I go to start Mailscanner. > > > > Not here, with 1.42-1.fc6 on the system. However, my latest MS version > > currently is 4.71.10. So, there may be something offending with a later > > version. > > I was running 4.71.10-1 with 1.42-1.fc6 fine but when I tried upgrading to > 4.73.4-2, that's when the error popped up. So I removed 1.42-1.fc6 and > downgrade to 1.41-1. It popped up because you were installing 1.41 from Jules over 1.42 from CentOS base. Again. (It was already part of MS 4.71). Not because 1.42 was on the system. So, depending on your update cycle you were updating, overwriting, updating, overwriting that and maybe other packages ... Just installed latest MS with no problems at all. I checked and it's really only the mailscanner*.rpm and the tnef*.rpm (if it is a new one) that I install. I don't install *any* of the perl modules or the ExtUtils-MakeMaker.tar.gz from that tarball. I took the opportunity to get a list of the files and rpm -q these, so I get a list of installed versions and not installed packages. Not installed packages are already part of Perl. Here's the quick output, hope this helps. 
rpm -q mailscanner
mailscanner-4.73.4-2
rpm -q perl-Archive-Zip
perl-Archive-Zip-1.16-1.2.1
rpm -q perl-bignum
package perl-bignum is not installed
rpm -q perl-Compress-Zlib
perl-Compress-Zlib-1.42-1.fc6
rpm -q perl-Convert-BinHex
perl-Convert-BinHex-1.119-2.2.el5.rf
rpm -q perl-Convert-TNEF
perl-Convert-TNEF-0.17-3.2.el5.rf
rpm -q perl-DBD-SQLite
perl-DBD-SQLite-1.14-1.el5.rf
rpm -q perl-DBI
perl-DBI-1.52-1.fc6
rpm -q perl-Digest-MD5
package perl-Digest-MD5 is not installed
rpm -q perl-Digest-SHA1
perl-Digest-SHA1-2.11-1.2.1
rpm -q perl-ExtUtils-MakeMaker
package perl-ExtUtils-MakeMaker is not installed
rpm -q perl-File-Spec
package perl-File-Spec is not installed
rpm -q perl-Filesys-Df
perl-Filesys-Df-0.92-1.el5.rf
rpm -q perl-File-Temp
perl-File-Temp is not installed
rpm -q perl-Getopt-Long
package perl-Getopt-Long is not installed
rpm -q perl-HTML-Parser
perl-HTML-Parser-3.55-1.fc6
rpm -q perl-HTML-Tagset
perl-HTML-Tagset-3.10-2.1.1
rpm -q perl-IO
package perl-IO is not installed
rpm -q perl-IO-stringy
perl-IO-stringy-2.110-1.2.el5.rf
rpm -q perl-MailTools
perl-MailTools-1.77-1.el5.centos
rpm -q perl-Math-BigInt
package perl-Math-BigInt is not installed
rpm -q perl-Math-BigRat
package perl-Math-BigRat is not installed
rpm -q perl-MIME-Base64
package perl-MIME-Base64 is not installed
rpm -q perl-MIME-tools
perl-MIME-tools-5.420-2.el5.rf
rpm -q perl-Net-CIDR
perl-Net-CIDR-0.11-1.2.el5.rf
rpm -q perl-Net-DNS
perl-Net-DNS-0.59-3.el5
rpm -q perl-Net-IP
perl-Net-IP-1.25-2.fc6
rpm -q perl-OLE-Storage_Lite
perl-OLE-Storage_Lite-0.17-1.el5.rf
rpm -q perl-Pod-Escapes
perl-Pod-Escapes-1.04-1.2.el5.rf
rpm -q perl-Pod-Simple
perl-Pod-Simple-3.05-1.el5.rf
rpm -q perl-Scalar-List
package perl-Scalar-List is not installed
rpm -q perl-Storable
package perl-Storable is not installed
rpm -q perl-Sys-Hostname-Long
perl-Sys-Hostname-Long-1.4-1.2.el5.rf
rpm -q perl-Sys-Syslog
package perl-Sys-Syslog is not installed
rpm -q perl-Test-Harness
package perl-Test-Harness is not installed
rpm -q perl-Test-Pod
perl-Test-Pod-1.26-1.el5.rf
rpm -q perl-Test-Simple
package perl-Test-Simple is not installed
rpm -q perl-TimeDate
perl-TimeDate-1.16-5.el5
rpm -q perl-Time-HiRes
package perl-Time-HiRes is not installed
rpm -q tnef
tnef-1.4.4-1

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From support-lists at petdoctors.co.uk Thu Dec 11 09:39:53 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Thu Dec 11 09:39:41 2008
Subject: Handling mobile users
Message-ID:

Hi,

Any hints on handling mobile users where the sending domains keep hopping on and off RBLs? I have asked this before but not really found a satisfactory solution - for example, whitelisting our domain opens up the spam floodgate. The ideal situation would be to skip RBL checks on emails from authenticated users, but either I am not doing it right or I am missing the trick. It was suggested that whitelisting 127.0.0.1 would help but this does not seem to be the case. Our mobiles are on UK Vodafone but, for example, one of the Directors is currently roaming in Italy.

I was looking at creating up a ruleset for the "Spam List = " to set it to "" for emails from our domain (not ideal, but better than nothing), but I cannot work out how to do this for selected domains.

All hints and pointers appreciated.

Thanks

Nigel Kendrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081211/bd073a5d/attachment.html

From ms-list at alexb.ch Thu Dec 11 10:11:09 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Dec 11 10:11:20 2008
Subject: Handling mobile users
In-Reply-To:
References:
Message-ID: <4940E73D.4090007@alexb.ch>

On 12/11/2008 10:39 AM, Nigel Kendrick wrote:
> Hi,
>
> Any hints on handling mobile users where the sending domains keep hopping on
> and off RBLs?
I have asked this before but not really found a satisfactory > solution - for example, whitelisting our domain opens up the spam floodgate. > The ideal situation would be to skip RBL checks on emails from authenticated > users, but either I am not doing it right or I am missing the trick. It was > suggested that whitelisting 127.0.0.1 would help but this does not seem to > be the case. Our mobiles are on UK Vodafone but, for example, one of the > Directors is currently roaming in Italy. > > I was looking at creating up a ruleset for the "Spam List = " to set it to > "" for emails from our domain (not ideal, but better than nothing), but I > cannot work out how to do this for selected domains. > > All hints and pointers appreciated. imo, all mobile workers, even a director should VPN to your network and smtp-auth from there. Even if VPN ports are blocked @hotels, etc, its trivial to setup a VPN channel which listens on TCP 443 which is always open. or... lets assume you're not VPN yet doing RBL lookups @MTA level, smtp-auth'd users should be exempt from rbl lookups in the first place. There's hardly need to tweak MailScanner or SA if stuff is coming off your trusted network. or am I missing something? Ale From steve.freegard at fsl.com Thu Dec 11 10:32:08 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Dec 11 10:32:18 2008 Subject: Handling mobile users In-Reply-To: References: Message-ID: <4940EC28.6050907@fsl.com> Nigel Kendrick wrote: > Hi, > > Any hints on handling mobile users where the sending domains keep > hopping on and off RBLs? I have asked this before but not really found a > satisfactory solution - for example, whitelisting our domain opens up > the spam floodgate. The ideal situation would be to skip RBL checks on > emails from authenticated users, but either I am not doing it right or I > am missing the trick. It was suggested that whitelisting 127.0.0.1 would > help but this does not seem to be the case. 
Our mobiles are on UK
> Vodafone but, for example, one of the Directors is currently roaming in
> Italy.
>
> I was looking at creating up a ruleset for the "Spam List = " to set it
> to "" for emails from our domain (not ideal, but better than nothing),
> but I cannot work out how to do this for selected domains.
>
> All hints and pointers appreciated.
>

The 'Spam Domain=' list in MailScanner is pretty basic - you'd have to write a CustomFunction on it to parse the received headers inserted by your MTA and bypass it if the user were authenticated.

I personally wouldn't do it that way - if I were you I would nuke the Spam Domain list entirely and configure your MTA to reject clients listed on zen.spamhaus.org at RCPT TO: time (e.g. delay checks), then your MTA can allow SMTP AUTH clients to send mail regardless of the RBL status of their IP address.

That will achieve what you need and reduce the load on your MailScanner box at the same time.

Cheers,
Steve.

From list-mailscanner at linguaphone.com Thu Dec 11 11:23:18 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Dec 11 13:31:24 2008
Subject: Handling mobile users
In-Reply-To:
References:
Message-ID: <1228994598.608.1.camel@gblades-suse.linguaphone-intranet.co.uk>

I have postfix configured to listen on port 587 as well. All email to this port has to be authenticated and for these mails mailscanner is bypassed altogether. Any viruses will still be caught by the actual mail server as virus scanning is running on it as well.

On Thu, 2008-12-11 at 09:39, Nigel Kendrick wrote:
> Hi,
>
> Any hints on handling mobile users where the sending domains keep
> hopping on and off RBLs? I have asked this before but not really found
> a satisfactory solution - for example, whitelisting our domain opens
> up the spam floodgate. The ideal situation would be to skip RBL checks
> on emails from authenticated users, but either I am not doing it right
> or I am missing the trick.
It was suggested that whitelisting > 127.0.0.1 would help but this does not seem to be the case. Our > mobiles are on UK Vodafone but, for example, one of the Directors is > currently roaming in Italy. > > I was looking at creating up a ruleset for the "Spam List = " to set > it to "" for emails from our domain (not ideal, but better than > nothing), but I cannot work out how to do this for selected domains. > > All hints and pointers appreciated. > > Thanks > > Nigel Kendrick > > ______________________________________________________________________ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From support-lists at petdoctors.co.uk Thu Dec 11 14:05:28 2008 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Dec 11 14:05:21 2008 Subject: Handling mobile users In-Reply-To: <4940E73D.4090007@alexb.ch> References: <4940E73D.4090007@alexb.ch> Message-ID: -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens Sent: Thursday, December 11, 2008 10:11 AM To: MailScanner discussion Subject: Re: Handling mobile users On 12/11/2008 10:39 AM, Nigel Kendrick wrote: > Hi, > > Any hints on handling mobile users where the sending domains keep hopping on > and off RBLs? I have asked this before but not really found a satisfactory > solution - for example, whitelisting our domain opens up the spam floodgate. > The ideal situation would be to skip RBL checks on emails from authenticated > users, but either I am not doing it right or I am missing the trick. It was > suggested that whitelisting 127.0.0.1 would help but this does not seem to > be the case. Our mobiles are on UK Vodafone but, for example, one of the > Directors is currently roaming in Italy. 
> > I was looking at creating up a ruleset for the "Spam List = " to set it to > "" for emails from our domain (not ideal, but better than nothing), but I > cannot work out how to do this for selected domains. > > All hints and pointers appreciated. >>imo, all mobile workers, even a director should VPN to your network and smtp-auth from there. >> >>Even if VPN ports are blocked @hotels, etc, its trivial to setup a VPN channel which listens on TCP 443 which is always open. >> >>or... >>lets assume you're not VPN yet doing RBL lookups @MTA level, smtp-auth'd users should be exempt from rbl lookups in the first place. >> >>There's hardly need to tweak MailScanner or SA if stuff is coming off your trusted network. >> >>or am I missing something? >> >>Ale Hi Alex, Thanks for the comments - I presume that the problem is because when the users send mail from their phones, their client is seen as something like 1234abcd@uk.access.vodafone.net and 'vodafone.net' has made it onto a blacklist? Nigel From MailScanner at ecs.soton.ac.uk Thu Dec 11 14:16:06 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 11 14:16:26 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> Message-ID: <494120A6.1000704@ecs.soton.ac.uk> The final solution ended up being rather more secure than the version I proposed yesterday, in order to avoid any possible extra privilege escalation bugs, whereby a user could have "root" effects while only getting "MailScanner Run As User" privileges. Anyway, I have published my solution, version 4.74.6. 
I would be grateful if you could test this and see if it works. All the -autoupdate scripts and -wrapper scripts have been replaced, there is a new "mailscanner_create_locks" script which is called automatically from a couple of places for you, and there are quite a few changes inside MailScanner too. Please let me know what you think works and what still doesn't work, if anything. Thanks! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From support-lists at petdoctors.co.uk Thu Dec 11 14:27:23 2008 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Dec 11 14:27:50 2008 Subject: Handling mobile users In-Reply-To: <1228994598.608.1.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1228994598.608.1.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <0CF7A3B5158E49ED868666A9F4C697EB@SUPPORT01V> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gareth Sent: Thursday, December 11, 2008 11:23 AM To: MailScanner discussion Subject: Re: Handling mobile users I have postfix configured to listen on port 587 aswell. All email to this port has to be authenticated and for these mails mailscanner is bypassed altogether. Any viruses will still be caught by the actual mail server as virus scanning is running on it aswell. On Thu, 2008-12-11 at 09:39, Nigel Kendrick wrote: > Hi, > > Any hints on handling mobile users where the sending domains keep > hopping on and off RBLs? 
I have asked this before but not really found > a satisfactory solution - for example, whitelisting our domain opens > up the spam floodgate. The ideal situation would be to skip RBL checks > on emails from authenticated users, but either I am not doing it right > or I am missing the trick. It was suggested that whitelisting > 127.0.0.1 would help but this does not seem to be the case. Our > mobiles are on UK Vodafone but, for example, one of the Directors is > currently roaming in Italy. > > I was looking at creating up a ruleset for the "Spam List = " to set > it to "" for emails from our domain (not ideal, but better than > nothing), but I cannot work out how to do this for selected domains. > > All hints and pointers appreciated. > > Thanks > > Nigel Kendrick > > ______________________________________________________________________ > -- Hi Gareth, I am already listening on 587. I set this up years ago to help out a home worker using AOL at the time. Can you give me any pointers on how to allow this route to bypass MailScanner? Thanks Nigel From support-lists at petdoctors.co.uk Thu Dec 11 14:29:42 2008 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Dec 11 14:30:19 2008 Subject: Handling mobile users In-Reply-To: <4940EC28.6050907@fsl.com> References: <4940EC28.6050907@fsl.com> Message-ID: <9C0CBCA9A9294A03BAACBD470B2A65EF@SUPPORT01V> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard Sent: Thursday, December 11, 2008 10:32 AM To: MailScanner discussion Subject: Re: Handling mobile users The 'Spam Domain=' list in MailScanner is pretty basic - you'd have to write a CustomFunction on it to parse the received headers inserted by your MTA and bypass it if the user were authenticated. 
I personally wouldn't do it that way - if I were you I would nuke the Spam Domain list entirely and configure your MTA to reject clients listed on zen.spamhaus.org at RCPT TO: time (e.g. delay checks), then your MTA can allow SMTP AUTH clients to send mail regardless of the RBL status of their IP address.

That will achieve what you need and reduce the load on your MailScanner box at the same time.

Cheers,
Steve.
--

Thanks Steve - any pointers on how to do this?

Nigel

From list-mailscanner at linguaphone.com Thu Dec 11 14:48:35 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Dec 11 14:48:51 2008
Subject: Handling mobile users
In-Reply-To: <0CF7A3B5158E49ED868666A9F4C697EB@SUPPORT01V>
References: <1228994598.608.1.camel@gblades-suse.linguaphone-intranet.co.uk> <0CF7A3B5158E49ED868666A9F4C697EB@SUPPORT01V>
Message-ID: <1229006914.615.14.camel@gblades-suse.linguaphone-intranet.co.uk>

In main.cf you will have a line like the following to define the header checks which in turn has a rule which puts all mail into the hold queue.

header_checks = regexp:/etc/postfix/header_checks

Now in master.cf you can have a line such as the following which listens on port 587 and overrides the recipient restrictions to force only authenticated users and also specifies a different header check file which doesn't put all mail into the hold queue.

587 inet n - n - - smtpd
  -o header_checks=regexp:/etc/postfix/header_checks_nomailscanner
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

On Thu, 2008-12-11 at 14:27, Nigel Kendrick wrote:
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gareth
> Sent: Thursday, December 11, 2008 11:23 AM
> To: MailScanner discussion
> Subject: Re: Handling mobile users
>
> I have postfix configured to listen on port 587 as well.
All email to > this port has to be authenticated and for these mails mailscanner is > bypassed altogether. Any viruses will still be caught by the actual mail > server as virus scanning is running on it as well. > > On Thu, 2008-12-11 at 09:39, Nigel Kendrick wrote: > > Hi, > > > > Any hints on handling mobile users where the sending domains keep > > hopping on and off RBLs? I have asked this before but not really found > > a satisfactory solution - for example, whitelisting our domain opens > > up the spam floodgate. The ideal situation would be to skip RBL checks > > on emails from authenticated users, but either I am not doing it right > > or I am missing the trick. It was suggested that whitelisting > > 127.0.0.1 would help but this does not seem to be the case. Our > > mobiles are on UK Vodafone but, for example, one of the Directors is > > currently roaming in Italy. > > > > I was looking at creating up a ruleset for the "Spam List = " to set > > it to "" for emails from our domain (not ideal, but better than > > nothing), but I cannot work out how to do this for selected domains. > > > > All hints and pointers appreciated. > > > > Thanks > > > > Nigel Kendrick > > > > ______________________________________________________________________ > > -- > > > Hi Gareth, > > I am already listening on 587. I set this up years ago to help out a home > worker using AOL at the time. Can you give me any pointers on how to allow > this route to bypass MailScanner?
> > Thanks > > Nigel From support-lists at petdoctors.co.uk Thu Dec 11 15:49:52 2008 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Dec 11 15:50:34 2008 Subject: Handling mobile users In-Reply-To: <1229006914.615.14.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1228994598.608.1.camel@gblades-suse.linguaphone-intranet.co.uk><0CF7A3B5158E49ED868666A9F4C697EB@SUPPORT01V> <1229006914.615.14.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <0CAE47A57B26485B9C8C28CC9F397EC1@SUPPORT01V> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gareth Sent: Thursday, December 11, 2008 2:49 PM To: MailScanner discussion Subject: RE: Handling mobile users In main.cf you will have a line like the following to define the header checks which in turn has a rule which puts all mail into the hold queue. header_checks = regexp:/etc/postfix/header_checks Now in master.cf you can have a line such as the following which listens on port 587 and overrides the recipient restrictions to force only authenticated users and also specifies a different header check file which doesn't put all mail into the hold queue. 587 inet n - n - - smtpd -o header_checks=regexp:/etc/postfix/header_checks_nomailscanner -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject Yep, that makes sense - much obliged.
Nigel From maillists at conactive.com Thu Dec 11 16:43:12 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Dec 11 16:43:23 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <494120A6.1000704@ecs.soton.ac.uk> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> <494120A6.1000704@ecs.soton.ac.uk> Message-ID: Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000: > Please let me know what you think works and what still doesn't work, if > anything. So far so good. Got this on first restart: Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership abilities on /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, please delete the file file doesn't exist, though. Directory contains lockfiles for all the virusscan wrappers, no matter if in use or not. Is this intended? Everything seems to be fine. How to test? Run /etc/cron.hourly/update_virus_scanners ? I also noticed a somewhat strange behavior of upgrade_MailScanner_conf. It mentioned Added new: Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif although this was already present in MailScanner.conf (from 4.74.4). One request for mailscanner*.rpm: could you add a check that stops creating the /etc/spamassassin/mailscanner.conf symlink in case there's already a symlink or file? I tried touching an empty file there, but the rpm just wiped it away. 
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From mark at msapiro.net Thu Dec 11 17:33:03 2008 From: mark at msapiro.net (Mark Sapiro) Date: Thu Dec 11 17:33:19 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: Message-ID: Kai Schaetzl wrote: >Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000: > >> Please let me know what you think works and what still doesn't work, if >> anything. > >So far so good. Got this on first restart: > >Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership >abilities on >/var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, please >delete the file > >file doesn't exist, though. Directory contains lockfiles for all the >virusscan wrappers, no matter if in use or not. Is this intended? > >Everything seems to be fine. Same here. (except for the pid in the file name) -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B.
Dylan From MailScanner at ecs.soton.ac.uk Thu Dec 11 19:59:20 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 11 19:59:46 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> <494120A6.1000704@ecs.soton.ac.uk> Message-ID: <49417118.6080109@ecs.soton.ac.uk> On 11/12/08 16:43, Kai Schaetzl wrote: > Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000: > > >> Please let me know what you think works and what still doesn't work, if >> anything. >> > > So far so good. Got this on first restart: > > Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership > abilities on > /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, please > delete the file > > file doesn't exist, though. Directory contains lockfiles for all the > virusscan wrappers, no matter if in use or not. Is this intended? > > Everything seems to be fine. > How to test? Run /etc/cron.hourly/update_virus_scanners ? > Do MailScanner --lint and /usr/sbin/update_virus_scanners If it complains about there not being a MailScannerCreateLocks or anything in /usr/lib/MailScanner/mailscanner_create_locks or the /usr/sbin/mailscanner_create_locks script not existing, please do ls -ld /usr/sbin/mail* /usr/sbin/Mail* > > I also noticed a somewhat strange behavior of upgrade_MailScanner_conf. It > mentioned > Added new: Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif > although this was already present in MailScanner.conf (from 4.74.4). > It should have said "Added new: Lockfile Dir = /var/spool/MailScanner/incoming/Locks" as well. 
That's to be expected, I needed to overwrite people's settings for those two. People never read instructions, so it's pointless just asking people to change it. > One request for mailscanner*.rpm: could you add a check that stops > creating the /etc/spamassassin/mailscanner.conf symlink in case there's > already a symlink or file? I tried touching an empty file there, but the > rpm just wiped it away. > I'll take a look. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Dec 11 20:24:07 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 11 20:24:36 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <49417118.6080109@ecs.soton.ac.uk> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> <494120A6.1000704@ecs.soton.ac.uk> <49417118.6080109@ecs.soton.ac.uk> Message-ID: <494176E7.7020909@ecs.soton.ac.uk> You seem to be getting an old version of the file. The mailscanner*rpm file itself should be 782198 11 Dec 14:02 mailscanner-4.74.6-1.noarch.rpm so 782198 bytes. Please compare this with what you have downloaded. 
On 11/12/08 19:59, Julian Field wrote: > > > On 11/12/08 16:43, Kai Schaetzl wrote: >> Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000: >> >>> Please let me know what you think works and what still doesn't work, if >>> anything. >> >> So far so good. Got this on first restart: >> >> Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership >> abilities on >> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, >> please >> delete the file >> >> file doesn't exist, though. Directory contains lockfiles for all the >> virusscan wrappers, no matter if in use or not. Is this intended? >> >> Everything seems to be fine. >> How to test? Run /etc/cron.hourly/update_virus_scanners ? > Do > MailScanner --lint > and > /usr/sbin/update_virus_scanners > > If it complains about there not being a MailScannerCreateLocks or > anything in /usr/lib/MailScanner/mailscanner_create_locks or the > /usr/sbin/mailscanner_create_locks script not existing, please do > ls -ld /usr/sbin/mail* /usr/sbin/Mail* > > >> >> I also noticed a somewhat strange behavior of >> upgrade_MailScanner_conf. It >> mentioned >> Added new: Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif >> although this was already present in MailScanner.conf (from 4.74.4). > It should have said "Added new: Lockfile Dir = > /var/spool/MailScanner/incoming/Locks" as well. That's to be expected, > I needed to overwrite people's settings for those two. People never > read instructions, so it's pointless just asking people to change it. > >> One request for mailscanner*.rpm: could you add a check that stops >> creating the /etc/spamassassin/mailscanner.conf symlink in case there's >> already a symlink or file? I tried touching an empty file there, but the >> rpm just wiped it away. > I'll take a look. 
> > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Dec 11 20:28:43 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 11 20:29:04 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <49417118.6080109@ecs.soton.ac.uk> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> <494120A6.1000704@ecs.soton.ac.uk> <49417118.6080109@ecs.soton.ac.uk> Message-ID: <494177FB.7010408@ecs.soton.ac.uk> I have just released 4.74.6-2 which is exactly the same code as -1 but there shouldn't be any doubt about filesizes now. Please upgrade to this one and try it again. On 11/12/08 19:59, Julian Field wrote: > > > On 11/12/08 16:43, Kai Schaetzl wrote: >> Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000: >> >>> Please let me know what you think works and what still doesn't work, if >>> anything. >> >> So far so good. Got this on first restart: >> >> Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership >> abilities on >> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, >> please >> delete the file >> >> file doesn't exist, though. Directory contains lockfiles for all the >> virusscan wrappers, no matter if in use or not. 
Is this intended? >> >> Everything seems to be fine. >> How to test? Run /etc/cron.hourly/update_virus_scanners ? > Do > MailScanner --lint > and > /usr/sbin/update_virus_scanners > > If it complains about there not being a MailScannerCreateLocks or > anything in /usr/lib/MailScanner/mailscanner_create_locks or the > /usr/sbin/mailscanner_create_locks script not existing, please do > ls -ld /usr/sbin/mail* /usr/sbin/Mail* > > >> >> I also noticed a somewhat strange behavior of >> upgrade_MailScanner_conf. It >> mentioned >> Added new: Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif >> although this was already present in MailScanner.conf (from 4.74.4). > It should have said "Added new: Lockfile Dir = > /var/spool/MailScanner/incoming/Locks" as well. That's to be expected, > I needed to overwrite people's settings for those two. People never > read instructions, so it's pointless just asking people to change it. > >> One request for mailscanner*.rpm: could you add a check that stops >> creating the /etc/spamassassin/mailscanner.conf symlink in case there's >> already a symlink or file? I tried touching an empty file there, but the >> rpm just wiped it away. > I'll take a look. > > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
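Added example (not part of the original thread and not MailScanner's code): the bug class named in this thread's subject line, a script writing to a predictable name in a directory other local users can write to, shown next to an exclusive-create writer and an audit of a private lock directory like the Lockfile Dir discussed above. All paths are constructed under a throwaway temp directory, and the function names are hypothetical.

```python
import os
import shutil
import stat
import tempfile


def write_marker_naive(path, text):
    """Pre-fix pattern: open() follows whatever already sits at a predictable name."""
    with open(path, "w") as fh:
        fh.write(text)


def write_marker_safe(path, text):
    """Create the file only if the name is unused; never follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)      # OSError if anything is already there
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)              # do not depend on the caller's umask
        fh.write(text)


def audit_lock_dir(directory):
    """Return findings for a lock directory: loose modes and symlinked entries."""
    st = os.lstat(directory)
    if stat.S_ISLNK(st.st_mode):
        return [f"{directory}: is itself a symlink"]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{directory}: world-writable, other users can pre-create names")
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        est = os.lstat(full)              # lstat: inspect the entry, not its target
        if stat.S_ISLNK(est.st_mode):
            findings.append(f"{name}: symlink -> {os.readlink(full)}")
        elif est.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {stat.S_IMODE(est.st_mode):04o}, expected 0600")
    return findings


def _read(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Run both writers against a constructed directory tree and report what happened."""
    root = tempfile.mkdtemp(prefix="lockdemo-")
    try:
        shared = os.path.join(root, "shared-tmp")   # stands in for a shared temp dir
        locks = os.path.join(root, "Locks")         # stands in for a private lock dir
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        os.mkdir(locks)
        os.chmod(locks, 0o700)

        victim = os.path.join(root, "important.conf")
        with open(victim, "w") as fh:
            fh.write("original\n")

        # Constructed fixture: the predictable name is already taken by a link.
        predictable = os.path.join(shared, "scanner.lock")
        os.symlink(victim, predictable)

        write_marker_naive(predictable, "locked\n")
        naive_clobbered = _read(victim) == "locked\n"

        with open(victim, "w") as fh:               # restore before the second run
            fh.write("original\n")
        try:
            write_marker_safe(predictable, "locked\n")
            safe_refused = False
        except OSError:
            safe_refused = True
        victim_intact = _read(victim) == "original\n"

        # Same writer inside a directory only the service account can write to.
        write_marker_safe(os.path.join(locks, "clamavBusy.lock"), "")
        return {
            "naive_clobbered": naive_clobbered,
            "safe_refused": safe_refused,
            "victim_intact": victim_intact,
            "shared_findings": audit_lock_dir(shared),
            "private_findings": audit_lock_dir(locks),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On Linux the fs.protected_symlinks sysctl additionally refuses to follow another user's symlink in a sticky world-writable directory; the fixture here is created by the same user, so the naive write still goes through.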
From mark at msapiro.net Thu Dec 11 21:05:09 2008 From: mark at msapiro.net (Mark Sapiro) Date: Thu Dec 11 21:05:30 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <49417118.6080109@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > >On 11/12/08 16:43, Kai Schaetzl wrote: >> Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000: >> >> >>> Please let me know what you think works and what still doesn't work, if >>> anything. >>> >> >> So far so good. Got this on first restart: >> >> Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership >> abilities on >> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, please >> delete the file >> >> file doesn't exist, though. Directory contains lockfiles for all the >> virusscan wrappers, no matter if in use or not. Is this intended? >> >> Everything seems to be fine. >> How to test? Run /etc/cron.hourly/update_virus_scanners ? >> >Do >MailScanner --lint >and >/usr/sbin/update_virus_scanners > >If it complains about there not being a MailScannerCreateLocks or >anything in /usr/lib/MailScanner/mailscanner_create_locks or the >/usr/sbin/mailscanner_create_locks script not existing, please do >ls -ld /usr/sbin/mail* /usr/sbin/Mail* MailScanner --lint looks good. /usr/sbin/update_virus_scanners produces no error. 
Everything seems to be working normally, but each time a child starts, a message like the following is logged: Dec 11 11:24:07 sbh16 MailScanner[23654]: Could not test file ownership abilities on /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.23654, please delete the file and no such file exists after the fact: [root@sbh16 ~]# ls -l /var/spool/MailScanner/incoming/Locks/ total 4 -rw------- 1 postfix postfix 0 Dec 11 09:18 antivirBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 avastBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 avgBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 bitdefenderBusy.lock -rw------- 1 postfix postfix 49 Dec 11 12:28 clamavBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 cssBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 esetsBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 etrustBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 f-prot-6Busy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 f-protBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 f-secureBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 genericBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 inoculanBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 kasperskyBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 mcafeeBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 nod32Busy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 normanBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 pandaBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 ravBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 sophosBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 symscanengineBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 trendBusy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 vba32Busy.lock -rw------- 1 postfix postfix 0 Dec 11 09:18 vexiraBusy.lock [root@sbh16 ~]# cat /var/spool/MailScanner/incoming/Locks/clamavBusy.lock Virus checker locked for scanning by clamd 23654 [root@sbh16 ~]# Is the above log 
message significant? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From maillists at conactive.com Thu Dec 11 21:31:21 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Dec 11 21:31:33 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <494177FB.7010408@ecs.soton.ac.uk> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> <494120A6.1000704@ecs.soton.ac.uk> <494177FB.7010408 Message-ID: @ecs.soton.ac.uk> Reply-To: mailscanner@lists.mailscanner.info Julian Field wrote on Thu, 11 Dec 2008 20:28:43 +0000: > I have just released 4.74.6-2 -rw-r--r-- 1 root root 4868907 Dec 11 15:02 MailScanner-4.74.6- 1.rpm.tar.gz -rw-r--r-- 1 root root 4868804 Dec 11 21:26 MailScanner-4.74.6- 2.rpm.tar.gz I see now that the "Could not test file ownership abilities" occurred more often than just on first restart. It didn't occur with this restart. Apart from that it seems to be working fine, with or without that error. I notice that both, MailScanner and the update wrapper, are writing to the lockfile (in this case clamavBusy.lock). Won't this create any problem? Or, as you seem to be writing line by line the current lock status, won't this slow down performance a bit? (write that line to it, search/find it, delete it ... for each batch). 
Wait, it's still happening, it just took some time to get in the log: Dec 11 22:01:59 d01 MailScanner[15174]: Could not test file ownership abilities on /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.15174, please delete the file Somehow it doesn't seem to be able to confirm that the file is gone (it is gone!). Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Dec 11 21:31:21 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Dec 11 21:31:34 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <494176E7.7020909@ecs.soton.ac.uk> References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> <494120A6.1000704@ecs.soton.ac.uk> <494176E7.7020909 Message-ID: @ecs.soton.ac.uk> Reply-To: mailscanner@lists.mailscanner.info Julian Field wrote on Thu, 11 Dec 2008 20:24:07 +0000: > 782198 11 Dec 14:02 mailscanner-4.74.6-1.noarch.rpm > so 782198 bytes. Please compare this with what you have downloaded. -rw-r--r-- 1 root root 782198 Dec 11 15:02 mailscanner-4.74.6-1.noarch.rpm -rw-r--r-- 1 root root 782261 Dec 11 21:26 mailscanner-4.74.6-2.noarch.rpm > MailScanner --lint > and > /usr/sbin/update_virus_scanners > > If it complains about there not being a MailScannerCreateLocks or > anything in /usr/lib/MailScanner/mailscanner_create_locks or the > /usr/sbin/mailscanner_create_locks script not existing, please do > ls -ld /usr/sbin/mail* /usr/sbin/Mail* everything fine.
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From mmcintosh at infowall.com Fri Dec 12 06:09:58 2008 From: mmcintosh at infowall.com (mmcintosh) Date: Fri Dec 12 06:10:57 2008 Subject: MailScanner MailWatch Multi-Domain SPAM issue Message-ID: <1229062198.29037.40.camel@Sphinx-Dev> Hello All, I have an issue with people from the same domain xxx@example.com sending to yyy@example.com sending mail to each other and the mail being listed as spam. I am not sure at this point if this is a mailwatch or mailscanner issue. How do I assure that this does not happen??? I have not had this issue before with any other domain. This is a newly added domain but nothing has changed I am on centos 5.2 mailscanner version 4.71.10 MailWatch 1.04 Is it possible or advisable to whitelist domains within my list to be auto white listed ?? why from the same domain would a piece of mail come up as spam (just text mail no attachments) ?? If I have not included enough information please excuse I am not as familiar with this as I should be I have many systems to take care of (I have the book and do the best I can) Mark McIntosh -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Fri Dec 12 06:35:33 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Dec 12 06:35:44 2008 Subject: MailScanner MailWatch Multi-Domain SPAM issue In-Reply-To: <1229062198.29037.40.camel@Sphinx-Dev> References: <1229062198.29037.40.camel@Sphinx-Dev> Message-ID: <49420635.4020909@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mmcintosh wrote: > I have an issue with people from the same domain xxx@example.com sending > to yyy@example.com sending mail to each other and the mail being listed > as spam. I am not sure at this point if this is a mailwatch or > mailscanner issue. How do I assure that this does not happen???
I have > not had this issue before with any other domain. This is a newly added > domain but nothing has changed I am on centos 5.2 mailscanner version > 4.71.10 MailWatch 1.04 Why bother scanning local traffic? > Is it possible or advisable to whitelist domains within my list to be > auto white listed ?? If you like spam. Then by all means. But I get plenty of spam sent in that claims to be either from me or someone else in my domain. > why from the same domain would a piece of mail come up as spam (just > text mail no attachments) ?? You are the person to answer that. You got the messages with headers. You got the logs. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJQgYzBvzDRVjxmYERAtAHAJ9PYyNp4FdptAVxoDu5XXJPDU7QFQCgohVu S0poMQlcLckVsmWjFmokMoc= =IokE -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Fri Dec 12 09:13:08 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Dec 12 09:13:29 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: Message-ID: <49422B24.7040900@ecs.soton.ac.uk> On 11/12/08 21:05, Mark Sapiro wrote: > Julian Field wrote: > >> On 11/12/08 16:43, Kai Schaetzl wrote: >> >>> Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000: >>> >>> >>> >>>> Please let me know what you think works and what still doesn't work, if >>>> anything. >>>> >>>> >>> So far so good.
Got this on first restart: >>> >>> Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership >>> abilities on >>> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, please >>> delete the file >>> >>> file doesn't exist, though. Directory contains lockfiles for all the >>> virusscan wrappers, no matter if in use or not. Is this intended? >>> >>> Everything seems to be fine. >>> How to test? Run /etc/cron.hourly/update_virus_scanners ? >>> >>> >> Do >> MailScanner --lint >> and >> /usr/sbin/update_virus_scanners >> >> If it complains about there not being a MailScannerCreateLocks or >> anything in /usr/lib/MailScanner/mailscanner_create_locks or the >> /usr/sbin/mailscanner_create_locks script not existing, please do >> ls -ld /usr/sbin/mail* /usr/sbin/Mail* >> > > > MailScanner --lint looks good. > > /usr/sbin/update_virus_scanners produces no error. > > Everything seems to be working normally, but each time a child starts, > a message like the following is logged: > > Dec 11 11:24:07 sbh16 MailScanner[23654]: Could not test file ownership > abilities on > /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.23654, > please delete the file > Please try the attached /usr/lib/MailScanner/MailScanner/WorkArea.pm file and restart MailScanner. That should have fixed that problem. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: WorkArea.pm.zip Type: application/zip Size: 3745 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081212/6aa8a2f1/WorkArea.pm.zip From MailScanner at ecs.soton.ac.uk Fri Dec 12 09:13:56 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Dec 12 09:14:17 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <87tz9kho6h.fsf@hp-factory.de> <493D368B.30409@ecs.soton.ac.uk> <44089.62.128.6.83.1228823883.squirrel@mail.lksoft.com> <72cf361e0812090646u8340daao6a42ede5cd2ed851@mail.gmail.com> <1228853960.7516.8.camel@baddis-laptop> <00F0C59F-86F8-458A-9180-ADF94F1D1280@nz.lemon-computing.com> <493FFA8F.9010600@ecs.soton.ac.uk> <494120A6.1000704@ecs.soton.ac.uk> <494177FB.7010408 Message-ID: <49422B54.2000503@ecs.soton.ac.uk> On 11/12/08 21:31, Kai Schaetzl wrote: > @ecs.soton.ac.uk> > Reply-To: mailscanner@lists.mailscanner.info > > Julian Field wrote on Thu, 11 Dec 2008 20:28:43 +0000: > > >> I have just released 4.74.6-2 >> > > -rw-r--r-- 1 root root 4868907 Dec 11 15:02 MailScanner-4.74.6- > 1.rpm.tar.gz > -rw-r--r-- 1 root root 4868804 Dec 11 21:26 MailScanner-4.74.6- > 2.rpm.tar.gz > > I see now that the "Could not test file ownership abilities" occurred more > often than just on first restart. It didn't occur with this restart. > Apart from that it seems to be working fine, with or without that error. > I notice that both, MailScanner and the update wrapper, are writing to the > lockfile (in this case clamavBusy.lock). Won't this create any problem? > Or, as you seem to be writing line by line the current lock status, won't > this slow down performance a bit? (write that line to it, search/find it, > delete it ... for each batch). > This is how it has always worked, I have just moved the lock files. 
> Wait, it's still happening, it just took some time to get in the log: > Dec 11 22:01:59 d01 MailScanner[15174]: Could not test file ownership > abilities on > /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.15174, please > delete the file > > Somehow it doesn't seem to be able to confirm that the file is gone (it is > gone!). > The WorkArea.pm in my previous post will hopefully get rid of that. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Dec 12 09:29:30 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Dec 12 09:29:50 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <49422B24.7040900@ecs.soton.ac.uk> References: <49422B24.7040900@ecs.soton.ac.uk> Message-ID: <49422EFA.2020801@ecs.soton.ac.uk> I have just released 4.74.7 which fixes this problem and upgrades "tnef" to 1.4.5. On 12/12/08 09:13, Julian Field wrote: > > > On 11/12/08 21:05, Mark Sapiro wrote: >> Julian Field wrote: >>> On 11/12/08 16:43, Kai Schaetzl wrote: >>>> Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000: >>>> >>>> >>>>> Please let me know what you think works and what still doesn't >>>>> work, if >>>>> anything. >>>>> >>>> So far so good. 
Got this on first restart: >>>> >>>> Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership >>>> abilities on >>>> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, >>>> please >>>> delete the file >>>> >>>> file doesn't exist, though. Directory contains lockfiles for all the >>>> virusscan wrappers, no matter if in use or not. Is this intended? >>>> >>>> Everything seems to be fine. >>>> How to test? Run /etc/cron.hourly/update_virus_scanners ? >>>> >>> Do >>> MailScanner --lint >>> and >>> /usr/sbin/update_virus_scanners >>> >>> If it complains about there not being a MailScannerCreateLocks or >>> anything in /usr/lib/MailScanner/mailscanner_create_locks or the >>> /usr/sbin/mailscanner_create_locks script not existing, please do >>> ls -ld /usr/sbin/mail* /usr/sbin/Mail* >> >> >> MailScanner --lint looks good. >> >> /usr/sbin/update_virus_scanners produces no error. >> >> Everything seems to be working normally, but each time a child starts, >> a message like the following is logged: >> >> Dec 11 11:24:07 sbh16 MailScanner[23654]: Could not test file ownership >> abilities on >> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.23654, >> please delete the file > Please try the attached /usr/lib/MailScanner/MailScanner/WorkArea.pm > file and restart MailScanner. That should have fixed that problem. > > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From prandal at herefordshire.gov.uk Fri Dec 12 10:18:20 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Dec 12 10:18:38 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <49422EFA.2020801@ecs.soton.ac.uk> References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> Looks like WorkArea.pm is missing a use File::Temp; Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 12 December 2008 09:30 To: MailScanner discussion Subject: Re: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks I have just released 4.74.7 which fixes this problem and upgrades "tnef" to 1.4.5. 
From MailScanner at ecs.soton.ac.uk Fri Dec 12 10:29:50 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Dec 12 10:30:13 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> Message-ID: <49423D1E.3030703@ecs.soton.ac.uk> I have released a -2 to fix this. Sorry about that. On 12/12/08 10:18, Randal, Phil wrote: > Looks like WorkArea.pm is missing a > > use File::Temp; > > Cheers, > > Phil > > > -- > Phil Randal | Networks Engineer > Herefordshire Council | Deputy Chief Executive's Office | I.C.T. > Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > email: prandal@herefordshire.gov.uk > > Any opinion expressed in this e-mail or any attached files are those of > the individual and not necessarily those of Herefordshire Council. > > This e-mail and any attached files are confidential and intended solely > for the use of the addressee. This communication may contain material > protected by law from being passed on.
From maillists at conactive.com Fri Dec 12 11:07:14 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Fri Dec 12 11:07:24 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> Message-ID: Phil Randal wrote on Fri, 12 Dec 2008 10:18:20 -0000: > Looks like WorkArea.pm is missing a > > use File::Temp; Adding it at the start of the file didn't help. Jules, I reverted to the original WorkArea.pm. Mail is now processing again. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From prandal at herefordshire.gov.uk Fri Dec 12 11:23:38 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Dec 12 11:24:03 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <49423D1E.3030703@ecs.soton.ac.uk> References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk><7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> <49423D1E.3030703@ecs.soton.ac.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA056F89EE@HC-MBX02.herefordshire.gov.uk> Fabulous. Works for me. Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 12 December 2008 10:30 To: MailScanner discussion Subject: Re: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks I have released a -2 to fix this. Sorry about that. On 12/12/08 10:18, Randal, Phil wrote: > Looks like WorkArea.pm is missing a > > use File::Temp; > > Cheers, > > Phil > > > -- > Phil Randal | Networks Engineer > Herefordshire Council | Deputy Chief Executive's Office | I.C.T. > Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > email: prandal@herefordshire.gov.uk > > Any opinion expressed in this e-mail or any attached files are those > of the individual and not necessarily those of Herefordshire Council. > > This e-mail and any attached files are confidential and intended > solely for the use of the addressee. This communication may contain > material protected by law from being passed on. 
From MailScanner at ecs.soton.ac.uk Fri Dec 12 11:53:15 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Dec 12 11:53:37 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> Message-ID: <494250AB.2010305@ecs.soton.ac.uk> On 12/12/08 11:07, Kai Schaetzl wrote: > Phil Randal wrote on Fri, 12 Dec 2008 10:18:20 -0000: > > >> Looks like WorkArea.pm is missing a >> >> use File::Temp; >> > > Adding it at the start of the file didn't help. Jules, I reverted to the > original WorkArea.pm. Mail is now processing again. > That's because that's not what you need to add, it was your guess at what you needed to add :-) Download the -2 release and you'll be fine, that has the correct line at the top I believe. Jules
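Added example, not part of the thread and not MailScanner's WorkArea.pm (which is not shown here): the log lines quoted earlier in this thread name a test file after the process ID in the Locks directory, and the replies point at File::Temp. The Perl below contrasts a PID-named file opened with a plain open() against O_CREAT|O_EXCL and File::Temp; the scratch directory, important.conf and the ownertest.$$ name are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed stand-ins: a scratch directory plays the shared lock directory,
# and important.conf plays a file that the daemon's user is able to write.
my $locks  = tempdir(CLEANUP => 1);
my $victim = "$locks/important.conf";

sub write_file {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $text;
    close($fh) or die "close $path: $!";
}

sub read_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;                       # slurp the whole file
    my $text = <$fh>;
    close $fh;
    return $text;
}

# Before: the name is derived from the PID, so it can be guessed in advance.
# A plain open('>') follows a symlink sitting at that path and truncates
# whatever the link points to.
sub ownertest_predictable {
    my ($dir) = @_;
    my $path = "$dir/ownertest.$$";
    open(my $fh, '>', $path) or return 0;
    print {$fh} "ownertest\n";
    close $fh;
    unlink $path;
    return 1;
}

# Hardened, fixed name: O_CREAT|O_EXCL fails with EEXIST if anything, a
# symlink included, already exists at the path, so nothing is followed.
sub ownertest_excl {
    my ($dir) = @_;
    my $path = "$dir/ownertest.$$";
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} "ownertest\n";
    close $fh;
    unlink $path;
    return 1;
}

# Hardened, random name: File::Temp picks an unpredictable suffix and
# creates the file exclusively, so a pre-planted PID-named link is never used.
sub ownertest_tempfile {
    my ($dir) = @_;
    my ($fh, $path) = tempfile('ownertest.XXXXXXXX', DIR => $dir);
    print {$fh} "ownertest\n";
    close $fh;
    unlink $path;
    return 1;
}

# Simulates what the bug report describes: a link left at the guessable name
# before the daemon creates its test file.
sub plant_link {
    my ($dir) = @_;
    my $link = "$dir/ownertest.$$";
    unlink $link if -l $link;
    symlink($victim, $link) or die "symlink: $!";
}

sub report {
    my ($label, $created) = @_;
    my $state = read_file($victim) eq "original\n" ? 'intact' : 'overwritten';
    printf "%-18s created=%d target=%s\n", $label, $created, $state;
}

for my $case (
    [ 'predictable open', \&ownertest_predictable ],
    [ 'O_CREAT|O_EXCL',   \&ownertest_excl ],
    [ 'File::Temp',       \&ownertest_tempfile ],
) {
    my ($label, $code) = @$case;
    write_file($victim, "original\n");   # reset the target file
    plant_link($locks);                  # link waits at the guessable name
    report($label, $code->($locks));
}
```

Only the first variant changes the target file; the O_EXCL variant refuses to create its test file while the link is present, and the File::Temp variant creates it under a different name.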
From maillists at conactive.com Fri Dec 12 14:12:38 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Fri Dec 12 14:12:59 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <494250AB.2010305@ecs.soton.ac.uk> References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> <494250AB.2010305@ecs.soton.ac.uk> Message-ID: Julian Field wrote on Fri, 12 Dec 2008 11:53:15 +0000: > That's because that's not what you need to add, it was your guess at > what you needed to add :-) It was almost correct, good guess by Phil. > Download the -2 release and you'll be fine, that has the correct line at > the top I believe. Installed, and it's processing. Good thing about all these rapid deployments after a while of not updating is that I wrote me a script now that just needs the version no. and takes care of the rest. Have a healthy weekend! Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From Tony.Yates at brunel.ac.uk Fri Dec 12 14:13:04 2008 From: Tony.Yates at brunel.ac.uk (Tony Yates) Date: Fri Dec 12 14:13:13 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <494250AB.2010305@ecs.soton.ac.uk> References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> <494250AB.2010305@ecs.soton.ac.uk> Message-ID: Julian, The 4.74.7-2 beta package Solaris/Others seems to be missing the tnef tarball? Regards, Tony..
-- Tony Yates Computer Centre, Brunel University, Uxbridge UB8 3PH Assistant Director Tel: 01895 265699 E-mail: Tony.Yates@brunel.ac.uk ------------------------------------------------------------------------ From MailScanner at ecs.soton.ac.uk Fri Dec 12 14:44:21 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Dec 12 14:44:42 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> <494250AB.2010305@ecs.soton.ac.uk> Message-ID: <494278C5.4060200@ecs.soton.ac.uk> Should be in 4.74.7-3. Thanks for reporting that. I'll fix my scripts one of these days so I don't need to tweak them in as many places! :-) Jules. On 12/12/08 14:13, Tony Yates wrote: > Julian, > > The 4.74.7-2 beta package Solaris/Others seems to be missing the tnef > tarball? > > Regards, > > Tony.. > > -- > Tony Yates Computer Centre, Brunel University, Uxbridge UB8 3PH > Assistant Director Tel: 01895 265699 E-mail: Tony.Yates@brunel.ac.uk > ------------------------------------------------------------------------ > > Jules
From mark at msapiro.net Fri Dec 12 16:14:31 2008 From: mark at msapiro.net (Mark Sapiro) Date: Fri Dec 12 16:14:42 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: <49422B24.7040900@ecs.soton.ac.uk> References: <49422B24.7040900@ecs.soton.ac.uk> Message-ID: <20081212161431.GA1356@msapiro> On Fri, Dec 12, 2008 at 09:13:08AM +0000, Julian Field wrote: > > > On 11/12/08 21:05, Mark Sapiro wrote: > > > >Everything seems to be working normally, but each time a child starts, > >a message like the following is logged: > > > >Dec 11 11:24:07 sbh16 MailScanner[23654]: Could not test file ownership > >abilities on > >/var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.23654, > >please delete the file > > > Please try the attached /usr/lib/MailScanner/MailScanner/WorkArea.pm > file and restart MailScanner. That should have fixed that problem. > I'm a little slow. By the time I got to this it was 4.74.7-3, but I've installed that and the spurious log message is gone and everything else seems fine. Thank you. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From hvdkooij at vanderkooij.org Fri Dec 12 16:19:00 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Dec 12 16:19:10 2008 Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks In-Reply-To: References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> <494250AB.2010305@ecs.soton.ac.uk> Message-ID: <49428EF4.2000903@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kai Schaetzl wrote: > Julian Field wrote on Fri, 12 Dec 2008 11:53:15 +0000: >> Download the -2 release and you'll be fine, that has the correct line at >> the top I believe. > > Installed, and it's processing. Good thing about all these rapid > deployments after a while of not updating is that I wrote me a script now > that just needs the version no. and takes care of the rest. Care to share it with the rest of the world? Put it online somewhere if you want others to enjoy it too. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJQo7zBvzDRVjxmYERAqWAAKCUdxwIkUYnWG/qvH+nkpgtOncQlACgkDcX wCW1CZrqM9T3T8+qV5F9ilY= =YlAp -----END PGP SIGNATURE----- From mmcintosh at infowall.com Fri Dec 12 18:29:26 2008 From: mmcintosh at infowall.com (mmcintosh) Date: Fri Dec 12 18:31:44 2008 Subject: MailScanner MailWatch Multi-Domain SPAM issue In-Reply-To: <49420635.4020909@vanderkooij.org> References: <1229062198.29037.40.camel@Sphinx-Dev> <49420635.4020909@vanderkooij.org> Message-ID: <1229106566.29037.57.camel@Sphinx-Dev> On Fri, 2008-12-12 at 07:35 +0100, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > mmcintosh wrote: > > > I have an issue with people from the same domain xxx@example.com sending > > to yyy@example.com sending mail to each other and the mail being listed > > as spam. I am not sure at this point if this is a mailwatch or > > mailscanner issue. How do I assure that this does not happen??? I have > > not had this issue before with any other domain. This is a newly added > > domain but nothing has changed I am on centos 5.2 mailscanner version > > 4.71.10 MailWatch 1.04 > > Why bother scanning local traffic? > > > Is it possible or advisable to whitelist domains within my list to be > > auto white listed ?? > > If you like spam. Then by all means. But I get plenty of spam send in > that claims to be either from me or someone else in my domain. > > > why from the same doamin would a piece of mail come up as spam (just > > text mail no attachments) ?? > > You are the person to answer that. You got the messages with headers. > You got the logs. > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? 
Click on http://spamornot.org/ and rate those images. > > Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFJQgYzBvzDRVjxmYERAtAHAJ9PYyNp4FdptAVxoDu5XXJPDU7QFQCgohVu > S0poMQlcLckVsmWjFmokMoc= > =IokE > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Thanks for the response. I am including one of the headers and as can be seen it comes up as not spam. I agree I do not want to be scanning local traffic. I also don't want spam or anything like it. I pulled out the book looked for ways to skip scanning outbound from local. I am still at a loss as to what is causing this I have turned on the rule for spamassassin loging on rule hits. 
Any other ideas would be appreciated Mark McIntosh In my MailScanner/rules/spam.whitelist.rules From: 127.0.0.1 yes From: xxx.xxx.xxx.xxx yes (ip address of mail server) FromOrTo: defualt no I also changed Always Include SpamAssassin Report = yes to no MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_058A_01C956B8.50EFE500" X-Mailer: Microsoft Office Outlook 11 Thread-Index: AclW4jdeL+xf8wkPQ2KxGuEEua7A4w== X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579 X-Snakehill-MailScanner-Information: Please contact the ISP for more information X-Snakehill-MailScanner-ID: A833C14C001.B5DC0 X-Snakehill-MailScanner: Found to be clean X-Snakehill-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.001, required 5, autolearn=not spam, BAYES_50 0.00, HTML_MESSAGE 0.00, SPF_PASS -0.00) X-Snakehill-MailScanner-From: xxx@example.com X-Snakehill-MailScanner-Watermark: 1229090604.01629@G833yJfZg +9N0EPryIIXqg X-Spam-Status: No -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lists at designmedia.com Sat Dec 13 00:02:22 2008 From: lists at designmedia.com (Henry Kwan) Date: Sat Dec 13 00:02:38 2008 Subject: Mailscanner, CentOS 5, and updating perl. References: Message-ID: Kai Schaetzl conactive.com> writes: > > It popped up because you were installing 1.41 from Jules over 1.42 from CentOS > base. Again. (It was already part of MS 4.71). Not because 1.42 was on the > system. So, depending on your update cycle you were updating, overwriting, > updating, overwriting that and maybe other packages ... > [snip] > Here's the quick output, hope this helps. > Hi Kai, I figured out why my MS install didn't want to start with perl-Compress-Zlib 1.42-1.fc6. For some reason, MS didn't think that Scalar-List-Utils was installed. Once I re-installed Scalar-List-Utils-1.19, I was able to yum update to perl-Compress-Zlib 1.42-1.fc6 and MS restarted without any hiccups. Weird. 
Thanks for the tip/list about installing MS without any of the associated perl modules. I'll have to give that a try on a fresh test box when I get the chance. --Henry From ssilva at sgvwater.com Sat Dec 13 00:12:48 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Dec 13 00:13:09 2008 Subject: Mailscanner, CentOS 5, and updating perl. In-Reply-To: References: Message-ID: on 12-12-2008 4:02 PM Henry Kwan spake the following: > Kai Schaetzl conactive.com> writes: > > >> It popped up because you were installing 1.41 from Jules over 1.42 from CentOS >> base. Again. (It was already part of MS 4.71). Not because 1.42 was on the >> system. So, depending on your update cycle you were updating, overwriting, >> updating, overwriting that and maybe other packages ... >> [snip] >> Here's the quick output, hope this helps. >> > > Hi Kai, > > I figured out why my MS install didn't want to start with perl-Compress-Zlib > 1.42-1.fc6. For some reason, MS didn't think that Scalar-List-Utils was > installed. Once I re-installed Scalar-List-Utils-1.19, I was able to yum update > to perl-Compress-Zlib 1.42-1.fc6 and MS restarted without any hiccups. > > Weird. > > Thanks for the tip/list about installing MS without any of the associated perl > modules. I'll have to give that a try on a fresh test box when I get the chance. > > --Henry > > If you are going to install on a fresh CentOS 5 base you should try Hugo's yum repo... http://yum.vanderkooij.org/ -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081212/f96cdb72/signature.bin From hvdkooij at vanderkooij.org Sat Dec 13 08:30:49 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Dec 13 08:31:00 2008 Subject: MailScanner MailWatch Multi-Domain SPAM issue In-Reply-To: <1229106566.29037.57.camel@Sphinx-Dev> References: <1229062198.29037.40.camel@Sphinx-Dev> <49420635.4020909@vanderkooij.org> <1229106566.29037.57.camel@Sphinx-Dev> Message-ID: <494372B9.1020903@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mmcintosh wrote: > On Fri, 2008-12-12 at 07:35 +0100, Hugo van der Kooij wrote: > mmcintosh wrote: > >>>> I have an issue with people from the same domain xxx@example.com sending >>>> to yyy@example.com sending mail to each other and the mail being listed >>>> as spam. I am not sure at this point if this is a mailwatch or >>>> mailscanner issue. How do I assure that this does not happen??? I have >>>> not had this issue before with any other domain. This is a newly added >>>> domain but nothing has changed I am on centos 5.2 mailscanner version >>>> 4.71.10 MailWatch 1.04 > Why bother scanning local traffic? > >>>> Is it possible or advisable to whitelist domains within my list to be >>>> auto white listed ?? > If you like spam. Then by all means. But I get plenty of spam send in > that claims to be either from me or someone else in my domain. > >>>> why from the same doamin would a piece of mail come up as spam (just >>>> text mail no attachments) ?? > You are the person to answer that. You got the messages with headers. > You got the logs. > I am including one of the headers and as can be seen it comes up as not > spam. > I agree I do not want to be scanning local traffic. I also don't want > spam or anything like it. I pulled out the book looked for ways to skip > scanning outbound from local. 
> I am still at a loss as to what is causing this. I have turned on the
> rule for spamassassin logging on rule hits. Any other ideas would be
> appreciated
> Mark McIntosh

> In my MailScanner/rules/spam.whitelist.rules
> From: 127.0.0.1 yes
> From: xxx.xxx.xxx.xxx yes (ip address of mail server)
> FromOrTo: defualt no

This line will not work. Try using "default" instead.

But are you actually calling on this rules file in the MailScanner
config itself? If you only changed this file then nothing will happen.

> I also changed Always Include SpamAssassin Report = yes to no

> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_058A_01C956B8.50EFE500"
> X-Mailer: Microsoft Office Outlook 11
> Thread-Index: AclW4jdeL+xf8wkPQ2KxGuEEua7A4w==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
> X-Snakehill-MailScanner-Information: Please contact the ISP for more
> information
> X-Snakehill-MailScanner-ID: A833C14C001.B5DC0
> X-Snakehill-MailScanner: Found to be clean
> X-Snakehill-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=0.001, required 5, autolearn=not spam, BAYES_50 0.00,
> HTML_MESSAGE 0.00, SPF_PASS -0.00)
> X-Snakehill-MailScanner-From: xxx@example.com
> X-Snakehill-MailScanner-Watermark: 1229090604.01629@G833yJfZg
> +9N0EPryIIXqg
> X-Spam-Status: No

Well this clearly is not listed as spam by MailScanner. If it is listed
as spam in MailWatch you need to address the issue on the MailWatch
mailing list but I suggest you include relevant details like version info,
config details, log sample, .....

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJQ3K3BvzDRVjxmYERAkntAJ0dx/9MxtTwPYmYXQFVsM3PGC7u3ACeJTvH
6yD3v5KRZMu3nfUWiOPOBuw=
=CyUa
-----END PGP SIGNATURE-----

From email at ace.net.au Sat Dec 13 12:13:07 2008
From: email at ace.net.au (Peter Nitschke)
Date: Sat Dec 13 12:14:26 2008
Subject: Mailscanner, CentOS 5, and updating perl.
In-Reply-To:
References:
Message-ID: <200812132243070421.013B95DB@web.ace.net.au>

On 12/12/2008 at 4:12 PM Scott Silva wrote:

>If you are going to install on a fresh CentOS 5 base you should try Hugo's
>yum
>repo... http://yum.vanderkooij.org/

I can completely recommend this too.

Peter

From achim+mailscanner at qustodium.net Mon Dec 15 00:14:58 2008
From: achim+mailscanner at qustodium.net (Achim J. Latz)
Date: Mon Dec 15 00:16:46 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
Message-ID: <4945A182.2050505@qustodium.net>

In case others are receiving errors from their update scripts [1]:

"Sanesecurity signatures are no longer being updated or distributed due
to extremely high server resource usage, which appears to be from a
distributed denial of service attack (DDoS). I've moved server hosts
twice (which takes time) and both times have resulted in the site being
suspended.

As many of you know, I produce the signatures and run the site, in my
spare time and with Christmas approaching I'm finding my spare time is
currently limited.

Hopefully this won't be the end of the signatures and I'm hoping that
they may return in the New Year.

May I take this opportunity to thank everyone who has helped this
project, either by providing samples, bandwidth, download scripts or
donating.

Thanks and sorry to let you all down.

Steve
Sanesecurity"

[1] http://www.sanesecurity.com/clamav/

From beatinger at edenhosting.net Mon Dec 15 04:17:56 2008
From: beatinger at edenhosting.net (Bjorgen T.
Eatinger) Date: Mon Dec 15 04:18:29 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST Message-ID: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why? 2. There has been (for at least the last 3 weeks) a recent huge flood of emails that are setup to "appear" to have originated from the same email address which the SPAM is being sent to, and the addresses are perfectly valid addresses stored on our email server (NOT ACCOUNTS, but valid ALIASES). For example a valid alias on our mail server would be: booking@edenaudio.com The SPAM email is SENT to that email address and is also setup to COME from that address. Has there been any discussion or attempts to get rid of this most annoying new type of SPAM? I don't see it as very difficult to catch, as the following conditions are always TRUE in all cases: a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done when testing) b. Almost every email contains "status" in the subject c. Every email always contains HTML and the words "click here" in every one (see below) I believe any one of these items would work to stop this flood of email (especially b or c). Can you please let me know how I could implement any one or all of these methods? Thank you!
Click here to try!

Crazy weight loss formula


Arab and Middle East leaders meet in Riyadh, Saudifun."
into a different phase" of operations, and that Iran hasWednesday, March 28, 2007
63 seats are required for a majority government inreport was tabled.
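The three conditions (a), (b) and (c) listed in the message above, written as a header and body check over constructed sample messages. This is an added example, not code from the list or from MailScanner; the addresses, relay IPs, the trusted-relay exemption for self-addressed test mail and the verdict rule in is_suspect are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: hosts allowed to submit mail whose From equals its To
# (the poster notes this normally only happens when testing).
TRUSTED_RELAYS = frozenset({"127.0.0.1", "192.0.2.25"})

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_TAG = re.compile(r"<[^>]+>")


def _addresses(msg, header):
    """Lower-cased addr-specs from every occurrence of one header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}


def _delivering_ip(msg):
    """IP from the topmost Received header, the one written by our own MTA.

    Lower Received headers are supplied by the sender and can be forged.
    """
    received = msg.get_all("Received", [])
    match = _BRACKETED_IP.search(received[0]) if received else None
    return match.group(1) if match else None


def _html_click_here(msg):
    """True if a text part carries HTML and its visible text says 'click here'.

    Parts labelled text/plain that still contain tags are treated as HTML.
    """
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # bogus charset label
            text = payload.decode("latin-1")
        is_html = part.get_content_type() == "text/html" or bool(_TAG.search(text))
        # Drop tags and fold whitespace so "<b>Click</b> here" still matches.
        visible = " ".join(_TAG.sub(" ", text).split()).lower()
        if is_html and "click here" in visible:
            return True
    return False


def check_message(raw, trusted_relays=TRUSTED_RELAYS):
    """Return the names of the conditions (a, b, c) that the message meets."""
    msg = message_from_string(raw)
    hits = set()
    self_addressed = _addresses(msg, "From") & _addresses(msg, "To")
    # A message with no parsable relay IP is treated as external.
    if self_addressed and _delivering_ip(msg) not in trusted_relays:
        hits.add("a_from_equals_to")
    if re.search("status", str(msg.get("Subject", "")), re.IGNORECASE):
        hits.add("b_subject_status")
    if _html_click_here(msg):
        hits.add("c_html_click_here")
    return hits


def is_suspect(hits):
    """Assumed policy: forged self-address plus at least one content hit."""
    return "a_from_equals_to" in hits and len(hits) >= 2


# Constructed sample messages (not taken from the list).
SPOOFED = """\
Received: from host.example.net (host.example.net [203.0.113.7])
\tby mx.example.com with SMTP; Mon, 15 Dec 2008 04:00:00 -0800
From: booking@example.com
To: booking@example.com
Subject: Re: Order status
MIME-Version: 1.0
Content-Type: text/html

<html><body><a href="http://shop.example.invalid/"><b>Click</b> here</a> to try!</body></html>
"""

SELF_TEST = """\
Received: from desk.example.com (desk.example.com [192.0.2.25])
\tby mx.example.com with SMTP; Mon, 15 Dec 2008 09:00:00 -0800
From: booking@example.com
To: booking@example.com
Subject: test

testing 1 2 3
"""

EXTERNAL_OK = """\
Received: from mail.example.net (mail.example.net [198.51.100.9])
\tby mx.example.com with SMTP; Mon, 15 Dec 2008 10:00:00 -0800
From: Alice <alice@example.net>
To: booking@example.com
Subject: Project status

The weekly report is attached.
"""
```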
From brent.addis at spit.gen.nz Mon Dec 15 04:36:37 2008 From: brent.addis at spit.gen.nz (Brent Addis) Date: Mon Dec 15 04:37:00 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> Message-ID: <1229315797.7241.93.camel@baddis-laptop> On Sun, 2008-12-14 at 20:17 -0800, Bjorgen T. Eatinger wrote: > 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why? > > 2. There has been (for at least the last 3 weeks) a recent huge flood of emails that are setup to "appear" to have originated from the same email address which the SPAM is being sent to, and the addresses are perfectly valid addresses stored on our email server (NOT ACCOUNTS, but valid ALIASES). > > For example a valid alias on our mail server would be: booking@edenaudio.com > > The SPAM email is SENT to that email address and is also setup to COME from that address. > > Has there been any discussion or attempts to get rid of this most annoying new type of SPAM? I don't see it as very difficult to catch, as the following conditions are always TRUE in all cases: > > a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done when testing) > > b. Almost every email contains "status" in the subject > > c. Every email always contains HTML and the words "click here" in every one (see below) > > I believe any one of these items would work to stop this flood of email (especially b or c). Can you please let me know how I could implement any one or all of these methods? > > Thank you! > > > >
Click here to try!
>
Crazy weight loss formula
>

> Arab and Middle East leaders meet in Riyadh, Saudifun."
> into a different phase" of operations, and that Iran hasWednesday, March 28, 2007
> 63 seats are required for a majority government inreport was tabled.
> > 1 - uhh. what? I rarely see anything go unanswered 2 - Setup SPF or DKIM or both. I am guessing the mail isn't coming from your mail server in the first place? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/6c062d31/attachment.html From hvdkooij at vanderkooij.org Mon Dec 15 06:30:20 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Dec 15 06:30:31 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> Message-ID: <4945F97C.7010007@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bjorgen T. Eatinger wrote: > 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why? Maybe because you are SHOUTING? Which is considered rather rude. Maybe because you send out email marked as plain text yet include HTML in it? And whatever is included looks a darn lot like spam. X-VANDERKOOIJ-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, score=11.349, required 3, BAYES_00 -2.60, DIET_1 0.08, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_DNSWL_LOW -1.00, SPF_PASS -0.00, SUBJ_ALL_CAPS 2.08, URIBL_AB_SURBL 1.86, URIBL_BLACK 1.96, URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SBL 1.50, URIBL_SC_SURBL 0.47, URIBL_WS_SURBL 1.50) You managed to get a "kill me for I am spam" score with your message. So get rid of the spam in your messages. Maybe because you are unaware of the common rules for questions on mailinglists like the useful hints given in http://www.catb.org/%7Eesr/faqs/smart-questions.html Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. 
>>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJRfl6BvzDRVjxmYERAnVlAJ4tx5X+b38cfk7vNKAbPs6vWaBG7wCeKcSD ofpvOUIEawj8DEJ9zH+VzrQ= =1Qk4 -----END PGP SIGNATURE----- From james at gray.net.au Mon Dec 15 06:44:04 2008 From: james at gray.net.au (James Gray) Date: Mon Dec 15 06:44:43 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> Message-ID: <82748E48-E455-4312-BF92-2DFA9EC349EE@gray.net.au> On 15/12/2008, at 3:17 PM, Bjorgen T. Eatinger wrote: > 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why? > > 2. There has been (for at least the last 3 weeks) a recent huge > flood of emails that are setup to "appear" to have originated from > the same email address which the SPAM is being sent to, and the > addresses are perfectly valid addresses stored on our email server > (NOT ACCOUNTS, but valid ALIASES). > > For example a valid alias on our mail server would be: booking@edenaudio.com > > The SPAM email is SENT to that email address and is also setup to > COME from that address. > > Has there been any discussion or attempts to get rid of this most > annoying new type of SPAM? I don't see it as very difficult to > catch, as the following conditions are always TRUE in all cases: > > a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done > when testing) > > b. Almost every email contains "status" in the subject > > c. Every email always contains HTML and the words "click here" in > every one (see below) > > I believe any one of these items would work to stop this flood of > email (especially b or c). 
Can you please let me know how I could
> implement any one or all of these methods?

Whoa dude - slow down. Maybe I missed it, but I haven't seen any
previous questions from you on this matter. Maybe I missed them too?
BTW, starting a post to *any* list with "NOBODY EVER ANSWERS QUESTIONS
TO THIS LIST" is an almost guaranteed way to construct a self-fulfilling
prophecy ;)

In answer to your questions, the same TO/FROM address I'll leave for
someone else and the remainder of your analysis should be enough.
Simply add the following to /etc/MailScanner/spamassassin.prefs.conf:

header __SUBJ_STATUS Subject =~ /status/i
body __BODY_CLK_HERE /click here/i
rawbody __BODY_HTML /(?:\|\|\)/i
meta MYSPAM_RULE_1 (__SUBJ_STATUS && __BODY_CLK_HERE && __BODY_HTML)
describe MYSPAM_RULE_1 This message appears to be spam
score MYSPAM_RULE_1 6.0

This isn't perfect, but it should give you a starting point. For
future reference, if you have some web space where you can put a RAW
copy of the message other people can have a look at it and together we
can make some rules to address your specific problem.

In future, if you flame everyone on the list with accusations of
ignoring you, I personally will do exactly that :) I have been active
(for various values of active) on this list for several years and
always found this community attentive, informative and extremely
helpful. Please be polite and show respect - especially if you expect
the same in return.

Peace,

James

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/pkcs7-signature Size: 2417 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/b8fdc71e/smime.bin From jcputter at numata.co.za Mon Dec 15 10:06:27 2008 From: jcputter at numata.co.za (JC Putter) Date: Mon Dec 15 10:06:47 2008 Subject: Adding RBL Checks to MailScanner Message-ID: Hi I want Mailscanner make use of RBL checks, i know of the option in MailScanner.conf called "spam list =" Do i point it to a file listed with the list of rbl url's or how used the file be constructed? Currently my file contains the following: SORBS-DNSBL dnsbl.sorbs.net. SORBS-HTTP http.dnsbl.sorbs.net. SORBS-SOCKS socks.dnsbl.sorbs.net. SORBS-MISC misc.dnsbl.sorbs.net. SORBS-SMTP smtp.dnsbl.sorbs.net. SORBS-WEB web.dnsbl.sorbs.net. SORBS-SPAM spam.dnsbl.sorbs.net. SORBS-BLOCK block.dnsbl.sorbs.net. SORBS-ZOMBIE zombie.dnsbl.sorbs.net. SORBS-DUL dul.dnsbl.sorbs.net. SORBS-RHSBL rhsbl.sorbs.net. SORBS-DNSBL dnsbl.sorbs.net. SORBS-HTTP http.dnsbl.sorbs.net. SORBS-SOCKS socks.dnsbl.sorbs.net. SORBS-MISC misc.dnsbl.sorbs.net. SORBS-SMTP smtp.dnsbl.sorbs.net. SORBS-WEB web.dnsbl.sorbs.net. SORBS-SPAM spam.dnsbl.sorbs.net. SORBS-BLOCK block.dnsbl.sorbs.net. SORBS-ZOMBIE zombie.dnsbl.sorbs.net. SORBS-DUL dul.dnsbl.sorbs.net. SORBS-RHSBL rhsbl.sorbs.net. spamhaus-XBL xbl.spamhaus.org. spamhaus-PBL pbl.spamhaus.org. spamhaus-ZEN zen.spamhaus.org. SBL+XBL sbl-xbl.spamhaus.org. spamcop.net bl.spamcop.net. NJABL dnsbl.njabl.org. This message has been scanned by Nexus Mail Gateway -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/d9d6f92c/attachment.html

From maillists at conactive.com Mon Dec 15 12:03:35 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Dec 15 12:03:52 2008
Subject: Adding RBL Checks to MailScanner
In-Reply-To:
References:
Message-ID:

JC Putter wrote on Mon, 15 Dec 2008 12:06:27 +0200:

> Currently my file contains the following:

Oh, my god! You ought to *inform* yourself about RBLs before you use them!
Then you would know that you duplicate, triplicate or what not in this list.
Just grepping RBLs from a mailing list or some sites about RBLs is not the
right way to go! And you do not want to use more than three. Anything over
that just adds latency, but no better detection.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mikael at syska.dk Mon Dec 15 12:16:08 2008
From: mikael at syska.dk (Mikael Syska)
Date: Mon Dec 15 12:16:18 2008
Subject: Adding RBL Checks to MailScanner
In-Reply-To:
References:
Message-ID: <6beca9db0812150416q505575e1s2e253f1f3ccbab73@mail.gmail.com>

Hi,

On Mon, Dec 15, 2008 at 11:06 AM, JC Putter wrote:
> Hi
>
> I want Mailscanner make use of RBL checks, i know of the option in
> MailScanner.conf called "spam list ="
>
> Do i point it to a file listed with the list of rbl url's or how used the
> file be constructed?
>

Not a file ... the list should be loaded ... Just add the names from the
file to the lists you want to use ....

From the mailscanner.conf file:

# This is the name of the file that translates the names of the "Spam List"
# values to the real DNS names of the spam blacklists.
Spam List Definitions = %etc-dir%/spam.lists.conf

# This is the list of spam blacklists (RBLs) which you are using.
# See the "Spam List Definitions" file for more information about what
# you can put here.
# This can also be the filename of a ruleset.
Spam List = spamhaus-ZEN # SORBS-DNSBL spamcop.net NJABL # You can un-comment this to enable them

>
> Currently my file contains the following:
>
> SORBS-DNSBL dnsbl.sorbs.net.
> SORBS-HTTP http.dnsbl.sorbs.net.
> SORBS-SOCKS socks.dnsbl.sorbs.net.
> SORBS-MISC misc.dnsbl.sorbs.net.
> SORBS-SMTP smtp.dnsbl.sorbs.net.
> SORBS-WEB web.dnsbl.sorbs.net.
> SORBS-SPAM spam.dnsbl.sorbs.net.
> SORBS-BLOCK block.dnsbl.sorbs.net.
> SORBS-ZOMBIE zombie.dnsbl.sorbs.net.
> SORBS-DUL dul.dnsbl.sorbs.net.
> SORBS-RHSBL rhsbl.sorbs.net.
> SORBS-DNSBL dnsbl.sorbs.net.
> SORBS-HTTP http.dnsbl.sorbs.net.
> SORBS-SOCKS socks.dnsbl.sorbs.net.
> SORBS-MISC misc.dnsbl.sorbs.net.
> SORBS-SMTP smtp.dnsbl.sorbs.net.
> SORBS-WEB web.dnsbl.sorbs.net.
> SORBS-SPAM spam.dnsbl.sorbs.net.
> SORBS-BLOCK block.dnsbl.sorbs.net.
> SORBS-ZOMBIE zombie.dnsbl.sorbs.net.
> SORBS-DUL dul.dnsbl.sorbs.net.
> SORBS-RHSBL rhsbl.sorbs.net.
> spamhaus-XBL xbl.spamhaus.org.
> spamhaus-PBL pbl.spamhaus.org.
> spamhaus-ZEN zen.spamhaus.org.
> SBL+XBL sbl-xbl.spamhaus.org.
> spamcop.net bl.spamcop.net.
> NJABL dnsbl.njabl.org.
>
> __________ Information from ESET NOD32 Antivirus, version of virus signature
> database 3373 (20080821) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
> This message has been scanned by Nexus Mail Gateway
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> > best regards Mikael Syska From ggroot at ateneo.unile.it Mon Dec 15 13:11:43 2008 From: ggroot at ateneo.unile.it (Gigio) Date: Mon Dec 15 13:12:05 2008 Subject: Not send notification to recipient In-Reply-To: <91B823FF3DAA9404D45088CF@sherlockholmes.local> References: <91B823FF3DAA9404D45088CF@sherlockholmes.local> Message-ID: <4946578F.5020909@ateneo.unile.it> Hi, Is there any way to do NOT send notification to recipient when attach exceed Maximum Attachment Size limit ? Thanks, Gg From gesbbb at yahoo.com Mon Dec 15 13:35:55 2008 From: gesbbb at yahoo.com (Jerry) Date: Mon Dec 15 13:36:10 2008 Subject: Not send notification to recipient In-Reply-To: <4946578F.5020909@ateneo.unile.it> References: <91B823FF3DAA9404D45088CF@sherlockholmes.local> <4946578F.5020909@ateneo.unile.it> Message-ID: <20081215083555.38840874@scorpio> On Mon, 15 Dec 2008 14:11:43 +0100 Gigio wrote: >Hi, >Is there any way to do NOT send notification to recipient when >attach exceed Maximum Attachment Size limit ? A policy that precludes the notification that an item could not/was not delivered, and the specific reason for such action would inevitably cause problems for both the sender and the intended recipient. Exactly what problem are you attempting to rectify? -- Jerry gesbbb@yahoo.com Cold, adj.: When the politicians walk around with their hands in their own pockets. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/18e553d4/signature.bin From ka at pacific.net Mon Dec 15 15:04:52 2008 From: ka at pacific.net (Ken A) Date: Mon Dec 15 15:04:59 2008 Subject: Sanesecurity signatures are no longer being updated or distributed In-Reply-To: <4945A182.2050505@qustodium.net> References: <4945A182.2050505@qustodium.net> Message-ID: <49467214.5070802@pacific.net> Achim J. 
Latz wrote: > In case others are receiving errors from their update scripts [1]: > > "Sanesecurity signatures are no longer being updated or distributed due > to extremely high server resource usage, which appears to be from a > distributed denial of service attack (DDoS). I've moved server hosts > twice (which takes time) and both times have resulted in the site being > suspened. > > As many of you know, I produce the signatures and run the site, in my > spare time and with Christmas approaching I?m finding my spare time is > currently limited. > > Hopefully this won?t be the end of the signatures and I?m hoping that > they may return in the New Year. > > May I take this opportunity to thank everyone who has helped this > project, either by providing samples, bandwidth, download scripts or > donating. > > Thanks and sorry to let you all down. > > Steve > Sanesecurity" > > [1] http://www.sanesecurity.com/clamav/ That's too bad. I really saw a decent amount of crap detection. Any other 3rd party sigs that are recommended? I had tried msrbl sigs a while back and they produced a few fps, which isn't really tolerable with clamav sigs. Perhaps they have improved the process? Ken -- Ken Anderson http://www.pacific.net/ From nassera at alz-inc.com Mon Dec 15 15:12:06 2008 From: nassera at alz-inc.com (Nasser Al-Zawawi) Date: Mon Dec 15 15:12:21 2008 Subject: Consistent SPAM messages getting through Message-ID: Hi, I have RedHat ES 4 server running sendmail (8.13.1) and I am using the latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin 3.2.5. Lately this kind of message has been getting through: It says it is coming from my email or an alias on my system and it is marked urgent the subject is something like: "Your order", "Re: Your order", "Delivery Status Notification", "Delivery Status Notification (Failure)". The content is a jpg picture of Viagra, CIALIS, LEVITRA and VPXL drugs. Here is the message html source: -------------- Having
trouble viewing this email?
Click here to view as a webpage. --------- and here is the Internet headers: --------- Return-Path: Received: from catv54033BF7.pool.t-online.hu (catv54033BF7.pool.t-online.hu [84.3.59.247]) by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBFEokoH025796 for ; Mon, 15 Dec 2008 09:50:47 -0500 Date: Mon, 15 Dec 2008 09:50:46 -0500 From: Nasser Al-Zawawi Message-Id: <200812151450.mBFEokoH025796@www.alz-inc.com> To: Subject: Re: Order status MIME-Version: 1.0 Importance: High Content-Type: text/html X-alz-inc-MailScanner-Information: Please contact the ISP for more information X-alz-inc-MailScanner-ID: mBFEokoH025796 X-alz-inc-MailScanner: Found to be clean X-alz-inc-MailScanner-From: sales@alz-inc.com X-Spam-Status: No Status: O X-UID: 455634 Content-Length: 364 X-Keywords: ----------- They seem to come in patches of 4 (4 emails at a time). I had it before I upgraded to the latest version and after upgrading. I probably get about 80 message of this type per day. Other types of SPAMs seem to be under control but this type is getting though. I appreciate any help with this problem. Best regards, Nasser -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/90fb06f1/attachment.html From ggroot at ateneo.unile.it Mon Dec 15 15:16:39 2008 From: ggroot at ateneo.unile.it (Gigio) Date: Mon Dec 15 15:17:05 2008 Subject: Not send notification to recipient In-Reply-To: <20081215083555.38840874@scorpio> References: <91B823FF3DAA9404D45088CF@sherlockholmes.local> <4946578F.5020909@ateneo.unile.it> <20081215083555.38840874@scorpio> Message-ID: <494674D7.4000702@ateneo.unile.it> >> Hi, >> Is there any way to do NOT send notification to recipient when >> attach exceed Maximum Attachment Size limit ? 
>>
>
> A policy that precludes the notification that an item could not/was not
> delivered, and the specific reason for such action would inevitably
> cause problems for both the sender and the intended recipient. Exactly
> what problem are you attempting to rectify?
>

in MailScanner.conf I set

Maximum Attachment Size = %rules-dir%/max.attach.size.rules

#############
#max.attach.size.rules
#############
From: xxx@yyy.com 1M
FromOrTo: default 25M
##############

I would like not notification to recipients when attach exceed Maximum
Attachment Size limit and sender is xxx@yyy.com

gg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/5fb4c44f/attachment.html

From jcputter at numata.co.za Mon Dec 15 15:30:30 2008
From: jcputter at numata.co.za (JC Putter)
Date: Mon Dec 15 15:31:03 2008
Subject: Consistent SPAM messages getting through
In-Reply-To:
References:
Message-ID:

Nasser

Maybe this can be of a little help, the mail came through on my side as
spam, with these hits

 2.00  DCC_CHECK            Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.65  DRUGS_ERECTILE       Refers to an erectile drug
 1.54  DRUG_ED_CAPS         Mentions an E.D. drug
 0.00  HTML_MESSAGE         HTML included in message
-1.00  RCVD_IN_DNSWL_LOW    Sender listed at http://www.dnswl.org/, low trust
 1.69  RCVD_IN_NJABL_PROXY  NJABL: sender is an open proxy
 0.74  SARE_HTML_A_BODY     Message body has very strange HTML sequence
 1.67  SARE_HTML_IMG_ONLY   Short HTML msg, IMG and A HREF, maybe naught else
 1.61  URIBL_AB_SURBLt      Contains an URL listed in the AB SURBL blocklist
 4.00  URIBL_JP_SURBL       Contains an URL listed in the JP SURBL blocklist
 2.13  URIBL_OB_SURBL       Contains an URL listed in the OB SURBL blocklist
 2.47  URIBL_SBL            Contains an URL listed in the SBL blocklist
 2.52  URIBL_SC_SURBL       Contains an URL listed in the SC SURBL blocklist
 2.10  URIBL_WS_SURBL       Contains an URL listed in the WS SURBL blocklist

It pickup on the urls in the mail, http://couragedoctor.com

I use the SARE ruleset for spamassassin, maybe you should try it......

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nasser Al-Zawawi
Sent: 15 December 2008 05:12 PM
To: mailscanner@lists.mailscanner.info
Subject: Consistent SPAM messages getting through

Hi,

I have RedHat ES 4 server running sendmail (8.13.1) and I am using the
latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin
3.2.5. Lately this kind of message has been getting through:

It says it is coming from my email or an alias on my system and it is
marked urgent the subject is something like: "Your order", "Re: Your
order", "Delivery Status Notification", "Delivery Status Notification
(Failure)". The content is a jpg picture of Viagra, CIALIS, LEVITRA and
VPXL drugs.

Here is the message html source:

--------------

Having trouble viewing this email?
Click here to view as a webpage. --------- and here is the Internet headers: --------- Return-Path: Received: from catv54033BF7.pool.t-online.hu (catv54033BF7.pool.t-online.hu [84.3.59.247]) by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBFEokoH025796 for ; Mon, 15 Dec 2008 09:50:47 -0500 Date: Mon, 15 Dec 2008 09:50:46 -0500 From: Nasser Al-Zawawi Message-Id: <200812151450.mBFEokoH025796@www.alz-inc.com> To: Subject: Re: Order status MIME-Version: 1.0 Importance: High Content-Type: text/html X-alz-inc-MailScanner-Information: Please contact the ISP for more information X-alz-inc-MailScanner-ID: mBFEokoH025796 X-alz-inc-MailScanner: Found to be clean X-alz-inc-MailScanner-From: sales@alz-inc.com X-Spam-Status: No Status: O X-UID: 455634 Content-Length: 364 X-Keywords: ----------- They seem to come in patches of 4 (4 emails at a time). I had it before I upgraded to the latest version and after upgrading. I probably get about 80 message of this type per day. Other types of SPAMs seem to be under control but this type is getting though. I appreciate any help with this problem. Best regards, Nasser This message has been scanned by Nexus Mail Gateway __________ Information from ESET NOD32 Antivirus, version of virus signature database 3373 (20080821) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com This message has been scanned by Nexus Mail Gateway -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/ae88e59d/attachment.html From nassera at alz-inc.com Mon Dec 15 16:13:41 2008 From: nassera at alz-inc.com (Nasser Al-Zawawi) Date: Mon Dec 15 16:13:52 2008 Subject: Alias rule help Message-ID: <82B7A20399E24D3B9DA3445BBA1EB0F6@ALZGW2kXPMC> Hi, I have a RedHat ES 4 server running sendmail (8.13.1) and I am using the latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin 3.2.5. 
I need help with a rule that should block all outside users from sending emails to our aliases and only allow them to come from people from our domain. For example we have an alias called _all_users_ and it is literally all users on the system. Somehow spammers are able to see these aliases on the system (I hope there is a way to disallow them from seeing the aliases) and then they are sending SPAMs to these aliases so when they send a spam to _ all_users_@domain.com everybody gets that spam. Could somebody write this rule and show what directive to put in the MailScanner.conf if any. I have tried a few but none worked. Best regards, Nasser -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/ed9150f0/attachment.html From stef at aoc-uk.com Mon Dec 15 16:15:53 2008 From: stef at aoc-uk.com (Stef Morrell) Date: Mon Dec 15 16:21:57 2008 Subject: Sanesecurity signatures are no longer being updated ordistributed In-Reply-To: References: <4945A182.2050505@qustodium.net> Message-ID: <200812151621.mBFGLmRT011879@safir.blacknight.ie> ka@pacific.net wrote: > That's too bad. I really saw a decent amount of crap detection. > Any other 3rd party sigs that are recommended? > You could look at http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatur es.shtml http://www.malware.com.br/lists.shtml Stef -- Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. 
GB734421454 From maxsec at gmail.com Mon Dec 15 16:38:32 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Dec 15 16:40:14 2008 Subject: Consistent SPAM messages getting through In-Reply-To: References: Message-ID: <72cf361e0812150838m78a86c96g9eb57541c6c59d43@mail.gmail.com> 2008/12/15 Nasser Al-Zawawi : > Hi, > > I have RedHat ES 4 server running sendmail (8.13.1) and I am using the > latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin > 3.2.5. Lately this kind of message has been getting through: > > It says it is coming from my email or an alias on my system and it is marked > urgent the subject is something like: "Your order", "Re: Your order", > "Delivery Status Notification", "Delivery Status Notification (Failure)". > The content is a jpg picture of Viagra, CIALIS, LEVITRA and VPXL drugs. > > Here is the message html source: > > -------------- > > > > > > > > > > > > Having trouble
> viewing this email?
>
> Click here to view as a webpage. > > --------- > > and here is the Internet headers: > > --------- > > Return-Path: > > Received: from catv54033BF7.pool.t-online.hu (catv54033BF7.pool.t-online.hu > [84.3.59.247]) > > by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBFEokoH025796 > > for ; Mon, 15 Dec 2008 09:50:47 -0500 > > Date: Mon, 15 Dec 2008 09:50:46 -0500 > > From: Nasser Al-Zawawi > > Message-Id: <200812151450.mBFEokoH025796@www.alz-inc.com> > > To: > > Subject: Re: Order status > > MIME-Version: 1.0 > > Importance: High > > Content-Type: text/html > > X-alz-inc-MailScanner-Information: Please contact the ISP for more > information > > X-alz-inc-MailScanner-ID: mBFEokoH025796 > > X-alz-inc-MailScanner: Found to be clean > > X-alz-inc-MailScanner-From: sales@alz-inc.com > > X-Spam-Status: No > > Status: O > > X-UID: 455634 > > Content-Length: 364 > > X-Keywords: > > ----------- > > > > They seem to come in patches of 4 (4 emails at a time). I had it before I > upgraded to the latest version and after upgrading. I probably get about 80 > message of this type per day. Other types of SPAMs seem to be under control > but this type is getting though. I appreciate any help with this problem. > > > > Best regards, > > Nasser > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > If you can post more than just the html source to a pastbin or web page (ie full raw message, headers and everything) people can check their setup and see what extra rules (like dcc/razor/SARE etc) hit. 
--
Martin Hepworth
Oxford, UK

From steve.freegard at fsl.com Mon Dec 15 16:50:55 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Dec 15 16:51:06 2008
Subject: Consistent SPAM messages getting through
In-Reply-To:
References:
Message-ID: <49468AEF.1030206@fsl.com>

Have you whitelisted your own e-mail address or domain?? If so - then that is part of the problem.

Also - consider using some RBLs in your MTA:

[root@mail src]# host 84.3.59.247
247.59.3.84.in-addr.arpa domain name pointer catv54033BF7.pool.t-online.hu.
[root@mail src]# host 247.59.3.84.zen.spamhaus.org
247.59.3.84.zen.spamhaus.org has address 127.0.0.11
247.59.3.84.zen.spamhaus.org has address 127.0.0.4

The host that input this message was already listed in Spamhaus XBL and PBL lists.

Regards,
Steve.

Nasser Al-Zawawi wrote:
> Hi,
>
> I have RedHat ES 4 server running sendmail (8.13.1) and I am using the
> latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin
> 3.2.5. Lately this kind of message has been getting through:
>
> It says it is coming from my email or an alias on my system and it is
> marked urgent the subject is something like: "Your order", "Re: Your
> order", "Delivery Status Notification", "Delivery Status Notification
> (Failure)". The content is a jpg picture of Viagra, CIALIS, LEVITRA and
> VPXL drugs.
>
> Here is the message html source:
>
> --------------
>
> Having
> trouble viewing this email?
> 
> Click here to view as a webpage. > > --------- > > and here is the Internet headers: > > --------- > > Return-Path: > > Received: from catv54033BF7.pool.t-online.hu > (catv54033BF7.pool.t-online.hu [84.3.59.247]) > > by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBFEokoH025796 > > for ; Mon, 15 Dec 2008 09:50:47 -0500 > > Date: Mon, 15 Dec 2008 09:50:46 -0500 > > From: Nasser Al-Zawawi > > Message-Id: <200812151450.mBFEokoH025796@www.alz-inc.com> > > To: > > Subject: Re: Order status > > MIME-Version: 1.0 > > Importance: High > > Content-Type: text/html > > X-alz-inc-MailScanner-Information: Please contact the ISP for more > information > > X-alz-inc-MailScanner-ID: mBFEokoH025796 > > X-alz-inc-MailScanner: Found to be clean > > X-alz-inc-MailScanner-From: sales@alz-inc.com > > X-Spam-Status: No > > Status: O > > X-UID: 455634 > > Content-Length: 364 > > X-Keywords: > > ----------- > > > > They seem to come in patches of 4 (4 emails at a time). I had it before > I upgraded to the latest version and after upgrading. I probably get > about 80 message of this type per day. Other types of SPAMs seem to be > under control but this type is getting though. I appreciate any help > with this problem. > > > > Best regards, > > > Nasser > > > From matteo.filippetto at gmail.com Mon Dec 15 17:12:33 2008 From: matteo.filippetto at gmail.com (matteo filippetto) Date: Mon Dec 15 17:14:14 2008 Subject: quarantine release subject Message-ID: Hi all, I would like to modify this parameter define(QUARANTINE_SUBJECT, 'Message released from quarantine'); of conf.php as when I release a message from quarantine that message should have the same subject of the original email? Is it possible? 
Thank you very much Best regards -- Matteo Filippetto From maxsec at gmail.com Mon Dec 15 17:45:23 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Dec 15 17:47:22 2008 Subject: Alias rule help In-Reply-To: <82B7A20399E24D3B9DA3445BBA1EB0F6@ALZGW2kXPMC> References: <82B7A20399E24D3B9DA3445BBA1EB0F6@ALZGW2kXPMC> Message-ID: <72cf361e0812150945j43a570a2nbf463aea3adb983e@mail.gmail.com> 2008/12/15 Nasser Al-Zawawi : > Hi, > > I have a RedHat ES 4 server running sendmail (8.13.1) and I am using the > latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin > 3.2.5. I need help with a rule that should block all outside users from > sending emails to our aliases and only allow them to come from people from > our domain. For example we have an alias called _all_users_ and it is > literally all users on the system. Somehow spammers are able to see these > aliases on the system (I hope there is a way to disallow them from seeing > the aliases) and then they are sending SPAMs to these aliases so when they > send a spam to _all_users_@domain.com everybody gets that spam. Could > somebody write this rule and show what directive to put in the > MailScanner.conf if any. I have tried a few but none worked. > > > > > > Best regards, > > Nasser > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Nasser I'd do this at the MTA level. Put in a check for 'valid' users, You'll more than likely also need to split the emails into single recipients so emails to fred@domain & all_users@domain don't go through due the to envelope recipient being fred@domain. 
-- Martin Hepworth Oxford, UK From roland at inbox4u.de Mon Dec 15 18:32:59 2008 From: roland at inbox4u.de (Ehle, Roland) Date: Mon Dec 15 18:34:13 2008 Subject: AW: quarantine release subject In-Reply-To: References: Message-ID: Hi Matteo, a little bit off-topic because MailWatch related, but if you set define(QUARANTINE_USE_SENDMAIL, true); in your conf.php the original subject is kept. Please note, if you release messages, that were quarantined due to bad attachments, the mail might not be delivered, if you have Microsoft Exchange Servers for the mailboxes, because the message ID is kept too. Regards, Roland ________________________________ Von: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] im Auftrag von matteo filippetto [matteo.filippetto@gmail.com] Gesendet: Montag, 15. Dezember 2008 18:12 An: MailScanner discussion Betreff: quarantine release subject Hi all, I would like to modify this parameter define(QUARANTINE_SUBJECT, 'Message released from quarantine'); of conf.php as when I release a message from quarantine that message should have the same subject of the original email? Is it possible? Thank you very much Best regards -- Matteo Filippetto -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081215/be40079b/attachment-0001.html From nassera at alz-inc.com Mon Dec 15 19:41:14 2008 From: nassera at alz-inc.com (Nasser Al-Zawawi) Date: Mon Dec 15 19:41:26 2008 Subject: Consistent SPAM messages getting through In-Reply-To: <49468AEF.1030206@fsl.com> Message-ID: Not sure if this is what you mean, but I have this line uncommented in my /etc/MailScanner/MailScanner.conf: Spam List = spamhaus-ZEN So it should be checking with spamhaus RBL Best regards, Nasser Al-Zawawi ALZ, Inc. http://www.alz-inc.com/ Phone: 313 887-9345 Fax: 888 467-1853 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard Sent: Monday, December 15, 2008 11:51 AM To: MailScanner discussion Subject: Re: Consistent SPAM messages getting through Have you whitelisted your own e-mail address or domain?? If so - then that is part of the problem. Also - consider using some RBLs in your MTA: [root@mail src]# host 84.3.59.247 247.59.3.84.in-addr.arpa domain name pointer catv54033BF7.pool.t-online.hu. [root@mail src]# host 247.59.3.84.zen.spamhaus.org 247.59.3.84.zen.spamhaus.org has address 127.0.0.11 247.59.3.84.zen.spamhaus.org has address 127.0.0.4 The host that input this message was already listed in Spamhaus XBL and PBL lists. Regards, Steve. Nasser Al-Zawawi wrote: > Hi, > > I have RedHat ES 4 server running sendmail (8.13.1) and I am using the > latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin > 3.2.5. Lately this kind of message has been getting through: > > It says it is coming from my email or an alias on my system and it is > marked urgent the subject is something like: "Your order", "Re: Your > order", "Delivery Status Notification", "Delivery Status Notification > (Failure)". The content is a jpg picture of Viagra, CIALIS, LEVITRA and > VPXL drugs. 
> > Here is the message html source: > > -------------- > > > > > > > > > > > > Having 
> trouble viewing this email?
> 
> Click here to view as a webpage. > > --------- > > and here is the Internet headers: > > --------- > > Return-Path: > > Received: from catv54033BF7.pool.t-online.hu > (catv54033BF7.pool.t-online.hu [84.3.59.247]) > > by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBFEokoH025796 > > for ; Mon, 15 Dec 2008 09:50:47 -0500 > > Date: Mon, 15 Dec 2008 09:50:46 -0500 > > From: Nasser Al-Zawawi > > Message-Id: <200812151450.mBFEokoH025796@www.alz-inc.com> > > To: > > Subject: Re: Order status > > MIME-Version: 1.0 > > Importance: High > > Content-Type: text/html > > X-alz-inc-MailScanner-Information: Please contact the ISP for more > information > > X-alz-inc-MailScanner-ID: mBFEokoH025796 > > X-alz-inc-MailScanner: Found to be clean > > X-alz-inc-MailScanner-From: sales@alz-inc.com > > X-Spam-Status: No > > Status: O > > X-UID: 455634 > > Content-Length: 364 > > X-Keywords: > > ----------- > > > > They seem to come in patches of 4 (4 emails at a time). I had it before > I upgraded to the latest version and after upgrading. I probably get > about 80 message of this type per day. Other types of SPAMs seem to be > under control but this type is getting though. I appreciate any help > with this problem. > > > > Best regards, > > > Nasser > > > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! No virus found in this incoming message. 
Checked by AVG - http://www.avg.com Version: 8.0.176 / Virus Database: 270.9.18/1848 - Release Date: 12/15/2008 9:01 AM From nassera at alz-inc.com Mon Dec 15 19:57:46 2008 From: nassera at alz-inc.com (Nasser Al-Zawawi) Date: Mon Dec 15 19:57:55 2008 Subject: Consistent SPAM messages getting through In-Reply-To: <72cf361e0812150838m78a86c96g9eb57541c6c59d43@mail.gmail.com> Message-ID: Here is the raw message as Martin suggested: #--------------- >From nassera@alz-inc.com Thu Dec 11 10:59:35 2008 Return-Path: Received: from afnor.fr ([61.106.223.211]) by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBBFxVeL031817 for ; Thu, 11 Dec 2008 10:59:33 -0500 Date: Thu, 11 Dec 2008 10:59:31 -0500 From: Nasser Al-Zawawi Message-Id: <200812111559.mBBFxVeL031817@www.alz-inc.com> To: Subject: Re: Order status MIME-Version: 1.0 Importance: High Content-Type: text/html X-alz-inc-MailScanner-Information: Please contact the ISP for more information X-alz-inc-MailScanner-ID: mBBFxVeL031817 X-alz-inc-MailScanner: Found to be clean X-alz-inc-MailScanner-From: nassera@alz-inc.com X-Spam-Status: No Status: RO X-UID: 455188 Content-Length: 355 X-Keywords: Having trouble
viewing this email?
Click here to view as a webpage. #--------------- Best regards, Nasser Al-Zawawi ALZ, Inc. http://www.alz-inc.com/ Phone: 313 887-9345 Fax: 888 467-1853 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Monday, December 15, 2008 11:39 AM To: MailScanner discussion Subject: Re: Consistent SPAM messages getting through 2008/12/15 Nasser Al-Zawawi : > Hi, > > I have RedHat ES 4 server running sendmail (8.13.1) and I am using the > latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin > 3.2.5. Lately this kind of message has been getting through: > > It says it is coming from my email or an alias on my system and it is marked > urgent the subject is something like: "Your order", "Re: Your order", > "Delivery Status Notification", "Delivery Status Notification (Failure)". > The content is a jpg picture of Viagra, CIALIS, LEVITRA and VPXL drugs. > > Here is the message html source: > > -------------- > > > > > > > > > > > > Having
trouble
> viewing this email?
>
> Click here to view as a webpage. > > --------- > > and here is the Internet headers: > > --------- > > Return-Path: > > Received: from catv54033BF7.pool.t-online.hu (catv54033BF7.pool.t-online.hu > [84.3.59.247]) > > by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBFEokoH025796 > > for ; Mon, 15 Dec 2008 09:50:47 -0500 > > Date: Mon, 15 Dec 2008 09:50:46 -0500 > > From: Nasser Al-Zawawi > > Message-Id: <200812151450.mBFEokoH025796@www.alz-inc.com> > > To: > > Subject: Re: Order status > > MIME-Version: 1.0 > > Importance: High > > Content-Type: text/html > > X-alz-inc-MailScanner-Information: Please contact the ISP for more > information > > X-alz-inc-MailScanner-ID: mBFEokoH025796 > > X-alz-inc-MailScanner: Found to be clean > > X-alz-inc-MailScanner-From: sales@alz-inc.com > > X-Spam-Status: No > > Status: O > > X-UID: 455634 > > Content-Length: 364 > > X-Keywords: > > ----------- > > > > They seem to come in patches of 4 (4 emails at a time). I had it before I > upgraded to the latest version and after upgrading. I probably get about 80 > message of this type per day. Other types of SPAMs seem to be under control > but this type is getting though. I appreciate any help with this problem. > > > > Best regards, > > Nasser > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > If you can post more than just the html source to a pastbin or web page (ie full raw message, headers and everything) people can check their setup and see what extra rules (like dcc/razor/SARE etc) hit. -- Martin Hepworth Oxford, UK -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.9.18/1848 - Release Date: 12/15/2008 9:01 AM

From nassera at alz-inc.com Mon Dec 15 20:01:18 2008
From: nassera at alz-inc.com (Nasser Al-Zawawi)
Date: Mon Dec 15 20:01:29 2008
Subject: {Spam?} RE: Consistent SPAM messages getting through
In-Reply-To:
Message-ID: <14701C7848AD4135BCD21EB66AF5B8A3@ALZGW2kXPMC>

I do have this line in my:
/etc/MailScanner/rules/spam.whitelist.rules
From: @alz-inc.com yes

So it sounds like I should delete it, right?

Best regards,

Nasser Al-Zawawi
ALZ, Inc.
http://www.alz-inc.com/
Phone: 313 887-9345
Fax: 888 467-1853

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nasser Al-Zawawi
Sent: Monday, December 15, 2008 2:41 PM
To: 'MailScanner discussion'
Subject: RE: Consistent SPAM messages getting through

Not sure if this is what you mean, but I have this line uncommented in my /etc/MailScanner/MailScanner.conf:

Spam List = spamhaus-ZEN

So it should be checking with spamhaus RBL

Best regards,

Nasser Al-Zawawi
ALZ, Inc.
http://www.alz-inc.com/
Phone: 313 887-9345
Fax: 888 467-1853

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard
Sent: Monday, December 15, 2008 11:51 AM
To: MailScanner discussion
Subject: Re: Consistent SPAM messages getting through

Have you whitelisted your own e-mail address or domain?? If so - then that is part of the problem.

Also - consider using some RBLs in your MTA:

[root@mail src]# host 84.3.59.247
247.59.3.84.in-addr.arpa domain name pointer catv54033BF7.pool.t-online.hu.
[root@mail src]# host 247.59.3.84.zen.spamhaus.org
247.59.3.84.zen.spamhaus.org has address 127.0.0.11
247.59.3.84.zen.spamhaus.org has address 127.0.0.4

The host that input this message was already listed in Spamhaus XBL and PBL lists.
Regards, Steve. Nasser Al-Zawawi wrote: > Hi, > > I have RedHat ES 4 server running sendmail (8.13.1) and I am using the > latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin > 3.2.5. Lately this kind of message has been getting through: > > It says it is coming from my email or an alias on my system and it is > marked urgent the subject is something like: "Your order", "Re: Your > order", "Delivery Status Notification", "Delivery Status Notification > (Failure)". The content is a jpg picture of Viagra, CIALIS, LEVITRA and > VPXL drugs. > > Here is the message html source: > > -------------- > > > > > > > > > > > > Having 
> trouble viewing this email?
> 
> Click here to view as a webpage. > > --------- > > and here is the Internet headers: > > --------- > > Return-Path: > > Received: from catv54033BF7.pool.t-online.hu > (catv54033BF7.pool.t-online.hu [84.3.59.247]) > > by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBFEokoH025796 > > for ; Mon, 15 Dec 2008 09:50:47 -0500 > > Date: Mon, 15 Dec 2008 09:50:46 -0500 > > From: Nasser Al-Zawawi > > Message-Id: <200812151450.mBFEokoH025796@www.alz-inc.com> > > To: > > Subject: Re: Order status > > MIME-Version: 1.0 > > Importance: High > > Content-Type: text/html > > X-alz-inc-MailScanner-Information: Please contact the ISP for more > information > > X-alz-inc-MailScanner-ID: mBFEokoH025796 > > X-alz-inc-MailScanner: Found to be clean > > X-alz-inc-MailScanner-From: sales@alz-inc.com > > X-Spam-Status: No > > Status: O > > X-UID: 455634 > > Content-Length: 364 > > X-Keywords: > > ----------- > > > > They seem to come in patches of 4 (4 emails at a time). I had it before > I upgraded to the latest version and after upgrading. I probably get > about 80 message of this type per day. Other types of SPAMs seem to be > under control but this type is getting though. I appreciate any help > with this problem. > > > > Best regards, > > > Nasser > > > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.176 / Virus Database: 270.9.18/1848 - Release Date: 12/15/2008 9:01 AM -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! No virus found in this incoming message. 
Checked by AVG - http://www.avg.com Version: 8.0.176 / Virus Database: 270.9.18/1848 - Release Date: 12/15/2008 9:01 AM From traced at xpear.de Mon Dec 15 20:01:21 2008 From: traced at xpear.de (traced) Date: Mon Dec 15 20:01:32 2008 Subject: Buy Mailscanner Book in Germany? Message-ID: <4946B791.1070201@xpear.de> Hi, is there any good way to buy the Mailscanner Book here in Germany? At Amazon.de & bol.de the book is unavailable... The problem is that I don?t have a credit card, and, I believe that is the best for me :-) With creditcard I could buy it at the online shop, but so?! Regards, Bastian From nassera at alz-inc.com Mon Dec 15 20:06:38 2008 From: nassera at alz-inc.com (Nasser Al-Zawawi) Date: Mon Dec 15 20:06:48 2008 Subject: {Spam?} RE: Alias rule help In-Reply-To: <72cf361e0812150945j43a570a2nbf463aea3adb983e@mail.gmail.com> Message-ID: Hi Martin, Could you translate your suggestion into instructions, something like add this line (a.b.c) to file /x/y/z.conf as I am not too proficient in email lingo? Best regards, Nasser Al-Zawawi ALZ, Inc. http://www.alz-inc.com/ Phone: 313 887-9345 Fax: 888 467-1853 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Monday, December 15, 2008 12:45 PM To: MailScanner discussion Subject: Re: Alias rule help 2008/12/15 Nasser Al-Zawawi : > Hi, > > I have a RedHat ES 4 server running sendmail (8.13.1) and I am using the > latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin > 3.2.5. I need help with a rule that should block all outside users from > sending emails to our aliases and only allow them to come from people from > our domain. For example we have an alias called _all_users_ and it is > literally all users on the system. 
Somehow spammers are able to see these
> aliases on the system (I hope there is a way to disallow them from seeing
> the aliases) and then they are sending SPAMs to these aliases so when they
> send a spam to _all_users_@domain.com everybody gets that spam. Could
> somebody write this rule and show what directive to put in the
> MailScanner.conf if any. I have tried a few but none worked.
>
> Best regards,
>
> Nasser
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Nasser

I'd do this at the MTA level. Put in a check for 'valid' users, You'll more than likely also need to split the emails into single recipients so emails to fred@domain & all_users@domain don't go through due to the envelope recipient being fred@domain.

--
Martin Hepworth
Oxford, UK
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.9.18/1848 - Release Date: 12/15/2008 9:01 AM

From Denis.Beauchemin at USherbrooke.ca Mon Dec 15 20:15:02 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Dec 15 20:15:24 2008
Subject: {Spam?} RE: Consistent SPAM messages getting through
In-Reply-To: <14701C7848AD4135BCD21EB66AF5B8A3@ALZGW2kXPMC>
References: <14701C7848AD4135BCD21EB66AF5B8A3@ALZGW2kXPMC>
Message-ID: <4946BAC6.6040008@USherbrooke.ca>

Nasser Al-Zawawi wrote:
> I do have this line in my:
> /etc/MailScanner/rules/spam.whitelist.rules
> From: @alz-inc.com yes
>
> So it sounds like I should delete it, right?
>

Definitely yes!
It's so easy to spoof a From: address! Use IP addresses instead.

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From ms-list at alexb.ch Mon Dec 15 21:00:14 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Dec 15 21:00:24 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To: <4946B791.1070201@xpear.de>
References: <4946B791.1070201@xpear.de>
Message-ID: <4946C55E.6030906@alexb.ch>

On 12/15/2008 9:01 PM, traced wrote:
> Hi,
>
> is there any good way to buy the Mailscanner Book here in Germany?
> At Amazon.de & bol.de the book is unavailable...
> The problem is that I don't have a credit card, and, I believe
> that is the best for me :-) With creditcard I could buy it at the
> online shop, but so?!

Any decent bookstore will order it for you.

From traced at xpear.de Mon Dec 15 21:16:06 2008
From: traced at xpear.de (traced)
Date: Mon Dec 15 21:16:17 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To: <4946C55E.6030906@alexb.ch>
References: <4946B791.1070201@xpear.de> <4946C55E.6030906@alexb.ch>
Message-ID: <4946C916.6010601@xpear.de>

Alex Broens wrote:
> On 12/15/2008 9:01 PM, traced wrote:
>> Hi,
>>
>> is there any good way to buy the Mailscanner Book here in Germany?
>> At Amazon.de & bol.de the book is unavailable...
>> The problem is that I don't have a credit card, and, I believe
>> that is the best for me :-) With creditcard I could buy it at the
>> online shop, but so?!
>
> Any decent bookstore will order it for you.
>

Thanks for the tip, maybe something for my christmas list ;)

Regards,
Bastian

From dchee at uci.edu Mon Dec 15 21:22:44 2008
From: dchee at uci.edu (Derek Chee)
Date: Mon Dec 15 21:22:57 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <4945A182.2050505@qustodium.net>
References: <4945A182.2050505@qustodium.net>
Message-ID:

On Dec 14, 2008, at 4:14 PM, Achim J.
Latz wrote:
> In case others are receiving errors from their update scripts [1]:
>
> "Sanesecurity signatures are no longer being updated or distributed
> due to extremely high server resource usage, which appears to be
> from a distributed denial of service attack (DDoS). I've moved
> server hosts twice (which takes time) and both times have resulted
> in the site being suspended.
>
> As many of you know, I produce the signatures and run the site, in
> my spare time and with Christmas approaching I'm finding my spare
> time is currently limited.
>
> Hopefully this won't be the end of the signatures and I'm hoping
> that they may return in the New Year.
>
> May I take this opportunity to thank everyone who has helped this
> project, either by providing samples, bandwidth, download scripts or
> donating.
>
> Thanks and sorry to let you all down.
>
> Steve
> Sanesecurity"
>
> [1] http://www.sanesecurity.com/clamav/

Just wanted to alert everybody that the shutdown appears to be more extensive than just not being distributed. The last update that we picked up from them had the signatures more or less zero'ed out with only a test signature in them.

-- Derek

Derek Chee
Network & Support Programming
Network & Academic Computing Services
University of California, Irvine

From maillists at conactive.com Mon Dec 15 21:31:17 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Dec 15 21:31:28 2008
Subject: Consistent SPAM messages getting through
In-Reply-To:
References:
Message-ID:

Nasser Al-Zawawi wrote on Mon, 15 Dec 2008 14:57:46 -0500:

> Here is the raw message as Martin suggested:

No, he suggested

> If you can post more than just the html source to a pastebin or web
> page

it would be nice if you followed that next time, thank you!
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Dec 15 22:31:23 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Dec 15 22:31:39 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To: <4946C55E.6030906@alexb.ch>
References: <4946B791.1070201@xpear.de> <4946C55E.6030906@alexb.ch>
Message-ID:

Alex Broens wrote on Mon, 15 Dec 2008 22:00:14 +0100:

> Any decent bookstore will order it for you.

No.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ms-list at alexb.ch Mon Dec 15 22:41:58 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Dec 15 22:42:08 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To:
References: <4946B791.1070201@xpear.de> <4946C55E.6030906@alexb.ch>
Message-ID: <4946DD36.5020804@alexb.ch>

On 12/15/2008 11:31 PM, Kai Schaetzl wrote:
> Alex Broens wrote on Mon, 15 Dec 2008 22:00:14 +0100:
>
>> Any decent bookstore will order it for you.
>
> No.

it has an ISBN number... it's possible, if the store is willing

From MailScanner at ecs.soton.ac.uk Mon Dec 15 22:32:56 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Dec 15 23:36:54 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To: <4946C916.6010601@xpear.de>
References: <4946B791.1070201@xpear.de> <4946C55E.6030906@alexb.ch> <4946C916.6010601@xpear.de>
Message-ID: <4946DB18.2060006@ecs.soton.ac.uk>

On 15/12/08 21:16, traced wrote:
> Alex Broens wrote:
>> On 12/15/2008 9:01 PM, traced wrote:
>>> Hi,
>>>
>>> is there any good way to buy the Mailscanner Book here in Germany?
>>> At Amazon.de & bol.de the book is unavailable...
>>> The problem is that I don't have a credit card, and, I believe
>>> that is the best for me :-) With creditcard I could buy it at the
>>> online shop, but so?!
>>
>> Any decent bookstore will order it for you.
>>
>
> Thanks for the tip, maybe something for my christmas list ;)

If you order it from a bookshop, I have to fulfil the order, and I'm very bad at remembering to do this. If you want it reliably, order it from lulu.com or cafepress.com, as they can ship it directly to you, without involving me in the process at all!

Thanks.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Dec 15 20:31:21 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Dec 15 23:43:02 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To: <4946B791.1070201@xpear.de>
References: <4946B791.1070201@xpear.de>
Message-ID: <4946BE99.9060302@ecs.soton.ac.uk>

The link on the MailScanner home page includes a link to buying it in Europe that takes you to lulu.com which is Europe-based and prints the book for me.

On 15/12/08 20:01, traced wrote:
> Hi,
>
> is there any good way to buy the Mailscanner Book here in Germany?
> At Amazon.de & bol.de the book is unavailable...
> The problem is that I don't have a credit card, and, I believe
> that is the best for me :-) With creditcard I could buy it at the
> online shop, but so?!
>
> Regards,
> Bastian

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Dec 15 20:27:51 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Dec 15 23:43:57 2008 Subject: Alias rule help In-Reply-To: <82B7A20399E24D3B9DA3445BBA1EB0F6@ALZGW2kXPMC> References: <82B7A20399E24D3B9DA3445BBA1EB0F6@ALZGW2kXPMC> Message-ID: <4946BDC7.903@ecs.soton.ac.uk> I would do this at the MTA level, like other posters have advised. We have *-all lists, which withing them have *-all-people lists, and we don't want people outside being able to mail them. In sendmail.cf we implement this using the following: KIsEcsList1 regex -a@MATCH ^(cs|el|ce|ie)?ug[0-9]?$ KIsEcsList2 regex -a@MATCH ^.*-all(-[0-9])?$ KIsEcsList3 regex -a@MATCH ^.*-(people|extras)(-[0-9])?$ These define the 3 regexps that match all the mailing lists (examples from each line are IsEcsList1 csug2 IsEcsList2 staff-all, staff-all-1 IsEcsList3 staff-all-people, staff-all-people-2 as that is how the lists are all constructed. Obviously you will need to change these to match your own setup. And then further down in sendmail.cf, this. If you know a reasonable amount about sendmail.cf files, then it should be obvious where the characters go to separate the 3 "fields" of each line of a sendmail rule. SLocal_check_rcpt R$* $: $>3 $1 Focus on host R$* $: $>"QualifyDomain" $1 Make fully-qualified R$* <@ $* $m. > $* $1 <@ *LOCAL* > Is recipient an ECS address? R$* <@ *LOCAL* > $* $: $(IsEcsList1 $1 $) <@ *LOCAL* > $2 ECS list? R$* <@ *LOCAL* > $* $: $(IsEcsList2 $1 $) <@ *LOCAL* > $2 ECS list? R$* <@ *LOCAL* > $* $: $(IsEcsList3 $1 $) <@ *LOCAL* > $2 ECS list? R@MATCH <@ *LOCAL* > $* $#error $@ 5.1.2 $: Please contact ECS Help Desk # If address is unqualified, add *LOCAL* as the destination hostname. 
SQualifyDomain
R$* < @ $* > $*	$@ $1 < @ $2 > $3	Already fully qualified
R$+	$@ $1 < @ *LOCAL* >	Add local qualification

That should tell you all you need to implement restrictions at MTA level
in sendmail to disable addresses that match regular expressions.

On 15/12/08 16:13, Nasser Al-Zawawi wrote:
>
> Hi,
>
> I have a RedHat ES 4 server running sendmail (8.13.1) and I am using
> the latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and
> SpamAssassin 3.2.5. I need help with a rule that should block all
> outside users from sending emails to our aliases and only allow them
> to come from people from our domain. For example we have an alias
> called _/all_users/_ and it is literally all users on the system.
> Somehow spammers are able to see these aliases on the system (I hope
> there is a way to disallow them from seeing the aliases) and then they
> are sending SPAMs to these aliases so when they send a spam to
> _/all_users/_@domain.com everybody
> gets that spam. Could somebody write this rule and show what directive
> to put in the MailScanner.conf if any. I have tried a few but none worked.
>
> Best regards,
>
>
> Nasser
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maillists at conactive.com Tue Dec 16 00:31:37 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 16 00:31:53 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To: <4946DD36.5020804@alexb.ch>
References: <4946B791.1070201@xpear.de> <4946C55E.6030906@alexb.ch> <4946DD36.5020804@alexb.ch>
Message-ID:

Alex Broens wrote on Mon, 15 Dec 2008 23:41:58 +0100:

> it has an ISBN number.

it doesn't matter if it has one or not. This is really OT, so I just
suggest you go to your local bookshop in Kemptthal and try to get it .-)
Send me a private email about the outcome.
(I had a bookshop 15 years ago and did some importing from the States
and UK, btw.)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From email at ace.net.au Tue Dec 16 04:35:28 2008
From: email at ace.net.au (Peter Nitschke)
Date: Tue Dec 16 04:35:50 2008
Subject: Long Filename exception
Message-ID: <200812161505280468.031AADBE@web.ace.net.au>

I have a client that needs to accept very long filenames from a specific
email address.

Reading the conf, I get this.

# Syntax is allow/deny/deny+delete/email-addresses,
# then regular expression,
# then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.

Which makes me think that a rule can only control what happens to long
file names, but not to ignore from a particular sender or recipient.

Is it possible to do so?

Cheers,

Peter

From maillists at conactive.com Tue Dec 16 07:31:16 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 16 07:31:26 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To: <4946BE99.9060302@ecs.soton.ac.uk>
References: <4946B791.1070201@xpear.de> <4946BE99.9060302@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Mon, 15 Dec 2008 20:31:21 +0000:

> lulu.com which is Europe-based and prints the
> book for me.

Their jobs page lists South Carolina ;-)
And, frankly, I wouldn't buy from them. Their German imprint lacks all
required data, you cannot find out their address, nor their telephone
number nor any other whereabouts nor their business terms. They look like
the scam we deal daily in spam. A good example of a company web site
everyone in the know tells you not to buy from.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From traced at xpear.de Tue Dec 16 08:05:29 2008
From: traced at xpear.de (traced@xpear.de)
Date: Tue Dec 16 08:05:40 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To:
References: <4946B791.1070201@xpear.de> <4946BE99.9060302@ecs.soton.ac.uk>
Message-ID: <6a25bd893bd8c3f9f49d1b50262e7adb@localhost>

On Tue, 16 Dec 2008 08:31:16 +0100, Kai Schaetzl wrote:
> Julian Field wrote on Mon, 15 Dec 2008 20:31:21 +0000:
>
>> lulu.com which is Europe-based and prints the
>> book for me.
>
> Their jobs page lists South Carolina ;-)
> And, frankly, I wouldn't buy from them. Their German imprint lacks all
> required data, you cannot find out their address, nor their telephone
> number nor any other whereabouts nor their business terms. They look like
> the scam we deal daily in spam. A good example of a company web site
> everyone in the know tells you not to buy from.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
>

Never thought it could be so hard just to buy a book? My main problem is
that I don't have a credit card, and I will not change that just for a
book ;)

Bastian

From matteo.filippetto at gmail.com Tue Dec 16 08:16:57 2008
From: matteo.filippetto at gmail.com (matteo filippetto)
Date: Tue Dec 16 08:17:07 2008
Subject: quarantine release subject
In-Reply-To:
References:
Message-ID:

Sorry, I mistook destination address while writing mail...thank you very
much for your help

Best regards
Matteo

2008/12/15 Ehle, Roland :
> Hi Matteo,
>
> a little bit off-topic because MailWatch related, but if you set
>
> define(QUARANTINE_USE_SENDMAIL, true);
>
> in your conf.php the original subject is kept.
> Please note, if you release
> messages, that were quarantined due to bad attachments, the mail might not
> be delivered, if you have Microsoft Exchange Servers for the mailboxes,
> because the message ID is kept too.
>
> Regards,
> Roland
> ________________________________
> From: mailscanner-bounces@lists.mailscanner.info
> [mailscanner-bounces@lists.mailscanner.info] on behalf of matteo
> filippetto [matteo.filippetto@gmail.com]
> Sent: Monday, 15 December 2008 18:12
> To: MailScanner discussion
> Subject: quarantine release subject
>
> Hi all,
>
> I would like to modify this parameter
>
> define(QUARANTINE_SUBJECT, 'Message released from quarantine');
>
> of conf.php as when I release a message from quarantine that message
> should have the same subject of the original email?
>
> Is it possible?
>
> Thank you very much
> Best regards
>
> --
> Matteo Filippetto
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

From maillists at conactive.com Tue Dec 16 10:15:00 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 16 10:15:10 2008
Subject: Buy Mailscanner Book in Germany?
In-Reply-To: <6a25bd893bd8c3f9f49d1b50262e7adb@localhost>
References: <4946B791.1070201@xpear.de> <4946BE99.9060302@ecs.soton.ac.uk> <6a25bd893bd8c3f9f49d1b50262e7adb@localhost>
Message-ID:

wrote on Tue, 16 Dec 2008 09:05:29 +0100:

> My main problem is
> that I don't have a credit card, and I will not change that just for a book

Ask a friend/colleague/relative if they can pay for you by credit card.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Tue Dec 16 12:24:22 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Dec 16 14:14:51 2008
Subject: Sanesecurity signatures are no longer being updated ordistributed
In-Reply-To: <200812151621.mBFGLmRT011879@safir.blacknight.ie>
References: <4945A182.2050505@qustodium.net> <200812151621.mBFGLmRT011879@safir.blacknight.ie>
Message-ID: <49479DF6.8050600@ecs.soton.ac.uk>

On 15/12/08 16:15, Stef Morrell wrote:
> ka@pacific.net wrote:
>
>> That's too bad. I really saw a decent amount of crap detection.
>> Any other 3rd party sigs that are recommended?
>>
>>
>
> You could look at
>
> http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
> http://www.malware.com.br/lists.shtml
>

Also, the currently-published version of the sanesecurity signatures
trap nothing at all.
If you want the last "proper" version of the signature files, they are
available here:

https://secure.grepular.com/sane/

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

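The three regex maps from Julian Field's "Alias rule help" reply of 15 Dec can be dry-run against a site's alias names before the rules go into sendmail.cf. This Python sketch is an added example, not code from the thread: it models only the recipient test visible in that post, assumes sendmail's regex map default of case-insensitive extended regexes, and uses example.org as a stand-in for $m; the names in SAMPLE_ALIASES are constructed, apart from all_users, which comes from the original question.

```python
import re

# Regexes copied verbatim from the K lines in the post. Assumption: the regex
# map is used without -f, so matching is case-insensitive.
LIST_MAPS = [
    ("IsEcsList1", r"^(cs|el|ce|ie)?ug[0-9]?$"),
    ("IsEcsList2", r"^.*-all(-[0-9])?$"),
    ("IsEcsList3", r"^.*-(people|extras)(-[0-9])?$"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in LIST_MAPS]

LOCAL_DOMAIN = "example.org"  # constructed stand-in for sendmail's $m
REJECT_TEXT = "5.1.2 Please contact ECS Help Desk"

# Constructed alias names; "all_users" is the alias named in the question.
SAMPLE_ALIASES = [
    "csug2", "staff-all", "staff-all-1", "staff-all-people-2",
    "all_users", "staff-all-12", "postmaster",
]


def split_recipient(rcpt):
    """Return (local_part, host); host is None for an unqualified address."""
    rcpt = rcpt.strip().strip("<>")
    local, at, host = rcpt.rpartition("@")
    if not at:
        return rcpt, None
    return local, host.rstrip(".").lower()


def is_local(host):
    """Unqualified addresses count as local (QualifyDomain), as does any
    host that ends in the local domain (the '$* $m.' rule)."""
    return host is None or host == LOCAL_DOMAIN or host.endswith("." + LOCAL_DOMAIN)


def check_rcpt(rcpt):
    """Model of the posted Local_check_rcpt; returns (verdict, detail)."""
    local, host = split_recipient(rcpt)
    if not is_local(host):
        return ("CONTINUE", "not a local recipient")
    # The maps are consulted in order; the first one that matches rejects.
    for name, rx in COMPILED:
        if rx.search(local):
            return ("REJECT", f"{REJECT_TEXT} [{name}]")
    return ("CONTINUE", "no list map matched")


def audit(aliases):
    """Split alias names into those the maps reject and those they let through."""
    protected, exposed = [], []
    for alias in aliases:
        verdict, _ = check_rcpt(alias)
        (protected if verdict == "REJECT" else exposed).append(alias)
    return protected, exposed


if __name__ == "__main__":
    protected, exposed = audit(SAMPLE_ALIASES)
    print("rejected by the maps:", protected)
    print("not covered:", exposed)
```

Names such as all_users and staff-all-12 fall through all three patterns, which is the case the post's "change these to match your own setup" remark is about.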
From MailScanner at ecs.soton.ac.uk Tue Dec 16 09:19:31 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Dec 16 14:14:52 2008
Subject: Long Filename exception
In-Reply-To: <200812161505280468.031AADBE@web.ace.net.au>
References: <200812161505280468.031AADBE@web.ace.net.au>
Message-ID: <494772A3.3010502@ecs.soton.ac.uk>

You need to set it up to use one filename.rules.conf file for a specific
address, and another one for all other addresses. This is documented in
the mailing list archives, the wiki and the book. I don't know the exact
wiki URL for this article, but I do know it's in there! :-)

Jules.

On 16/12/08 04:35, Peter Nitschke wrote:
> I have a client that needs to accept very long filenames from a specific
> email address.
>
> Reading the conf, I get this.
>
> # Syntax is allow/deny/deny+delete/email-addresses,
> # then regular expression,
> # then log text, then user report text.
> #
> # The "email-addresses" can be a space or comma-separated list of email
> # addresses. If the rule hits, the message will be sent to these address(es)
> # instead of the original recipients.
>
> Which makes me think that a rule can only control what happens to long file
> names, but not to ignore from a particular sender or recipient.
>
> Is it possible to do so?
>
> Cheers,
>
> Peter
>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

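The arrangement described in the reply above, written out as an added example rather than configuration taken from the thread: the Filename Rules option points at a ruleset, and the ruleset selects a relaxed rules file for one sender and the normal file for everyone else. The sender address, the name of the relaxed file and its 400-character limit are hypothetical.

```conf
# --- /etc/MailScanner/MailScanner.conf ---
# Point the option at a ruleset instead of a single rules file.
Filename Rules = %rules-dir%/filename.rules

# --- /etc/MailScanner/rules/filename.rules (ruleset; first match wins) ---
# partner@example.com and filename.rules.longnames.conf are hypothetical.
From:		partner@example.com	/etc/MailScanner/filename.rules.longnames.conf
FromOrTo:	default			/etc/MailScanner/filename.rules.conf

# --- /etc/MailScanner/filename.rules.longnames.conf ---
# Start from a copy of filename.rules.conf so that every other deny rule
# still applies to this sender, and change only the long-filename rule.
# Fields are TAB-separated: action, regex, log text, user report text.
# Constructed replacement rule: raise the length limit instead of removing it.
deny	.{400,}	Very long filename	Very long filename
```

A sender address can be forged, so the relaxed file keeps every other restriction and only moves the length limit.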
From nassera at alz-inc.com Tue Dec 16 14:27:50 2008
From: nassera at alz-inc.com (Nasser Al-Zawawi)
Date: Tue Dec 16 14:28:03 2008
Subject: {Spam?} RE: {Spam?} RE: Consistent SPAM messages getting through
In-Reply-To: <4946BAC6.6040008@USherbrooke.ca>
Message-ID:

That was exactly it! I am not getting these annoying emails any more! It
makes perfect sense now; I was telling the program not to scan anything
coming from my domain so MailScanner diligently did what I asked it to
do :-)

Thank you guys for the quick and precise resolution.

Best regards,

Nasser Al-Zawawi
ALZ, Inc.
http://www.alz-inc.com/
Phone: 313 887-9345
Fax: 888 467-1853

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin
Sent: Monday, December 15, 2008 3:15 PM
To: MailScanner discussion
Subject: Re: {Spam?} RE: Consistent SPAM messages getting through

Nasser Al-Zawawi wrote:
> I do have this line in my:
> /etc/MailScanner/rules/spam.whitelist.rules
> From: @alz-inc.com yes
>
> So it sounds like I should delete it, right?
>
Definitely yes! It's so easy to spoof a From: address! Use IP addresses
instead.

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.9.18/1848 - Release Date: 12/15/2008 5:04 PM

From maxsec at gmail.com Tue Dec 16 14:37:08 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Dec 16 14:37:48 2008
Subject: Long Filename exception
In-Reply-To: <494772A3.3010502@ecs.soton.ac.uk>
References: <200812161505280468.031AADBE@web.ace.net.au> <494772A3.3010502@ecs.soton.ac.uk>
Message-ID: <72cf361e0812160637s4bec4840p4d1dd140c10f5c92@mail.gmail.com>

2008/12/16 Julian Field :
> You need to set it up to use one filename.rules.conf file for a specific
> address, and another one for all other addresses. This is documented in the
> mailing list archives, the wiki and the book. I don't know the exact wiki
> URL for this article, but I do know it's in there! :-)
>
> Jules.
>
> On 16/12/08 04:35, Peter Nitschke wrote:
>>
>> I have a client that needs to accept very long filenames from a specific
>> email address.
>>
>> Reading the conf, I get this.
>>
>> # Syntax is allow/deny/deny+delete/email-addresses,
>> # then regular expression,
>> # then log text, then user report text.
>> #
>> # The "email-addresses" can be a space or comma-separated list of email
>> # addresses. If the rule hits, the message will be sent to these address(es)
>> # instead of the original recipients.
>>
>> Which makes me think that a rule can only control what happens to long file
>> names, but not to ignore from a particular sender or recipient.
>>
>> Is it possible to do so?
>>
>> Cheers,
>>
>> Peter
>>
>>
>>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Jules

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading

overloading is the keyword ;-)

--
Martin Hepworth
Oxford, UK

From ajcartmell at fonant.com Tue Dec 16 14:53:53 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Tue Dec 16 14:53:56 2008
Subject: Sanesecurity signatures are no longer being updated ordistributed
In-Reply-To: <49479DF6.8050600@ecs.soton.ac.uk>
References: <4945A182.2050505@qustodium.net> <200812151621.mBFGLmRT011879@safir.blacknight.ie> <49479DF6.8050600@ecs.soton.ac.uk>
Message-ID:

> Also, the currently-published version of the sanesecurity signatures
> trap nothing at all.
> If you want the last "proper" version of the signature files, they are
> available here:
>
> https://secure.grepular.com/sane/

Or you might find the -bak backup versions are the same and can just be
copied into place...

HTH

Anthony
--
www.fonant.com - Quality web sites

From stef at aoc-uk.com Tue Dec 16 14:59:28 2008
From: stef at aoc-uk.com (Stef Morrell)
Date: Tue Dec 16 14:59:30 2008
Subject: Sanesecurity signatures are no longer beingupdated ordistributed
In-Reply-To:
References: <4945A182.2050505@qustodium.net><200812151621.mBFGLmRT011879@safir.blacknight.ie><49479DF6.8050600@ecs.soton.ac.uk>
Message-ID: <200812161459.mBGExLkg003836@safir.blacknight.ie>

ajcartmell@fonant.com wrote:
>> Also, the currently-published version of the sanesecurity signatures
>> trap nothing at all.
>> If you want the last "proper" version of the
>> signature files, they are available here:
>>
>> https://secure.grepular.com/sane/
>
> Or you might find the -bak backup versions are the same and
> can just be copied into place...

Yes, if you use a particular update script. On the other hand, those
linked by Julian appear to be ever so slightly newer than my -baks.

Stef
--
Stefan Morrell  | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Standard Disclaimer: http://www.aoc-uk.com/16.asp
Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From gmatt at nerc.ac.uk Tue Dec 16 15:32:29 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Tue Dec 16 15:32:44 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <4945A182.2050505@qustodium.net>
References: <4945A182.2050505@qustodium.net>
Message-ID: <4947CA0D.8080809@nerc.ac.uk>

Anyone know if Sane Security are submitting signatures direct to ClamAV?
I understand that many of their signatures would make their way into the
official Clam updates.

Sounds like a P2P distribution mech may have helped here.

GREG

Achim J. Latz wrote:
> In case others are receiving errors from their update scripts [1]:
>
> "Sanesecurity signatures are no longer being updated or distributed due
> to extremely high server resource usage, which appears to be from a
> distributed denial of service attack (DDoS). I've moved server hosts
> twice (which takes time) and both times have resulted in the site being
> suspended.
>
> As many of you know, I produce the signatures and run the site, in my
> spare time and with Christmas approaching I'm finding my spare time is
> currently limited.
>
> Hopefully this won't be the end of the signatures and I'm hoping that
> they may return in the New Year.
>
> May I take this opportunity to thank everyone who has helped this
> project, either by providing samples, bandwidth, download scripts or
> donating.
>
> Thanks and sorry to let you all down.
>
> Steve
> Sanesecurity"
>
> [1] http://www.sanesecurity.com/clamav/

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC
is subject to the Freedom of Information Act 2000 and the contents
of this email and any reply you make may be disclosed by NERC unless
it is exempt from release under the Act. Any material supplied to
NERC may be stored in an electronic records management system.

From marco.mangione at gmail.com Tue Dec 16 17:43:48 2008
From: marco.mangione at gmail.com (Marco mangione)
Date: Tue Dec 16 17:43:57 2008
Subject: mailscanner dont process queue
Message-ID:

Hello,

i have a big queue, about 2000 email ... load average of server is 0.20
... nothing! but mailscanner don't process mail.. is so slow in
processing ..... how can i fix the problem ?

Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081216/4c4b36fc/attachment.html

From alex at rtpty.com Tue Dec 16 17:54:51 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Dec 16 17:55:06 2008
Subject: mailscanner dont process queue
In-Reply-To:
References:
Message-ID: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com>

You need to define the problem first.

In the meantime you may want to turn off the processing and deliver the
e-mails "as is".

If you need help you need to specify a lot of things about your setup so
people can start to help, otherwise we'd be just guessing.

On Dec 16, 2008, at 12:43 PM, Marco mangione wrote:

> i have a big queue, about 2000 email ... load average of server is
> 0.20 ... nothing! but mailscanner don't process mail.. is so slow in
> processing ..... how can i fix the problem ?

From marco.mangione at gmail.com Tue Dec 16 18:02:42 2008
From: marco.mangione at gmail.com (Marco mangione)
Date: Tue Dec 16 18:02:51 2008
Subject: mailscanner dont process queue
In-Reply-To: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com>
References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com>
Message-ID:

ok i'm new here.. what thing can be useful for you to define the problem ?

2008/12/16 Alex Neuman van der Hans

> You need to define the problem first.
>
> In the meantime you may want to turn off the processing and deliver the
> e-mails "as is".
>
> If you need help you need to specify a lot of things about your setup so
> people can start to help, otherwise we'd be just guessing.
>
>
> On Dec 16, 2008, at 12:43 PM, Marco mangione wrote:
>
>> i have a big queue, about 2000 email ... load average of server is 0.20
>> ... nothing! but mailscanner don't process mail.. is so slow in processing
>> ..... how can i fix the problem ?
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081216/334b197e/attachment.html

From steve.freegard at fsl.com Tue Dec 16 18:44:59 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Dec 16 18:45:10 2008
Subject: mailscanner dont process queue
In-Reply-To:
References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com>
Message-ID: <4947F72B.6080405@fsl.com>

Marco mangione wrote:
> ok i'm new here.. what thing can be useful for you to define the problem ?

Here's the standard procedure anyone should follow if they have a queue
that is not being processed.

1) Stop MailScanner
2) run 'MailScanner --debug --debug-sa'
3) Post the tail end of the output of step 2 to the list if the command
does not finish with 'Stopping now as you are debugging me...'

Cheers,
Steve.

From rabellino at di.unito.it Tue Dec 16 18:49:21 2008
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Tue Dec 16 18:49:52 2008
Subject: mailscanner dont process queue
In-Reply-To:
References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com>
Message-ID: <4947F831.7040402@di.unito.it>

Your Mailscanner.conf and the filesystem layout can be a smarter start.
A question: did mailscanner stop scanning after a while, or have you
never seen an email passing through?
Which mailer are you using?
Are you using a different queue directory from the one specified in the
conf?

Marco mangione wrote:
> ok i'm new here.. what thing can be useful for you to define the problem ?
>
> 2008/12/16 Alex Neuman van der Hans
>
>     You need to define the problem first.
>
>     In the meantime you may want to turn off the processing and
>     deliver the e-mails "as is".
>
>     If you need help you need to specify a lot of things about your
>     setup so people can start to help, otherwise we'd be just guessing.
>
>
>     On Dec 16, 2008, at 12:43 PM, Marco mangione wrote:
>
>         i have a big queue, about 2000 email ... load average of
>         server is 0.20 ... nothing! but mailscanner don't process
>         mail.. is so slow in processing ..... how can i fix the problem ?
>
>
>     --
>     MailScanner mailing list
>     mailscanner@lists.mailscanner.info
>
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>     Before posting, read http://wiki.mailscanner.info/posting
>
>     Support MailScanner development - buy the book off the website!
>
>

--
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

-------------- next part --------------
Skipped content of type multipart/related

From marcel-ml at irc-addicts.de Tue Dec 16 20:45:42 2008
From: marcel-ml at irc-addicts.de (Marcel Blenkers)
Date: Tue Dec 16 20:46:43 2008
Subject: MailScanner restarting really often..
Message-ID:

Hi there,

i just realized the following.

My MailScanner is restarting quite often, even if the Restart-Settings is
set to

Restart Every = 14400

This is just a grep

grep "MailScanner child dying of old age" /var/log/mail

Result:

Dec 15 10:34:50 marcel MailScanner[22296]: MailScanner child dying of old age
Dec 15 11:33:03 marcel MailScanner[23215]: MailScanner child dying of old age
Dec 15 11:33:08 marcel MailScanner[23229]: MailScanner child dying of old age
Dec 15 15:36:26 marcel MailScanner[24966]: MailScanner child dying of old age
Dec 15 15:36:29 marcel MailScanner[24955]: MailScanner child dying of old age
Dec 15 16:37:02 marcel MailScanner[31834]: MailScanner child dying of old age
Dec 15 16:37:03 marcel MailScanner[31826]: MailScanner child dying of old age
Dec 15 20:37:59 marcel MailScanner[1176]: MailScanner child dying of old age
Dec 15 20:46:19 marcel MailScanner[1168]: MailScanner child dying of old age
Dec 16 00:39:46 marcel MailScanner[9634]: MailScanner child dying of old age
Dec 16 00:47:34 marcel MailScanner[9846]: MailScanner child dying of old age
Dec 16 06:36:23 marcel MailScanner[20120]: MailScanner child dying of old age
Dec 16 06:36:28 marcel MailScanner[20128]: MailScanner child dying of old age
Dec 16 08:08:21 marcel MailScanner[23624]: MailScanner child dying of old age
Dec 16 08:08:24 marcel MailScanner[23616]: MailScanner child dying of old age
Dec 16 11:24:32 marcel MailScanner[25341]: MailScanner child dying of old age
Dec 16 11:24:35 marcel MailScanner[25353]: MailScanner child dying of old age
Dec 16 14:44:08 marcel MailScanner[30451]: MailScanner child dying of old age
Dec 16 14:44:08 marcel MailScanner[30463]: MailScanner child dying of old age
Dec 16 15:28:38 marcel MailScanner[4288]: MailScanner child dying of old age
Dec 16 15:28:40 marcel MailScanner[4280]: MailScanner child dying of old age
Dec 16 19:38:36 marcel MailScanner[5757]: MailScanner child dying of old age
Dec 16 19:56:18 marcel MailScanner[5746]: MailScanner child dying of old age
Dec 16 21:30:17 marcel MailScanner[12214]: MailScanner child dying of old age
Dec 16 21:30:19 marcel MailScanner[12743]: MailScanner child dying of old age

Every time with all connections closed and then restarting as if i had
done a

rcMailScanner restart

Means new filetype-settings etc..

is this the normal behaviour?

Running currently:

Running on
Linux marcel 2.6.13-15.18-default #1 Tue Oct 2 17:36:20 UTC 2007 i686 i686 i386 GNU/Linux
This is SUSE LINUX 10.0 (i586)
This is Perl version 5.008007 (5.8.7)

This is MailScanner version 4.71.10
Module versions are:
1.00	AnyDBM_File
1.23	Archive::Zip
0.23	bignum
1.04	Carp
2.012	Compress::Zlib
1.119	Convert::BinHex
0.17	Convert::TNEF
2.121_04	Data::Dumper
2.27	Date::Parse
1.00	DirHandle
1.05	Fcntl
2.73	File::Basename
2.08	File::Copy
2.01	FileHandle
1.06	File::Path
0.20	File::Temp
0.92	Filesys::Df
1.35	HTML::Entities
3.56	HTML::Parser
2.37	HTML::TokeParser
1.23	IO
1.14	IO::File
1.13	IO::Pipe
2.03	Mail::Header
1.89	Math::BigInt
0.22	Math::BigRat
3.05	MIME::Base64
5.425	MIME::Decoder
5.425	MIME::Decoder::UU
5.425	MIME::Head
5.425	MIME::Parser
3.03	MIME::QuotedPrint
5.425	MIME::Tools
0.11	Net::CIDR
1.25	Net::IP
0.16	OLE::Storage_Lite
1.04	Pod::Escapes
3.07	Pod::Simple
1.08	POSIX
1.19	Scalar::Util
1.77	Socket
2.18	Storable
1.4	Sys::Hostname::Long
0.26	Sys::Syslog
1.26	Test::Pod
0.8	Test::Simple
1.9715	Time::HiRes
1.02	Time::localtime

Optional module versions are:
1.38	Archive::Tar
0.23	bignum
2.02	Business::ISBN
1.14	Business::ISBN::Data
1.08	Data::Dump
1.817	DB_File
1.14	DBD::SQLite
1.605	DBI
1.10	Digest
1.01	Digest::HMAC
2.36	Digest::MD5
2.11	Digest::SHA1
1.00	Encode::Detect
0.17003	Error
0.23	ExtUtils::CBuilder
2.11	ExtUtils::ParseXS
2.37	Getopt::Long
0.44	Inline
1.06	IO::String
1.09	IO::Zlib
2.21	IP::Country
0.21	Mail::ClamAV
3.002005	Mail::SpamAssassin
v2.005	Mail::SPF
1.999001	Mail::SPF::Query
0.2808	Module::Build
0.18	Net::CIDR::Lite
0.63	Net::DNS
v0.003	Net::DNS::Resolver::Programmable
0.33	Net::LDAP
4.004	NetAddr::IP
1.80	Parse::RecDescent
missing	SAVI
3.13	Test::Harness
1.17	Test::Manifest
1.95	Text::Balanced
1.36	URI
0.7203	version
0.66	YAML

Any Help appreciated..

Marcel

From maxsec at gmail.com Tue Dec 16 21:05:17 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Dec 16 21:05:26 2008
Subject: MailScanner restarting really often..
In-Reply-To:
References:
Message-ID: <72cf361e0812161305i4533fa26ja4c7d1c29b4c93e0@mail.gmail.com>

2008/12/16 Marcel Blenkers :
> Hi there,
>
> i just realized the following.
>
> My MailScanner is restarting quiet often, even if the Restart-Settings is
> set to
>
> Restart Every = 14400
>
> This is just a grep
>
> grep "MailScanner child dying of old age" /var/log/mail
>
> Every time with all connections closed and then restarting as if i had
> done a
>
> rcMailScanner restart
>
> Means new filetype-settings etc..
>
> is this the normal behaviour?
>
> Running currently:
>
> Running on
> Linux marcel 2.6.13-15.18-default #1 Tue Oct 2 17:36:20 UTC 2007 i686 i686
> i386 GNU/Linux
> This is SUSE LINUX 10.0 (i586)
> This is Perl version 5.008007 (5.8.7)
>
> This is MailScanner version 4.71.10
>
> Any Help appreciated..
>
>
> Marcel
>

Upgrade to latest version of mailScanner. See if that helps.

If not stop mailScanner, then "MailScanner --debug --debug-sa" and look
at the end of output for any clues.

--
Martin Hepworth
Oxford, UK

From steveb_clamav at sanesecurity.com Tue Dec 16 21:05:43 2008
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Tue Dec 16 21:06:01 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <4947CA0D.8080809@nerc.ac.uk>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk>
Message-ID: <49481827.8000708@sanesecurity.com>

Greg Matthews wrote:
> Anyone know if Sane Security are submitting signatures direct to
> ClamAV? I understand that many of their signatures would make their
> way into the official Clam updates.

Sanesecurity signatures aren't being added into the ClamAV official
signatures... they are totally third-party sigs.

> Sounds like a P2P distribution mech may have helped here.
>

Well, I've just managed to find a little time to do a little log
checking, now that the round-robin php script was turned off..

Checking the log for today:

In other words, if people downloaded the sigs every hour, each ip should only have 24 hits....as you can see, the above ips are WAY over that. Checking the log in detail... it's seems people are setting the download scripts to download every second.... all adding up to: 45,554 hits an hour, add the fact that 45,554 hits would run a php script... guess that's why the cpu usage was so high on a shared server and then got suspended.

Signature Note:

People have decided to mirror the last version of the public signatures:

1. The signatures were removed and a placeholder signature added, so that hopefully people would quickly notice that their scripts needed to be changed... as the server is still getting hammered by wget/curl requests (approx 45,554 hits per hour)

2.
NO SUPPORT will be given on these unofficially mirrored signatures, in fact these mirrored signatures are already out of date, some false positives have already been corrected and new signatures have already been added to my private version of the signatures.

Hope that helps,

Steve
Sanesecurity

From shuttlebox at gmail.com Tue Dec 16 21:27:46 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Dec 16 21:27:55 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <49481827.8000708@sanesecurity.com>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com>
Message-ID: <625385e30812161327w20ed0c07w85662e38450a6b87@mail.gmail.com>

On Tue, Dec 16, 2008 at 10:05 PM, Steve Basford wrote:
> In other words, if people downloaded the sigs every hour, each ip should only have 24 hits....as you can see, the above ips are WAY over that. Checking the log in detail... it's seems people are setting the download scripts to download every second.... all adding up to: 45,554 hits an hour, add the fact that 45,554 hits would run a php script... guess that's why the cpu usage was so high on a shared server and then got suspended.

Can't you keep a rolling log for the last hour and if a connecting ip is already present in the log you block them for 24h?

--
/peter

From glenn.steen at gmail.com Tue Dec 16 22:08:31 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 16 22:08:40 2008
Subject: mailscanner dont process queue
In-Reply-To: <4947F72B.6080405@fsl.com>
References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> <4947F72B.6080405@fsl.com>
Message-ID: <223f97700812161408p47163b63sc636d39323e85071@mail.gmail.com>

2008/12/16 Steve Freegard :
> Marco mangione wrote:
>>
>> ok i'm new here.. what thing can be useful for you to define the problem ?
>
> Here's the standard procedure anyone should follow if they have a queue that is not being processed.
>
> 1) Stop MailScanner
>
> 2) run 'MailScanner --debug --debug-sa'
>
> 3) Post the tail end of the output of step 2 to the list the command does not finished with 'Stopping now as you are debugging me...'
>
> Cheers,
> Steve.

... And when reporting the problem to the list, at least include (if not present in the info you post) the version of MailScanner and what MTA (and version) you are using... Perhaps details like if you use an rpm-based linux system, the tarball on a unix host, or similar things might also help. A few words about the server itself (RAM/CPU) and whatever config options one think necessary... might also be good. But at least version of MailScanner and MTA.

If, just as an example, you run Postfix with a slightly wrongly configured system (razor slightly misconfigured), there might be a file in the hold queue that isn't a postfix queue file... This just might give the effect you describe. Or this could be one of a few bugs (already fixed:-) that under certain circumstances would have this effect. So we really need that info to be able to help better.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rcooper at dwford.com Tue Dec 16 22:44:42 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Dec 16 22:44:59 2008
Subject: Sanesecurity signatures are no longer being updatedor distributed
In-Reply-To: <49481827.8000708@sanesecurity.com>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com>
Message-ID: <620AEF3B62844BDD9A7B0844F01CA70B@SAHOMELT>

I would say if you do begin to maintain the sigs again it would be worth a little time to look into a blacklisting mechanism for ips that are above a set minimum. I believe that the snare people used to do that. Say more than 24 hits per 24 hrs results in a ban of say 48/72 hrs.
Just a thought

Rick

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Basford
> Sent: Tuesday, December 16, 2008 4:06 PM
> To: MailScanner discussion
> Subject: Re: Sanesecurity signatures are no longer being updatedor distributed
>
> Greg Matthews wrote:
> > Anyone know if Sane Security are submitting signatures direct to ClamAV? I understand that many of their signatures would make their way into the official Clam updates.
>
> Sanesecurity signatures aren't being added into the ClamAV official signatures... they are totally third-party sigs.
>
> > Sounds like a P2P distribution mech may have helped here.
>
> Well, I've just managed to find a little time to do a little log checking, now that the round-robin php script was turned off.. Checking the log for today:
>
> In other words, if people downloaded the sigs every hour, each ip should only have 24 hits....as you can see, the above ips are WAY over that. Checking the log in detail... it's seems people are setting the download scripts to download every second.... all adding up to: 45,554 hits an hour, add the fact that 45,554 hits would run a php script... guess that's why the cpu usage was so high on a shared server and then got suspended.
>
> Signature Note:
>
> People have decided to mirror the last version of the public signatures:
>
> 1. The signatures were removed and a placeholder signature added, so that hopefully people would quickly notice that their scripts needed to be changed... as the server is still getting hammered by wget/curl requests (approx 45,554 hits per hour)
>
> 2. NO SUPPORT will be given on these unofficially mirrored signatures, in fact these mirrored signatures are already out of date, some false positives have already been corrected and new signatures have already been added to my private version of the signatures.
>
> Hope that helps,
>
> Steve
> Sanesecurity

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
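
The per-IP threshold-and-ban mechanism proposed in the replies above, as an added example that is not code from the thread or from Sanesecurity. It replays a constructed access log through both suggested policies (a rolling one-hour log with a 24 h block, and more than 24 hits per 24 hrs with a 48 hr ban); the Common Log Format, the documentation-range IP addresses, the request path and every class and function name are assumptions.

```python
"""Per-IP download limiter replayed over an access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: Common Log Format. The thread never shows the real log layout.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
STAMP = "%d/%b/%Y:%H:%M:%S %z"

# Constructed client addresses from the RFC 5737 documentation ranges.
POLITE = "192.0.2.10"    # fetches once an hour
HAMMER = "198.51.100.7"  # fetches once a second


class DownloadLimiter:
    """Allow max_hits per sliding window; on excess, refuse for ban."""

    def __init__(self, max_hits, window, ban):
        self.max_hits = max_hits
        self.window = window
        self.ban = ban
        self.hits = defaultdict(deque)  # ip -> times of served hits in window
        self.banned_until = {}          # ip -> time the ban ends

    def check(self, ip, now):
        """Return True if the request is served, False if refused."""
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return False            # still banned; ban is not extended
            del self.banned_until[ip]
        served = self.hits[ip]
        while served and now - served[0] >= self.window:
            served.popleft()            # drop hits that left the window
        if len(served) >= self.max_hits:
            self.banned_until[ip] = now + self.ban
            served.clear()              # per-IP state stays bounded
            return False
        served.append(now)
        return True


def hourly_quota_policy():
    """More than 24 hits per 24 hrs -> 48 hr ban (the lower of 48/72)."""
    return DownloadLimiter(24, timedelta(hours=24), timedelta(hours=48))


def rolling_hour_policy():
    """Seen again within the last hour -> blocked for 24 h."""
    return DownloadLimiter(1, timedelta(hours=1), timedelta(hours=24))


def build_sample_log():
    """Constructed log: one hourly client, one per-second client."""
    start = datetime(2008, 12, 16, tzinfo=timezone.utc)
    events = [(start + timedelta(hours=h), POLITE) for h in range(24)]
    events += [(start + timedelta(seconds=s), HAMMER) for s in range(600)]
    events.append((start + timedelta(hours=49), HAMMER))  # after any ban
    return [
        f'{ip} - - [{ts.strftime(STAMP)}] "GET /sigs.example HTTP/1.0" 200 512'
        for ts, ip in sorted(events)
    ]


def replay(lines, limiter):
    """Feed log lines through the limiter; count served/refused per IP."""
    tally = defaultdict(lambda: {"served": 0, "refused": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                    # skip lines that are not CLF
        ip, stamp = m.groups()
        now = datetime.strptime(stamp, STAMP)
        verdict = "served" if limiter.check(ip, now) else "refused"
        tally[ip][verdict] += 1
    return dict(tally)


if __name__ == "__main__":
    log = build_sample_log()
    for name, policy in (("24 per 24h", hourly_quota_policy()),
                         ("rolling hour", rolling_hour_policy())):
        for ip, counts in sorted(replay(log, policy).items()):
            print(f"{name:12} {ip:14} {counts}")
```

With the one-hour rule, a client whose hourly job fires even a second early is blocked for a day, so the window should be somewhat shorter than the advertised update interval to leave room for cron jitter.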
From r.berber at computer.org Tue Dec 16 23:26:36 2008
From: r.berber at computer.org (René Berber)
Date: Tue Dec 16 23:26:58 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <49481827.8000708@sanesecurity.com>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com>
Message-ID:

Steve Basford wrote:
...
> In other words, if people downloaded the sigs every hour, each ip should only have 24 hits....as you can see, the above ips are WAY over that. Checking the log in detail... it's seems people are setting the download scripts to download every second.... all adding up to: 45,554 hits an hour, add the fact that 45,554 hits would run a php script... guess that's why the cpu usage was so high on a shared server and then got suspended.
...

I agree with the others, a blacklist mechanism is in order.

Fail2ban would be easy to set up (if your server is Linux, better) with some rules like the ones Rick Cooper mentioned. Of course you won't test for failures, just for normal access within a given time period.

I often wonder how many system admins are so incompetent (just read this list).

--
René Berber

From maillists at conactive.com Tue Dec 16 23:31:53 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 16 23:32:02 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <49481827.8000708@sanesecurity.com>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com>
Message-ID:

Steve Basford wrote on Tue, 16 Dec 2008 21:05:43 +0000:

> as the server is still getting hammered by wget/curl requests (approx 45,554 hits per hour)

I fear this won't change much until you start distributing a few nice FP signatures. You won't get those idiots off the server any other way as we know from a lot of deceased RBLs.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From beatinger at edenhosting.net Wed Dec 17 07:35:34 2008
From: beatinger at edenhosting.net (Bjorgen T. Eatinger)
Date: Wed Dec 17 07:36:07 2008
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net>
Message-ID: <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net>

What the hell is the stupid mailing list for if nobody every fucking answers it??

-----Original Message-----
From: Bjorgen T. Eatinger
Sent: Sunday, December 14, 2008 8:18 PM
To: mailscanner@lists.mailscanner.info
Cc: Bjorgen T. Eatinger
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST

1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why?

2. There has been (for at least the last 3 weeks) a recent huge flood of emails that are setup to "appear" to have originated from the same email address which the SPAM is being sent to, and the addresses are perfectly valid addresses stored on our email server (NOT ACCOUNTS, but valid ALIASES).

For example a valid alias on our mail server would be: booking@edenaudio.com

The SPAM email is SENT to that email address and is also setup to COME from that address.

Has there been any discussion or attempts to get rid of this most annoying new type of SPAM? I don't see it as very difficult to catch, as the following conditions are always TRUE in all cases:

a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done when testing)

b. Almost every email contains "status" in the subject

c. Every email always contains HTML and the words "click here" in every one (see below)

I believe any one of these items would work to stop this flood of email (especially b or c). Can you please let me know how I could implement any one or all of these methods?

Thank you!

Click here to try!

Crazy weight loss formula


Arab and Middle East leaders meet in Riyadh, Saudifun."
into a different phase" of operations, and that Iran hasWednesday, March 28, 2007
63 seats are required for a majority government inreport was tabled.

From shuttlebox at gmail.com Wed Dec 17 08:22:21 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Dec 17 08:22:30 2008
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net>
Message-ID: <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com>

On Wed, Dec 17, 2008 at 8:35 AM, Bjorgen T. Eatinger wrote:
> What the hell is the stupid mailing list for if nobody every fucking answers it??

What's wrong with you? You've gotten several answers already. Look in the list archive if you don't believe us. Maybe you're so incompetent you have managed to block the list... :-)

--
/peter

From traced at xpear.de Wed Dec 17 08:28:53 2008
From: traced at xpear.de (traced)
Date: Wed Dec 17 08:29:07 2008
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com>
Message-ID: <4948B845.8030400@xpear.de>

shuttlebox wrote:
> On Wed, Dec 17, 2008 at 8:35 AM, Bjorgen T. Eatinger wrote:
>> What the hell is the stupid mailing list for if nobody every fucking answers it??
>
> What's wrong with you? You've gotten several answers already. Look in the list archive if you don't believe us. Maybe you're so incompetent you have managed to block the list...
> :-)
>

Strange things going on here :-)

Regards,
Bastian

From glenn.steen at gmail.com Wed Dec 17 08:45:26 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 17 08:45:38 2008
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net>
Message-ID: <223f97700812170045h1999b3der1f6fa5c32c160a6e@mail.gmail.com>

2008/12/17 Bjorgen T. Eatinger :
> What the hell is the stupid mailing list for if nobody every fucking answers it??
>

Well, for one thing... Your tone is non-conducive with replying. Bad manners/language tend to put people off from _helping YOU for free_. Apart from that Brent, Hugo and James had given you some good advice, so I (among several others) refrained from answering... although one could do other things than a pure SA solution, as James suggested (is it envelope sender of "From:" line that is spoofed? If the former, are you in a situation where you can REJECT such attempts (ie having a very controlled _sending_ situation, so to speak? Would save some resources compared to SA, perhaps bnnot so much compared to an SPF-based thing, as suggested by Brent).

Why nobody answers to you directly (apart from me:-)? Because this is a mailing list. If you're on it, it should be enough to mail to that... hence noone press "reply all"... If you bother to ask the list, at least bother to try track it. If you don't like to be a member, then use gmane. Jeez...

Why do you have a snippet of spam-looking HTML at the end?

--
-- Glenn

> -----Original Message-----
> From: Bjorgen T. Eatinger
> Sent: Sunday, December 14, 2008 8:18 PM
> To: mailscanner@lists.mailscanner.info
> Cc: Bjorgen T. Eatinger
> Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
>
> 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why?
>
> 2. There has been (for at least the last 3 weeks) a recent huge flood of emails that are setup to "appear" to have originated from the same email address which the SPAM is being sent to, and the addresses are perfectly valid addresses stored on our email server (NOT ACCOUNTS, but valid ALIASES).
>
> For example a valid alias on our mail server would be: booking@edenaudio.com
>
> The SPAM email is SENT to that email address and is also setup to COME from that address.
>
> Has there been any discussion or attempts to get rid of this most annoying new type of SPAM? I don't see it as very difficult to catch, as the following conditions are always TRUE in all cases:
>
> a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done when testing)
>
> b. Almost every email contains "status" in the subject
>
> c. Every email always contains HTML and the words "click here" in every one (see below)
>
> I believe any one of these items would work to stop this flood of email (especially b or c). Can you please let me know how I could implement any one or all of these methods?
>
> Thank you!
>
> Click here to try!
>
> Crazy weight loss formula
>
> Arab and Middle East leaders meet in Riyadh, Saudifun."
> into a different phase" of operations, and that Iran hasWednesday, March 28, 2007
> 63 seats are required for a majority government inreport was tabled.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From brentgclarklist at gmail.com Wed Dec 17 09:37:58 2008
From: brentgclarklist at gmail.com (Brent Clark)
Date: Wed Dec 17 09:38:11 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <49481827.8000708@sanesecurity.com>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com>
Message-ID: <4948C876.1080005@gmail.com>

Steve Basford wrote:
> Position: IP: number of hits for today
>
> 1 196.35.158.184 2,538
> 2 86.96.229.88 1,504
> 3 196.25.255.218 1,080

Hi

I had a look at the IP's of 1 and 3. If I'm not mistaken, those are transparent proxies in South Africa.

I don't think you can block by per ip as it would mean no one would get a chance and would lead to a level of unfairness.

In my opinion Sanesecurity should look at another solution and if I can too suggest blocking ips should be a last resort (if at all a solution) to solving your problem.

Maybe look at this as a positive and understand that your project is great, in demand and successful therefore you should look to improve services and meet up with demand for coming year. Therefore why not look to increase the specs of the machine, setup mirrors, use torrents etc ... basically look at ways of distributing / load balancing.

Regards and my 2c.

Brent Clark

From jcputter at numata.co.za Wed Dec 17 09:58:23 2008
From: jcputter at numata.co.za (JC Putter)
Date: Wed Dec 17 09:58:52 2008
Subject: live.com spam getting througt
In-Reply-To: <4948C876.1080005@gmail.com>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com> <4948C876.1080005@gmail.com>
Message-ID:

Lately I have been receiving a lot of spam from random @live.com addresses,

0.00 HS_INDEX_PARAM Link contains a common tracker pattern.

Is the only hit that I get,

Received: from bay0-omc3-s15.bay0.hotmail.com (bay0-omc3-s15.bay0.hotmail.com [65.54.246.215])
    by mail.fenceandgate.co.za (Postfix) with ESMTP id 114CD8085FF
    for ; Wed, 17 Dec 2008 00:02:15 +0200 (SAST)
Received: from BAY105-W50 ([65.54.224.150]) by bay0-omc3-s15.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 16 Dec 2008 13:53:48 -0800
Message-ID:
X-Originating-IP: [94.214.121.47]
From: Louise Fitten
Sender:
To: Creditors
Subject: Hot babe gets a double penetration. annoyance
Date: Tue, 16 Dec 2008 10:53:48 -1100
Importance: Normal
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 16 Dec 2008 21:53:48.0942 (UTC) FILETIME=[C6C13AE0:01C95FC8]

__________ Information from ESET NOD32 Antivirus, version of virus signature database 3373 (20080821) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

This message has been scanned by Nexus Mail Gateway

From shuttlebox at gmail.com Wed Dec 17 10:02:34 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Dec 17 10:02:44 2008
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <4948C876.1080005@gmail.com>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com> <4948C876.1080005@gmail.com>
Message-ID: <625385e30812170202p474a1381u71b4b0224f8dd4a4@mail.gmail.com>

On Wed, Dec 17, 2008 at 10:37 AM, Brent Clark wrote:
> I dont think you can block by per ip as it would mean no one would get a chance and would lead to a level of unfairness.

From Steve's perspective that ip is still a problem no matter how many who is behind it. They should cache their requests.

> Maybe look at this as a positive and understand that your project is great, indemand and successful therefore you should look to improve services and meet up with demand for coming year.
> Therefore why not look to increase the specs of the machine, setup mirrors, use torrents etc ... basically look at ways of distributing / load balancing.

People need to learn how to set up things in a reasonable way. Clam had to move to a DNS based update mechanism because people would hammer their mirrors every minute for updates. It's a shame that progress has to come from stupidity.
:-)

--
/peter

From MailScanner at ecs.soton.ac.uk Wed Dec 17 11:46:14 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Dec 17 11:46:35 2008
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com>
Message-ID: <4948E686.6050306@ecs.soton.ac.uk>

For using language like that, I propose to ban him from the list.
Any objections?

(I have suspended his membership at the moment so that he's not party to this, and won't get any other traffic from this list)

> On Wed, Dec 17, 2008 at 8:35 AM, Bjorgen T. Eatinger wrote:
>
>> What the hell is the stupid mailing list for if nobody every fucking answers it??
>>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From jcputter at numata.co.za Wed Dec 17 12:09:18 2008
From: jcputter at numata.co.za (JC Putter)
Date: Wed Dec 17 12:09:41 2008
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <4948E686.6050306@ecs.soton.ac.uk>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk>
Message-ID:

Ban him

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: 17 December 2008 01:46 PM
To: MailScanner discussion
Subject: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST

For using language like that, I propose to ban him from the list.
Any objections?

(I have suspended his membership at the moment so that he's not party to this, and won't get any other traffic from this list)

> On Wed, Dec 17, 2008 at 8:35 AM, Bjorgen T. Eatinger wrote:
>
>> What the hell is the stupid mailing list for if nobody every fucking answers it??
>>

Jules

From Amelein at dantumadeel.nl Wed Dec 17 12:15:58 2008
From: Amelein at dantumadeel.nl (Amelein@dantumadeel.nl)
Date: Wed Dec 17 12:16:33 2008
Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <4948E686.6050306@ecs.soton.ac.uk>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com><625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk>
Message-ID: <4948FB8E.BDBC.008E.3@Dantumadeel.nl>

I actually think all his e-mails have been filtered out for a lot of people because everyone on this list is more or less using the same anti spam service ;) .. I couldn't find any on my end anyway. But yea, no reason for bad language..

- Arjan

>>> On 17-12-2008 at 12:46, in message <4948E686.6050306@ecs.soton.ac.uk>, Julian Field wrote:
> For using language like that, I propose to ban him from the list.
> Any objections?
>
> (I have suspended his membership at the moment so that he's not party to this, and won't get any other traffic from this list)
>

**************************************************************************
The contents of this e-mail are intended solely for the addressee(s). If this e-mail has reached you in error, you are requested to contact the sender.
Use of the contents of this e-mail without the sender's permission is not permitted and is unlawful. No rights can be derived from the contents of this e-mail. The municipality of Dantumadeel excludes any liability that may arise from the contents of this e-mail.
THINK OF OUR ENVIRONMENT BEFORE YOU DECIDE TO PRINT THIS E-MAIL!
**************************************************************************

From alijawad1 at gmail.com Wed Dec 17 12:17:24 2008
From: alijawad1 at gmail.com (Ali Jawad)
Date: Wed Dec 17 12:17:34 2008
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To:
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk>
Message-ID:

Ban him

On Wed, Dec 17, 2008 at 2:09 PM, JC Putter wrote:
> Ban him
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: 17 December 2008 01:46 PM
> To: MailScanner discussion
> Subject: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
>
> For using language like that, I propose to ban him from the list.
> Any objections?
>
> (I have suspended his membership at the moment so that he's not party to this, and won't get any other traffic from this list)
>
>> On Wed, Dec 17, 2008 at 8:35 AM, Bjorgen T. Eatinger wrote:
>>
>>> What the hell is the stupid mailing list for if nobody every fucking answers it??
>>>
>
> Jules

From sandrews at andrewscompanies.com Wed Dec 17 12:19:12 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Wed Dec 17 12:19:22 2008
Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net>
Message-ID: <1964AAFBC212F742958F9275BF63DBB0A7270A@winchester.andrewscompanies.com>

Will someone please kick him?
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Bjorgen T. Eatinger Sent: Wednesday, December 17, 2008 2:36 AM To: Bjorgen T. Eatinger; mailscanner@lists.mailscanner.info Subject: RE: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST What the hell is the stupid mailing list for if nobody every fucking answers it?? -----Original Message----- From: Bjorgen T. Eatinger Sent: Sunday, December 14, 2008 8:18 PM To: mailscanner@lists.mailscanner.info Cc: Bjorgen T. Eatinger Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why? 2. There has been (for at least the last 3 weeks) a recent huge flood of emails that are setup to "appear" to have originated from the same email address which the SPAM is being sent to, and the addresses are perfectly valid addresses stored on our email server (NOT ACCOUNTS, but valid ALIASES). For example a valid alias on our mail server would be: booking@edenaudio.com The SPAM email is SENT to that email address and is also setup to COME from that address. Has there been any discussion or attempts to get rid of this most annoying new type of SPAM? I don't see it as very difficult to catch, as the following conditions are always TRUE in all cases: a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done when testing) b. Almost every email contains "status" in the subject c. Every email always contains HTML and the words "click here" in every one (see below) I believe any one of these items would work to stop this flood of email (especially b or c). Can you please let me know how I could implement any one or all of these methods? Thank you!
Click here to
try!

Crazy weight loss formula


Arab and Middle East leaders meet in Riyadh, Saudifun."
into a different phase" of operations, and that Iran hasWednesday, March 28, 2007
63 seats are required for a majority government inreport was tabled.
From james at gray.net.au Wed Dec 17 12:19:25 2008 From: james at gray.net.au (James Gray) Date: Wed Dec 17 12:19:51 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <4948E686.6050306@ecs.soton.ac.uk> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk> Message-ID: On 17/12/2008, at 10:46 PM, Julian Field wrote: > For using language like that, I propose to ban him from the list. > Any objections? None from me. We're a civilised bunch here, and I for one found this guy's tone and manner rather abrasive. He didn't take suggestions, he ignored advice, and then throws in a bunch of profanity to top it off. He's already in my MTA's kill file, so do what you wish with him on this list ;) Cheers, James From alex at rtpty.com Wed Dec 17 12:35:34 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Dec 17 12:35:50 2008 Subject: mailscanner dont process queue In-Reply-To: References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> Message-ID: Everything. OS version, mta, MailScanner version, hw specs, the more the better. On Dec 16, 2008, at 1:02 PM, "Marco mangione" wrote: > ok i'm new here.. what thing can be useful for you to define the > problem ? > > 2008/12/16 Alex Neuman van der Hans > You need to define the problem first.
> > In the meantime you may want to turn off the processing and deliver > the e-mails "as is". > > If you need help you need to specify a lot of things about your > setup so people can start to help, otherwise we'd be just guessing. > > > On Dec 16, 2008, at 12:43 PM, Marco mangione wrote: > > i have a big queue, about 2000 email ... load average of server is > 0.20 ... nothing! but mailscanner don't process mail.. is so slow in > processing ..... how can i fix the problem ? From alex at rtpty.com Wed Dec 17 12:40:35 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Dec 17 12:40:52 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <4948E686.6050306@ecs.soton.ac.uk> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk> Message-ID: <764DBB65-BB9B-4709-92B9-FA6DD457D49D@rtpty.com> My only objection is that it isn't punishment enough. On Dec 17, 2008, at 6:46 AM, Julian Field wrote: > For using language like that, I propose to ban him from the list. > Any objections?
> > (I have suspended his membership at the moment so that he's not > party to this, and won't get any other traffic from this list) > >> On Wed, Dec 17, 2008 at 8:35 AM, Bjorgen T. Eatinger >> wrote: >> >>> What the hell is the stupid mailing list for if nobody every >>> fucking answers it?? >>> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at rtpty.com Wed Dec 17 12:42:12 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Dec 17 12:42:29 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A7270A@winchester.andrewscompanies.com> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <1964AAFBC212F742958F9275BF63DBB0A7270A@winchester.andrewscompanies.com> Message-ID: <7B638CD2-D54D-448E-BCA0-1150FC28A0D1@rtpty.com> You don't mean from the list, right? I can understand why thoughts of physically doing it might pop up... ;-) On Dec 17, 2008, at 7:19 AM, "Steven Andrews" wrote: > Will someone please kick him? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Bjorgen > T. 
Eatinger > Sent: Wednesday, December 17, 2008 2:36 AM > To: Bjorgen T. Eatinger; mailscanner@lists.mailscanner.info > Subject: RE: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST > > What the hell is the stupid mailing list for if nobody every fucking > answers it?? > > -----Original Message----- > From: Bjorgen T. Eatinger > Sent: Sunday, December 14, 2008 8:18 PM > To: mailscanner@lists.mailscanner.info > Cc: Bjorgen T. Eatinger > Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST > > 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why? > > 2. There has been (for at least the last 3 weeks) a recent huge > flood of > emails that are setup to "appear" to have originated from the same > email > address which the SPAM is being sent to, and the addresses are > perfectly > valid addresses stored on our email server (NOT ACCOUNTS, but valid > ALIASES). > > For example a valid alias on our mail server would be: > booking@edenaudio.com > > The SPAM email is SENT to that email address and is also setup to COME > from that address. > > Has there been any discussion or attempts to get rid of this most > annoying new type of SPAM? I don't see it as very difficult to catch, > as the following conditions are always TRUE in all cases: > > a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done > when > testing) > > b. Almost every email contains "status" in the subject > > c. Every email always contains HTML and the words "click here" in > every > one (see below) > > I believe any one of these items would work to stop this flood of > email > (especially b or c). Can you please let me know how I could implement > any one or all of these methods? > > Thank you! > > > >
src="http://images.downgrand.com/acai3.jpg" border=0 alt="Click here > to > try!">
>
Crazy weight loss > formula
>

> Arab and Middle East leaders meet in Riyadh, Saudifun."
> into a different phase" of operations, and that Iran hasWednesday, > March > 28, 2007
> 63 seats are required for a majority government inreport was > tabled.
From jcputter at numata.co.za Wed Dec 17 12:45:33 2008 From: jcputter at numata.co.za (JC Putter) Date: Wed Dec 17 12:45:53 2008 Subject: Attachment Blocking Release In-Reply-To: References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> Message-ID: Hi I am blocking some attachments like mp3,avi,mpeg etc.. If a message is quarantined because of the filetype, and i want to release it from the quarantine then message is quarantined again, i don't have this issue with normal spam, I am using Mailscanner 4.72 and mailwatch 1.04 From sandrews at andrewscompanies.com Wed Dec 17 12:59:46 2008 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Wed Dec 17 12:59:56 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <7B638CD2-D54D-448E-BCA0-1150FC28A0D1@rtpty.com> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><1964AAFBC212F742958F9275BF63DBB0A7270A@winchester.andrewscompanies.com> <7B638CD2-D54D-448E-BCA0-1150FC28A0D1@rtpty.com> Message-ID: <1964AAFBC212F742958F9275BF63DBB0A7270B@winchester.andrewscompanies.com> Oh, you meant from the list...sorry, I didn't think of that.
Yeah, we can kick him from the list, I just thought queuing up and everyone having a kick at his backside would be a nice Christmas present for everyone here. Silly me. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans Sent: Wednesday, December 17, 2008 7:42 AM To: MailScanner discussion Subject: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST You don't mean from the list, right? I can understand why thoughts of physically doing it might pop up... ;-) On Dec 17, 2008, at 7:19 AM, "Steven Andrews" wrote: > Will someone please kick him? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Bjorgen > T. Eatinger > Sent: Wednesday, December 17, 2008 2:36 AM > To: Bjorgen T. Eatinger; mailscanner@lists.mailscanner.info > Subject: RE: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST > > What the hell is the stupid mailing list for if nobody every fucking > answers it?? > > -----Original Message----- > From: Bjorgen T. Eatinger > Sent: Sunday, December 14, 2008 8:18 PM > To: mailscanner@lists.mailscanner.info > Cc: Bjorgen T. Eatinger > Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST > > 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why? > > 2. There has been (for at least the last 3 weeks) a recent huge > flood of > emails that are setup to "appear" to have originated from the same > email > address which the SPAM is being sent to, and the addresses are > perfectly > valid addresses stored on our email server (NOT ACCOUNTS, but valid > ALIASES). > > For example a valid alias on our mail server would be: > booking@edenaudio.com > > The SPAM email is SENT to that email address and is also setup to COME > from that address. > > Has there been any discussion or attempts to get rid of this most > annoying new type of SPAM? 
I don't see it as very difficult to catch, > as the following conditions are always TRUE in all cases: > > a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done > when > testing) > > b. Almost every email contains "status" in the subject > > c. Every email always contains HTML and the words "click here" in > every > one (see below) > > I believe any one of these items would work to stop this flood of > email > (especially b or c). Can you please let me know how I could implement > any one or all of these methods? > > Thank you! > > > >
src="http://images.downgrand.com/acai3.jpg" border=0 alt="Click here > to > try!">
>
Crazy weight loss > formula
>

> Arab and Middle East leaders meet in Riyadh, Saudifun."
> into a different phase" of operations, and that Iran hasWednesday, > March > 28, 2007
> 63 seats are required for a majority government inreport was > tabled.
From sandrews at andrewscompanies.com Wed Dec 17 13:15:42 2008 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Wed Dec 17 13:15:53 2008 Subject: Attachment Blocking Release In-Reply-To: References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> Message-ID: <1964AAFBC212F742958F9275BF63DBB0A72710@winchester.andrewscompanies.com> Really more of a mailwatch question, but here's the answer: http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of JC Putter Sent: Wednesday, December 17, 2008 7:46 AM To: MailScanner discussion Subject: Attachment Blocking Release Hi I am blocking some attachments like mp3,avi,mpeg etc.. If a message is quarantined because of the filetype, and i want to release it from the quarantine then message is quarantined again, i don't have this issue with normal spam, I am using Mailscanner 4.72 and mailwatch 1.04
From jcputter at numata.co.za Wed Dec 17 13:21:58 2008 From: jcputter at numata.co.za (JC Putter) Date: Wed Dec 17 13:22:23 2008 Subject: Attachment Blocking Release In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72710@winchester.andrewscompanies.com> References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> <1964AAFBC212F742958F9275BF63DBB0A72710@winchester.andrewscompanies.com> Message-ID: Sorry, but thank you for pointing me to the answer From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews Sent: 17 December 2008 03:16 PM To: MailScanner discussion Subject: RE: Attachment Blocking Release Really more of a mailwatch question, but here's the answer: http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of JC Putter Sent: Wednesday, December 17, 2008 7:46 AM To: MailScanner discussion Subject: Attachment Blocking Release Hi I am blocking some attachments like mp3,avi,mpeg etc.. If a message is quarantined because of the filetype, and i want to release it from the quarantine then message is quarantined again, i don't have this issue with normal spam, I am using Mailscanner 4.72 and mailwatch 1.04
From glenn.steen at gmail.com Wed Dec 17 13:34:52 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Dec 17 13:35:02 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <4948FB8E.BDBC.008E.3@Dantumadeel.nl> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk> <4948FB8E.BDBC.008E.3@Dantumadeel.nl> Message-ID: <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> 2008/12/17 : > I actually think all his e-mails have been filtered out for a lot of people because everyone on this list is more or less using the same anti spam service ;) .. I couldn't find any on my end anyway. > But yea, no reason for bad language.. > > - > Arjan There's been seven conversations started by Bjorgen T Eatinger during the last two years. Most have been some kind of complaint about the mailing list or the mail list digest, or similar. So far s/he has never replied to any of the feedback rendered.
I think we can safely say that any problem resides between a certain person's chair and keyboard...:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Dec 17 14:00:40 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Dec 17 14:00:59 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk> <4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> Message-ID: <49490608.7090806@ecs.soton.ac.uk> On 17/12/08 13:34, Glenn Steen wrote: > 2008/12/17: > >> I actually think all his e-mails have been filtered out for a lot of people because everyone on this list is more or less using the same anti spam service ;) .. I couldn't find any on my end anyway. >> But yea, no reason for bad language.. >> >> - >> Arjan >> > There's been seven conversations started by Bjorgen T Eatinger during > the last two years. Most have been some kind of complaint about the > mailing list or the mail list digest, or similar. > So far s/he has never replied to any of the feedback rendered. > > I think we can safely say that any problem resides between a certain > person's chair and keyboard...:-) > > That was pretty quick and conclusive. I have unsubscribed him and banned him from ever joining again from that address. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss?
Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From drew.marshall at technologytiger.net Wed Dec 17 14:27:17 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Wed Dec 17 14:27:49 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <49490608.7090806@ecs.soton.ac.uk> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk> <4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> <49490608.7090806@ecs.soton.ac.uk> Message-ID: <21D2C140-9B0B-4CB1-83EA-26549EDFDE21@technologytiger.net> On 17 Dec 2008, at 14:00, Julian Field wrote: > On 17/12/08 13:34, Glenn Steen wrote: >> 2008/12/17: >> >>> I actually think all his e-mails have been filtered out for a lot >>> of people because everyone on this list is more or less using the >>> same anti spam service ;) .. I couldn't find any on my end anyway. >>> But yea, no reason for bad language.. >>> >>> - >>> Arjan >>> >> There's been seven conversations started by Bjorgen T Eatinger during >> the last two years. Most have been some kind of complaint about the >> mailing list or the mail list digest, or similar. >> So far s/he has never replied to any of the feedback rendered. >> >> I think we can safely say that any problem resides between a certain >> person's chair and keyboard...:-) >> >> > That was pretty quick and conclusive. I have unsubscribed him and > banned him from ever joining again from that address. > > Jules It's what I love about community based processes; a question was posed, a number of 'stakeholders' responded and a decision was made all within 2 hours.
You try doing that in a corporate environment! Drew From maxsec at gmail.com Wed Dec 17 16:00:17 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Wed Dec 17 16:01:26 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> Message-ID: <72cf361e0812170800i1e8f6648i275ec8359bd21e32@mail.gmail.com> 2008/12/17 Bjorgen T. Eatinger : > What the hell is the stupid mailing list for if nobody every fucking answers it?? > > -----Original Message----- > From: Bjorgen T. Eatinger > Sent: Sunday, December 14, 2008 8:18 PM > To: mailscanner@lists.mailscanner.info > Cc: Bjorgen T. Eatinger > Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST > > 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why? > > 2. There has been (for at least the last 3 weeks) a recent huge flood of emails that are setup to "appear" to have originated from the same email address which the SPAM is being sent to, and the addresses are perfectly valid addresses stored on our email server (NOT ACCOUNTS, but valid ALIASES). > > For example a valid alias on our mail server would be: booking@edenaudio.com > > The SPAM email is SENT to that email address and is also setup to COME from that address. > > Has there been any discussion or attempts to get rid of this most annoying new type of SPAM? I don't see it as very difficult to catch, as the following conditions are always TRUE in all cases: > > a.
SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done when testing) > > b. Almost every email contains "status" in the subject > > c. Every email always contains HTML and the words "click here" in every one (see below) > > I believe any one of these items would work to stop this flood of email (especially b or c). Can you please let me know how I could implement any one or all of these methods? > > Thank you! > > > >
Click here to try!
>
Crazy weight loss formula
>

> Arab and Middle East leaders meet in Riyadh, Saudifun."
> into a different phase" of operations, and that Iran hasWednesday, March 28, 2007
> 63 seats are required for a majority government inreport was tabled.
> Are you getting answers or have you got mailscanner blocking this list? -- Martin Hepworth Oxford, UK From r.berber at computer.org Wed Dec 17 17:41:13 2008 From: r.berber at computer.org (René Berber) Date: Wed Dec 17 17:41:31 2008 Subject: Sanesecurity signatures are no longer being updated or distributed In-Reply-To: <4948C876.1080005@gmail.com> References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com> <4948C876.1080005@gmail.com> Message-ID: Brent Clark wrote: ... > In my opinion Sanesecurity should look at another solution and if I can > too suggest blocking ips should be a last resort (if at all a solution) > to solving your problem. ... Blocking IPs is common operating procedure, usually well documented (see for instance : http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml which is very close to SaneSecurity and have a "DO NOT DOWNLOAD THIS FILE MORE THAN ONCE A DAY. ANY ABUSE = BANNED IP ADDRESS." policy. -- René Berber From gesbbb at yahoo.com Wed Dec 17 17:47:22 2008 From: gesbbb at yahoo.com (GESBBB) Date: Wed Dec 17 17:47:33 2008 Subject: Sanesecurity signatures are no longer being updated or distributed References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com> <4948C876.1080005@gmail.com> Message-ID: <621646.31247.qm@web32102.mail.mud.yahoo.com> ----- Original Message ----
> From: René Berber > To: mailscanner@lists.mailscanner.info > Sent: Wednesday, December 17, 2008 12:41:13 PM > Subject: Re: Sanesecurity signatures are no longer being updated or distributed > > Brent Clark wrote: > > ... > > In my opinion Sanesecurity should look at another solution and if I can > > too suggest blocking ips should be a last resort (if at all a solution) > > to solving your problem. > ... > > Blocking IPs is common operating procedure, usually well documented (see > for instance : > > http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml > > which is very close to SaneSecurity and have a "DO NOT DOWNLOAD THIS > FILE MORE THAN ONCE A DAY. ANY ABUSE = BANNED IP ADDRESS." policy. Except, it is not enforced. I know, because I personally tried it. They may have a limit; however, it exceeds "Once per Day". From traced at xpear.de Wed Dec 17 18:10:27 2008 From: traced at xpear.de (traced) Date: Wed Dec 17 18:10:37 2008 Subject: Sanesecurity signatures are no longer being updated or distributed In-Reply-To: <621646.31247.qm@web32102.mail.mud.yahoo.com> References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com> <4948C876.1080005@gmail.com> <621646.31247.qm@web32102.mail.mud.yahoo.com> Message-ID: <49494092.2080603@xpear.de> GESBBB wrote: > > > > ----- Original Message ----
>> From: René Berber >> To: mailscanner@lists.mailscanner.info >> Sent: Wednesday, December 17, 2008 12:41:13 PM >> Subject: Re: Sanesecurity signatures are no longer being updated or distributed >> >> Brent Clark wrote: >> >> ... >>> In my opinion Sanesecurity should look at another solution and if I can >>> too suggest blocking ips should be a last resort (if at all a solution) >>> to solving your problem. >> ... >> >> Blocking IPs is common operating procedure, usually well documented (see >> for instance : >> >> http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml >> >> which is very close to SaneSecurity and have a "DO NOT DOWNLOAD THIS >> FILE MORE THAN ONCE A DAY. ANY ABUSE = BANNED IP ADDRESS." policy. > > Except, it is not enforced. I know, because I personally tried it. They may have a limit; however, it exceeds "Once per Day". > Downloading more than once a day per server? I think that's not very useful, and only costs bandwidth. From sandrews at andrewscompanies.com Wed Dec 17 19:05:57 2008 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Wed Dec 17 19:06:09 2008 Subject: Attachment Blocking Release In-Reply-To: References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com><1964AAFBC212F742958F9275BF63DBB0A72710@winchester.andrewscompanies.com> Message-ID: <1964AAFBC212F742958F9275BF63DBB0A7271B@winchester.andrewscompanies.com> No problem. Take that Mr. Bjorgen T. Eatinger! See, we really do answer questions on this list and we're even nice about it. Oh, you can't see any more messages? Whoops, too bad. Sorry guys, had to dig that in there in case he ever stumbles upon the archives; we now return you to your regularly scheduled program. From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of JC Putter Sent: Wednesday, December 17, 2008 8:22 AM To: MailScanner discussion Subject: RE: Attachment Blocking Release Sorry, but thank you for pointing me to the answer
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews Sent: 17 December 2008 03:16 PM To: MailScanner discussion Subject: RE: Attachment Blocking Release Really more of a mailwatch question, but here's the answer: http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of JC Putter Sent: Wednesday, December 17, 2008 7:46 AM To: MailScanner discussion Subject: Attachment Blocking Release Hi I am blocking some attachments like mp3,avi,mpeg etc.. If a message is quarantined because of the filetype, and i want to release it from the quarantine then message is quarantined again, i don't have this issue with normal spam, I am using Mailscanner 4.72 and mailwatch 1.04 From ssilva at sgvwater.com Wed Dec 17 19:15:09 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Dec 17 19:15:28 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <4948E686.6050306@ecs.soton.ac.uk> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk> Message-ID: on 12-17-2008 3:46 AM Julian Field spake the following: > For using language like that, I propose to ban him from the list. > Any objections? > > (I have suspended his membership at the moment so that he's not party to > this, and won't get any other traffic from this list) > >> On Wed, Dec 17, 2008 at 8:35 AM, Bjorgen T. Eatinger >> wrote: >> >>> What the hell is the stupid mailing list for if nobody every fucking >>> answers it?? >>> > > Jules > Good choice! Although I think he had already blocked himself, or his own spam filter caught his SHOUTING and dumped it. When will people learn that this list is heavily volunteer run and not a paid 24x7 support list! If you want quick answers, there are places to buy a support contract. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081217/0e6def0e/signature.bin From ssilva at sgvwater.com Wed Dec 17 19:16:09 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Dec 17 19:20:14 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net> <1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net> <625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com> <4948E686.6050306@ecs.soton.ac.uk> Message-ID: Burn him! Burn the witch!! ;-P on 12-17-2008 4:17 AM Ali Jawad spake the following: > Ban him > > On Wed, Dec 17, 2008 at 2:09 PM, JC Putter wrote: >> Ban him >> -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081217/52daedc3/signature.bin From ssilva at sgvwater.com Wed Dec 17 19:45:54 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Dec 17 19:46:16 2008 Subject: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A7270B@winchester.andrewscompanies.com> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><1964AAFBC212F742958F9275BF63DBB0A7270A@winchester.andrewscompanies.com> <7B638CD2-D54D-448E-BCA0-1150FC28A0D1@rtpty.com> <1964AAFBC212F742958F9275BF63DBB0A7270B@winchester.andrewscompanies.com> Message-ID: on 12-17-2008 4:59 AM Steven Andrews spake the following: > Oh, you meant from the list...sorry, I didn't think of that. Yeah, we > can kick him from the list, I just thought queuing up and everyone > having a kick at his backside would be a nice Christmas present for > everyone here. Silly me. > Now that is a remote reboot! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081217/a3daaa27/signature.bin From ssilva at sgvwater.com Wed Dec 17 19:50:10 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Dec 17 19:55:16 2008 Subject: Buy Mailscanner Book in Germany? In-Reply-To: <6a25bd893bd8c3f9f49d1b50262e7adb@localhost> References: <4946B791.1070201@xpear.de> <4946BE99.9060302@ecs.soton.ac.uk> <6a25bd893bd8c3f9f49d1b50262e7adb@localhost> Message-ID: >> > > Never thought it could be so hard just to buy a book? My main problem is > that I dont have a credit card, and I will not change that just for a book > ;) > > Bastian Maybe you can find a local bookshop that will buy it online for you if you pay in advance their costs. Although it is getting harder to find a local bookshop that isn't a big corporation anymore. Or maybe a credit card based gift card, if they have them in your country. You buy them at a face value plus a handling fee. When empty you toss them. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081217/516cb0c6/signature.bin From ssilva at sgvwater.com Wed Dec 17 20:02:46 2008 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec 17 20:03:02 2008
Subject: MailScanner restarting really often..
In-Reply-To:
References:
Message-ID:

on 12-16-2008 12:45 PM Marcel Blenkers spake the following:
> Hi there,
>
> i just realized the following.
>
> My MailScanner is restarting quite often, even if the Restart-Settings is
> set to
>
> Restart Every = 14400
>
> This is just a grep
>
> grep "MailScanner child dying of old age" /var/log/mail
>
> Result:
That is normal for children to die off and get restarted. That isn't the same as a mailscanner restart.

You will see less hits with things like
grep "MailScanner child caught a SIGHUP" /var/log/mail
which looks like it would come from a full restart.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081217/3c487e2b/signature.bin

From max at assuredata.com Wed Dec 17 22:02:05 2008
From: max at assuredata.com (Max Kipness)
Date: Wed Dec 17 22:03:45 2008
Subject: Rule for blocking own domain spam?
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B06AF9C@addc01.assuredata.local>

Hi All,

I've been trying to figure out the best method for blocking spam that appears to be sent from my own domain. Is this best done through a MailScanner rule, and if so, how? Or can it be done in Sendmail?

We've been getting tons lately.

Thanks,
Max

From Kevin_Miller at ci.juneau.ak.us Wed Dec 17 22:16:40 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Dec 17 22:16:51 2008 Subject: Rule for blocking own domain spam? In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B06AF9C@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B06AF9C@addc01.assuredata.local> Message-ID: Using SPF has worked pretty well for us... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Max Kipness Sent: Wednesday, December 17, 2008 1:02 PM To: MailScanner discussion Subject: Rule for blocking own domain spam? Hi All, I've been trying to figure out the best method for blocking spam that appears to be sent from my own domain. Is this best done through a MailScanner rule, and if so, how? Or can it be done in Sendmail? We've been getting tons lately. Thanks, Max -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Jeff.Mills at versacold.com.au Wed Dec 17 22:27:48 2008 
From: Jeff.Mills at versacold.com.au (Jeff Mills) Date: Wed Dec 17 22:28:00 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com><4948E686.6050306@ecs.soton.ac.uk><4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> Message-ID: > > - > > Arjan > There's been seven conversations started by Bjorgen T > Eatinger during the last two years. Most have been some kind > of complaint about the mailing list or the mail list digest, > or similar. > So far s/he has never replied to any of the feedback rendered. > > I think we can safely say that any problem reside between a > certain bersons chair and keyboard...:-) > Personally, I think it was a troll/bait post right from the start. > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From spamlists at coders.co.uk Wed Dec 17 23:14:29 2008 
From: spamlists at coders.co.uk (Matt) Date: Wed Dec 17 23:14:50 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com><4948E686.6050306@ecs.soton.ac.uk><4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> Message-ID: <494987D5.803@coders.co.uk> But nobody has ever answered why MailScanner causes swapping! ;-) From alex at rtpty.com Wed Dec 17 23:24:28 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Dec 17 23:24:47 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <494987D5.803@coders.co.uk> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com><4948E686.6050306@ecs.soton.ac.uk><4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> <494987D5.803@coders.co.uk> Message-ID: I believe it has to do with something called Vietsev Enema. ;-) On Dec 17, 2008, at 6:14 PM, Matt wrote: > > > But nobody has ever answered why MailScanner causes swapping! ;-) > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From david at bass.net.au Thu Dec 18 01:21:25 2008 
From: david at bass.net.au (David Lee) Date: Thu Dec 18 01:21:39 2008 Subject: Email report of stripped attachment when exceeding size limit Message-ID: <4949A595.30507@bass.net.au> Hi All, Am currently running Mailscanner (v4.67.6) with MailWatch on a FreeBSD 7.0 server (I realise the version of MailScanner is quite old, but I have installed it via the FreeBSD Ports system). I have a question regarding reporting a stripped mail attachments when they exceed the maximum configured message size limit. When this occurs the intended recipient of the email receives the report detailing what has happened on possible actions to take to prevent it (e.g. compressing the attachment). I would of thought that this report should be sent back to the sender of the email, since they are the ones who can do something about it? Is this the expected functionality of MailScanner or do I have some mis-configured? -- David From traced at xpear.de Thu Dec 18 07:44:48 2008 
From: traced at xpear.de (traced) Date: Thu Dec 18 07:44:58 2008 Subject: Buy Mailscanner Book in Germany? In-Reply-To: References: <4946B791.1070201@xpear.de> <4946BE99.9060302@ecs.soton.ac.uk> <6a25bd893bd8c3f9f49d1b50262e7adb@localhost> Message-ID: <4949FF70.8060202@xpear.de> Scott Silva schrieb: >> Never thought it could be so hard just to buy a book? My main problem is >> that I dont have a credit card, and I will not change that just for a book >> ;) >> >> Bastian > Maybe you can find a local bookshop that will buy it online for you if you pay > in advance their costs. > > Although it is getting harder to find a local bookshop that isn't a big > corporation anymore. > > Or maybe a credit card based gift card, if they have them in your country. > You buy them at a face value plus a handling fee. When empty you toss them. > > > Hi Scott, thanks for reply, I found someone in my family with card. Now there should be no problem :) Is cafepress.com reliable with shipping in other countries? Thanks, Bastian From traced at xpear.de Thu Dec 18 07:47:03 2008 
From: traced at xpear.de (traced) Date: Thu Dec 18 07:47:14 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com><4948E686.6050306@ecs.soton.ac.uk><4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> <494987D5.803@coders.co.uk> Message-ID: <4949FFF7.7060400@xpear.de> Alex Neuman van der Hans schrieb: > I believe it has to do with something called Vietsev Enema. ;-) > > > > On Dec 17, 2008, at 6:14 PM, Matt wrote: > >> >> >> But nobody has ever answered why MailScanner causes swapping! ;-) >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! Have i missed something in the last days? ;) From maxsec at gmail.com Thu Dec 18 08:27:00 2008 
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Dec 18 08:27:09 2008
Subject: Rule for blocking own domain spam?
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B06AF9C@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B06AF9C@addc01.assuredata.local>
Message-ID: <72cf361e0812180027i4c03feafo41a216fa986b6d7e@mail.gmail.com>

2008/12/17 Max Kipness :
> Hi All,
>
> I've been trying to figure out the best method for blocking spam that
> appears to be sent from my own domain. Is this best done through a
> MailScanner rule, and if so, how? Or can it be done in Sendmail?
>
> We've been getting tons lately.
>
> Thanks,
> Max
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Start with only whitelisting your own IP addresses (not the domain).

SPF can help as can the watermarking in mailscanner (helps remove the joe-job bounces).

--
Martin Hepworth
Oxford, UK

From maxsec at gmail.com Thu Dec 18 08:30:50 2008
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Dec 18 08:30:59 2008 Subject: Email report of stripped attachment when exceeding size limit In-Reply-To: <4949A595.30507@bass.net.au> References: <4949A595.30507@bass.net.au> Message-ID: <72cf361e0812180030h43f00361na900c427d815f919@mail.gmail.com> 2008/12/18 David Lee : > Hi All, > > Am currently running Mailscanner (v4.67.6) with MailWatch on a FreeBSD 7.0 > server (I realise the version of MailScanner is quite old, but I have > installed it via the FreeBSD Ports system). > > I have a question regarding reporting a stripped mail attachments when they > exceed the maximum configured message size limit. When this occurs the > intended recipient of the email receives the report detailing what has > happened on possible actions to take to prevent it (e.g. compressing the > attachment). I would of thought that this report should be sent back to the > sender of the email, since they are the ones who can do something about it? > > Is this the expected functionality of MailScanner or do I have some > mis-configured? > > -- > David > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > David I suggest emailing the recipient is best as there are some very large PDF's etc around that are actually spam and hence the 'from' would be incorrect. If you're seeing alot of this then I'd up the attachment limit. -- Martin Hepworth Oxford, UK From support at systux.nl Thu Dec 18 08:36:36 2008 
From: support at systux.nl (Wim Bakker) Date: Thu Dec 18 08:42:04 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <4949FFF7.7060400@xpear.de> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com><4948E686.6050306@ecs.soton.ac.uk><4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> <494987D5.803@coders.co.uk> <4949FFF7.7060400@xpear.de> Message-ID: <494A0B94.4080302@systux.nl> traced wrote: > Alex Neuman van der Hans schrieb: >> I believe it has to do with something called Vietsev Enema. ;-) >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! > > Have i missed something in the last days? ;) You expect an answer really ? From traced at xpear.de Thu Dec 18 09:50:37 2008 
From: traced at xpear.de (traced@xpear.de) Date: Thu Dec 18 09:50:49 2008 Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST In-Reply-To: <494A0B94.4080302@systux.nl> References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com><4948E686.6050306@ecs.soton.ac.uk><4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> <494987D5.803@coders.co.uk> <4949FFF7.7060400@xpear.de> <494A0B94.4080302@systux.nl> Message-ID: <0d864903e445c9a96204bb9355f73454@localhost> On Thu, 18 Dec 2008 09:36:36 +0100, Wim Bakker wrote: > traced wrote: >> Alex Neuman van der Hans schrieb: >>> I believe it has to do with something called Vietsev Enema. ;-) >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >> >> Have i missed something in the last days? ;) > You expect an answer really ? > No, did not even expect your answer. :) From gesbbb at yahoo.com Thu Dec 18 11:23:06 2008 
From: gesbbb at yahoo.com (Jerry) Date: Thu Dec 18 11:23:18 2008 Subject: Sanesecurity signatures are no longer being updated or distributed In-Reply-To: <49494092.2080603@xpear.de> References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com> <4948C876.1080005@gmail.com> <621646.31247.qm@web32102.mail.mud.yahoo.com> <49494092.2080603@xpear.de> Message-ID: <20081218062306.4e906ae7@scorpio> On Wed, 17 Dec 2008 19:10:27 +0100 traced wrote: [snip] >>> Blocking IPs is common operating procedure, usually well documented >>> (see for instance : >>> >>> http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml >>> >>> which is very close to SaneSecurity and have a "DO NOT DOWNLOAD THIS >>> FILE MORE THAN ONCE A DAY. ANY ABUSE = BANNED IP ADDRESS." policy. >> >> Except, it is not enforced. I know, because I personally tried it. >> They may have a limit; however, it exceeds "Once per Day". >> >Downloading more than once a day per server? I think thats not very >usefull, and only costs bandwidth. You are missing the point entirely. They (securiteinfo) are advertising something that they are not actively enforcing. As such, it is useless. I tried contacting them personally regarding this matter a few months ago. I never received a reply. Since I felt it was not of any real importance to myself, I declined to pursue the matter any further. Perhaps you might want to take it up with them personally. -- Jerry gesbbb@yahoo.com The little pieces of my life I give to you, with love, to make a quilt to keep away the cold. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081218/720e4973/signature.bin From R.Sterenborg at netsourcing.nl Thu Dec 18 11:56:57 2008 
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Thu Dec 18 11:57:03 2008
Subject: Betr.: Re: NOBODY EVER ANSWERS QUESTIONS TO THIS LIST
In-Reply-To: <0d864903e445c9a96204bb9355f73454@localhost>
References: <1B74CA8F7AB18445B7355100411C4E1957F20C6839@edenusa.ehads.edenhosting.net><1B74CA8F7AB18445B7355100411C4E1957F20C68A6@edenusa.ehads.edenhosting.net><625385e30812170022w27185d92g18acd71084f08df9@mail.gmail.com><4948E686.6050306@ecs.soton.ac.uk><4948FB8E.BDBC.008E.3@Dantumadeel.nl> <223f97700812170534h365c14fdo7d9abef3cff18d99@mail.gmail.com> <494987D5.803@coders.co.uk> <4949FFF7.7060400@xpear.de> <494A0B94.4080302@systux.nl> <0d864903e445c9a96204bb9355f73454@localhost>
Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2405D957B1@WISENT.dcyb.net>

>>> Have i missed something in the last days? ;) You expect an answer
>>> really ?
>>
>
> No, did not even expect your answer. :)

Indeed, because nobody ever answers anything on this list.. ;^)
Nice troll however, looking at the fuzz it created. But then I guess it's funny in its own way.

From mkercher at nfsmith.com Thu Dec 18 12:12:22 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Dec 18 12:12:34 2008
Subject: Error in maillog
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FF51249@HOUPEX01.nfsmith.info>

I started seeing the following error in my maillog this morning. Anyone have an idea what database is having a problem?

Dec 18 06:09:36 HOUPMS01 MailScanner[4071]: New Batch: Scanning 1 messages, 55878 bytes
Dec 18 06:09:36 HOUPMS01 MailScanner[4071]: Spam Checks: Starting
Dec 18 06:09:38 HOUPMS01 MailScanner[4071]: Virus and Content Scanning: Starting
Dec 18 06:09:38 HOUPMS01 MailScanner[4071]: database disk image is malformed(11) at dbdimp.c line 403
Dec 18 06:09:38 HOUPMS01 MailScanner[4071]: Uninfected: Delivered 1 messages
Dec 18 06:09:38 HOUPMS01 MailScanner[4071]: Logging message mBIC9Ocf008530 to SQL

From maillists at conactive.com Thu Dec 18 12:31:33 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Dec 18 12:31:50 2008
Subject: Error in maillog
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36FF51249@HOUPEX01.nfsmith.info>
References: <224FA7E11EA39E45843E11CEBBD3A36FF51249@HOUPEX01.nfsmith.info>
Message-ID:

Mike Kercher wrote on Thu, 18 Dec 2008 06:12:22 -0600:

> Dec 18 06:09:38 HOUPMS01 MailScanner[4071]: database disk image is
> malformed(11) at dbdimp.c line 403

The MS spamassassin results cache probably.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From spamlists at coders.co.uk Thu Dec 18 12:43:59 2008
From: spamlists at coders.co.uk (Matt)
Date: Thu Dec 18 12:44:55 2008
Subject: Error in maillog
In-Reply-To:
References: <224FA7E11EA39E45843E11CEBBD3A36FF51249@HOUPEX01.nfsmith.info>
Message-ID: <494A458F.9050107@coders.co.uk>

Kai Schaetzl wrote:
> Mike Kercher wrote on Thu, 18 Dec 2008 06:12:22 -0600:
>
>
>> Dec 18 06:09:38 HOUPMS01 MailScanner[4071]: database disk image is
>> malformed(11) at dbdimp.c line 403
>>
>
> The MS spamassassin results cache probably.
>
> Kai
>
>
Stop mailscanner
Delete the file as defined in "SpamAssassin Cache Database File" in your MailScanner.conf (on my system it is /var/spool/MailScanner/incoming/SpamAssassin.cache.db)
restart MailScanner

matt

From ka at pacific.net Thu Dec 18 14:51:35 2008
From: ka at pacific.net (Ken A)
Date: Thu Dec 18 14:51:38 2008
Subject: O.T. anyone tried scam-backscatter milter?
Message-ID: <494A6377.30004@pacific.net>

Has anyone had any experience with this milter - http://www.elandsys.com/scam/scam-backscatter/ ?

It's poorly named imho, since it's a call ahead milter, similar to smf-sav, and milter-ahead, and doesn't do anything to stop backscatter to legit addresses.

Ken

--
Ken Anderson
http://www.pacific.net/

From MailScanner at ecs.soton.ac.uk Thu Dec 18 15:05:42 2008
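An added example, not part of the thread and not MailScanner's own code: "database disk image is malformed" with code 11 is SQLite's SQLITE_CORRUPT error, so a suspected cache file from the "Error in maillog" thread above can be checked read-only before it is deleted. It assumes the cache is an SQLite file; the function names and the two sample databases are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def check_sqlite_file(path):
    """Run a read-only PRAGMA integrity_check; return (ok, details)."""
    # mode=ro: the check must never modify the suspect file.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        con = sqlite3.connect(uri, uri=True)
        try:
            rows = [row[0] for row in con.execute("PRAGMA integrity_check")]
        finally:
            con.close()
    except sqlite3.DatabaseError as exc:
        # Severe damage surfaces as an exception rather than a result row.
        return False, [str(exc)]
    return rows == ["ok"], rows


def build_sample_cache(path, rows=200):
    """Create a small constructed database standing in for a results cache."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cache (md5 TEXT PRIMARY KEY, result TEXT)")
    con.executemany(
        "INSERT INTO cache VALUES (?, ?)",
        ((f"{i:032x}", "score=0.0") for i in range(rows)),
    )
    con.commit()
    page_size = con.execute("PRAGMA page_size").fetchone()[0]
    con.close()
    return page_size


def damage_page(path, page_size, page_no=2):
    """Overwrite one database page with 0xFF to simulate on-disk corruption."""
    with open(path, "r+b") as fh:
        fh.seek((page_no - 1) * page_size)
        fh.write(b"\xff" * page_size)


def demo():
    """Check one healthy and one deliberately damaged sample file."""
    workdir = tempfile.mkdtemp(prefix="sa-cache-demo-")
    good = os.path.join(workdir, "good.cache.db")
    bad = os.path.join(workdir, "bad.cache.db")
    build_sample_cache(good)
    page_size = build_sample_cache(bad)
    damage_page(bad, page_size)
    return check_sqlite_file(good), check_sqlite_file(bad)


if __name__ == "__main__":
    for label, (ok, details) in zip(("good", "bad"), demo()):
        print(label, "OK" if ok else "CORRUPT", details[:2])
```

Run the check with MailScanner stopped, so the file is not being written while it is read.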
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 18 15:06:16 2008 Subject: Buy Mailscanner Book in Germany? In-Reply-To: <4949FF70.8060202@xpear.de> References: <4946B791.1070201@xpear.de> <4946BE99.9060302@ecs.soton.ac.uk> <6a25bd893bd8c3f9f49d1b50262e7adb@localhost> <4949FF70.8060202@xpear.de> Message-ID: <494A66C6.8080208@ecs.soton.ac.uk> On 18/12/08 07:44, traced wrote: > Scott Silva schrieb: >>> Never thought it could be so hard just to buy a book? My main >>> problem is >>> that I dont have a credit card, and I will not change that just for >>> a book >>> ;) >>> >>> Bastian >> Maybe you can find a local bookshop that will buy it online for you >> if you pay >> in advance their costs. >> >> Although it is getting harder to find a local bookshop that isn't a big >> corporation anymore. >> >> Or maybe a credit card based gift card, if they have them in your >> country. >> You buy them at a face value plus a handling fee. When empty you toss >> them. >> >> >> > Hi Scott, > > thanks for reply, I found someone in my family with card. Now there > should be no problem :) Is cafepress.com reliable with shipping in > other countries? If you're in Europe, click on the link on www.mailscanner.info that mentions "purchase from the EU". Then you don't pay trans-Atlantic shipping charges! Much cheaper for you :) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From sandrews at andrewscompanies.com Thu Dec 18 15:06:37 2008 
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Dec 18 15:06:48 2008
Subject: Rule for blocking own domain spam?
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B06AF9C@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B06AF9C@addc01.assuredata.local>
Message-ID: <1964AAFBC212F742958F9275BF63DBB0A72742@winchester.andrewscompanies.com>

Assuming your ms box only handles inbound you could do an sa rule of something like:

header bad_inbound From =~/domain\.com/i
score bad_inbound 20

this is where domain.com is your domain. Do yourself a favor and set the score to be something like 0.1 to test the rule out first; don't make it zero or it won't even trigger.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Max Kipness
Sent: Wednesday, December 17, 2008 5:02 PM
To: MailScanner discussion
Subject: Rule for blocking own domain spam?

Hi All,

I've been trying to figure out the best method for blocking spam that appears to be sent from my own domain. Is this best done through a MailScanner rule, and if so, how? Or can it be done in Sendmail?

We've been getting tons lately.

Thanks,
Max
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From Kit at simplysites.co.uk Thu Dec 18 15:33:37 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Thu Dec 18 15:33:54 2008
Subject: Rule for blocking own domain spam?
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72742@winchester.andrewscompanies.com>
References: <11375BD8FE838A409E10DB32B9BFFE9B06AF9C@addc01.assuredata.local> <1964AAFBC212F742958F9275BF63DBB0A72742@winchester.andrewscompanies.com>
Message-ID:

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews
Sent: 18 December 2008 15:07
To: MailScanner discussion
Subject: RE: Rule for blocking own domain spam?

Assuming your ms box only handles inbound you could do an sa rule of something like:

header bad_inbound From =~/domain\.com/i
score bad_inbound 20

this is where domain.com is your domain. Do yourself a favor and set the score to be something like 0.1 to test the rule out first; don't make it zero or it won't even trigger.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Max Kipness
Sent: Wednesday, December 17, 2008 5:02 PM
To: MailScanner discussion
Subject: Rule for blocking own domain spam?

Hi All,

I've been trying to figure out the best method for blocking spam that appears to be sent from my own domain. Is this best done through a MailScanner rule, and if so, how? Or can it be done in Sendmail?

We've been getting tons lately.

Thanks,
Max
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
Scanned by MailScanner.

------------------------------------------------------------------------------

We are getting lots of junk with to email being the same as from email (which is what you are getting I guess). MailScanner has caught every single one of them and with very high scores as well.

Here is a typical one and its score.

score=35.056 4 required autolearn=spam
3.50 BAYES_99 Bayesian spam probability is 99 to 100%
2.04 HTML_IMAGE_ONLY_04 HTML: images with 0-400 bytes of words
0.00 HTML_MESSAGE HTML included in message
0.00 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
2.00 KAM_RBL Higher scores for hitting multiple trusted RBLs
1.46 MIME_HTML_ONLY Message only has text/html MIME parts
3.70 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
3.00 RCVD_IN_JMF_BL Sender listed in JMF-BLACK
0.91 RCVD_IN_PBL Received via a relay in Spamhaus PBL
0.88 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
3.03 RCVD_IN_XBL Received via a relay in Spamhaus XBL
1.67 SARE_HTML_IMG_ONLY
0.84 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
2.22 TVD_SPACE_RATIO
1.86 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
1.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist
1.50 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
1.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
1.50 URIBL_SBL Contains an URL listed in the SBL blocklist
1.50 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist

From c.granisso at dnshosting.it Thu Dec 18 15:38:55 2008
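An added example, not part of the thread and not SpamAssassin code: it applies the pattern from the `bad_inbound` rule quoted above to a few constructed From headers and separates genuine own-domain addresses from display-name mentions and plain substring hits. The sample headers and function names are constructed, `domain.com` is the placeholder from the post, and Python's `re` and `email.utils.parseaddr` stand in for SpamAssassin's Perl matching.

```python
import re
from email.utils import parseaddr

OWN_DOMAIN = "domain.com"  # placeholder used in the posted rule

# Constructed sample From header values (not taken from real mail).
SAMPLE_HEADERS = [
    '"Alice" <alice@domain.com>',             # address really is in own domain
    'bob@mydomain.com',                       # unrelated domain, same suffix
    'dave@domain.com.example.org',            # own domain as a leading label
    '"sales@domain.com" <carol@example.net>', # own domain only in display name
    'erin@example.org',                       # no relation at all
]


def posted_rule_hits(from_header, own=OWN_DOMAIN):
    """Equivalent of the posted test: From =~ /domain\\.com/i (unanchored)."""
    return re.search(re.escape(own), from_header, re.I) is not None


def classify(from_header, own=OWN_DOMAIN):
    """Say why a From header would hit the unanchored pattern, if it does."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == own.lower():
        return "own-domain-address"          # what the rule is meant to catch
    if own.lower() in name.lower():
        return "own-domain-in-display-name"  # address is foreign, name is not
    if posted_rule_hits(from_header, own):
        return "substring-only"              # unrelated sender, pattern hits
    return "no-match"


def report(headers=SAMPLE_HEADERS):
    """Return (header, hit by posted pattern, classification) per header."""
    return [(h, posted_rule_hits(h), classify(h)) for h in headers]


if __name__ == "__main__":
    for header, hit, kind in report():
        print(f"{'HIT ' if hit else 'miss'}  {kind:28}  {header}")
```

With a score of 20, every "substring-only" sender would be treated as spam, which is what the low test score suggested in the post would reveal. SpamAssassin's `From:addr` header modifier limits a header rule to the address part when only the first class should match.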
From: c.granisso at dnshosting.it (Carlo Granisso) Date: Thu Dec 18 15:39:06 2008 Subject: PROBLEM Message-ID: <200812181539.mBIFcwKL016383@safir.blacknight.ie> Hello everybody. I've a combination of postfix and mailscanner to filter my mails. From Friday I've problem with bounce mail. In postfix queue I've lots of messages of "MAILER-DAEMON". Mail queue reached about 2000 of bounce messages. So in postfix I've put: bounce_queue_lifetime = 10s maximal_queue_lifetime = 120s Queue is working better but in mail.log I've lots of lines with: Dec 18 16:37:10 filtro1 postfix/smtpd[17725]: lost connection after DATA (0 bytes) from XXXXXX or Dec 18 16:32:13 filtro1 postfix/smtpd[17357]: lost connection after CONNECT from Have you got ideas? Thanks, Carlo -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081218/e037c590/attachment.html From gibbard at chem.fsu.edu Thu Dec 18 16:14:45 2008
From: gibbard at chem.fsu.edu (Hiram Gibbard) Date: Thu Dec 18 16:15:10 2008 Subject: Mailscanner.rc start up script file location Message-ID: <494A76F5.9000506@chem.fsu.edu> Where is: 6. Download /opt/MailScanner/bin/rc.MailScanner Fetch the file from http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/freebsd/rc.MailScanner chmod a=rx /opt/MailScanner/bin/rc.MailScanner This information was Obtained from the FREEBSD.INSTALL file in /opt/Mailscanner after downloading and installing it from the mailscanner.info website. Can't run mailscanner unless I have this script or run the check_mailscanner script in the bin/ directory. But that doesn't seem right. Thanks -- -------------------------------------------- Hiram Gibbard Florida State University Computer Support Department of Chemistry Phone: 850.644.3004 Fax: 850.644.8281 URL: http://www.chem.fsu.edu/~gibbard -------------------------------------------- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From list-mailscanner at linguaphone.com Thu Dec 18 15:47:47 2008 
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Dec 18 16:21:22 2008 Subject: PROBLEM In-Reply-To: <200812181539.mBIFcwKL016383@safir.blacknight.ie> References: <200812181539.mBIFcwKL016383@safir.blacknight.ie> Message-ID: <1229615266.10481.10.camel@gblades-suse.linguaphone-intranet.co.uk> Can you give a bit more information about your setup? Do you have mailscanner sitting in front of your mail server? Are you using recipient verification so you reject mail to unknown users? If not then you will end up accepting the mail and then try to send out non delivery messages which could result in the problem you are seeing. On Thu, 2008-12-18 at 15:38, Carlo Granisso wrote: > Hello everybody. > I've a combination of postfix and mailscanner to filter my mails. > From friday I've problem with bounce mail. > In postfix queue I've lots of messages of "MAILER-DAEMON". > Mail queue reached about 2000 of bounce messages. > > So in postfix I've put: > > bounce_queue_lifetime = 10s > maximal_queue_lifetime = 120s > > > Queue is working better but in mail.log I've lots o lines with: > > Dec 18 16:37:10 filtro1 postfix/smtpd[17725]: lost connection after > DATA (0 bytes) from XXXXXX > > or > > Dec 18 16:32:13 filtro1 postfix/smtpd[17357]: lost connection after > CONNECT from > > > Have you got ideas? > > Thanks, > > > > Carlo > > ______________________________________________________________________ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From shupej at hermetek.com Thu Dec 18 16:50:22 2008
From: shupej at hermetek.com (James Shupe) Date: Thu Dec 18 16:50:26 2008 Subject: PROBLEM In-Reply-To: <200812181539.mBIFcwKL016383@safir.blacknight.ie> References: <200812181539.mBIFcwKL016383@safir.blacknight.ie> Message-ID: <1229619022.7721.38.camel@isus2> On Thu, 2008-12-18 at 16:38 +0100, Carlo Granisso wrote: > Hello everybody. > I've a combination of postfix and mailscanner to filter my mails. > From friday I've problem with bounce mail. > In postfix queue I've lots of messages of "MAILER-DAEMON". > Mail queue reached about 2000 of bounce messages. > > So in postfix I've put: > > bounce_queue_lifetime = 10s > maximal_queue_lifetime = 120s > > > Queue is working better but in mail.log I've lots o lines with: > > Dec 18 16:37:10 filtro1 postfix/smtpd[17725]: lost connection after > DATA (0 bytes) from XXXXXX > > or > > Dec 18 16:32:13 filtro1 postfix/smtpd[17357]: lost connection after > CONNECT from > > > Have you got ideas? > > Thanks, > > > > Carlo This isn't an answer to your question, but rather a thought about your post. These mailing lists are archived for later searching and non-descriptive subjects such as "PROBLEM" or "HELP PLZ" (we've all seen these) dampen that process. Also, many people on these lists selectively read through these posts based on the subject lines. Using a specific subject line in your post will both waste less time and increase the likelihood of somebody being able to assist you. As for your problem, sender verification is probably a large part of your problem. If you're going to set bounce_queue_lifetime so short, just set it to 0. That way it will only be tried once. I wouldn't set maximal_queue_lifetime so short, as it will eventually come back to bite you when somebody's server is down for a short period of time, and it probably breaks communications with servers that employ greylisting. 
-- James Maurice Shupe | HermeTek Network Solutions shupej@hermetek.com | *NIX Consulting and Hosting GPG signed mail preferred | http://www.hermetek.com Plain text mail preferred | 1.866.325.6207 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081218/feb1d09f/attachment.bin From shupej at hermetek.com Thu Dec 18 16:58:22 2008 
From: shupej at hermetek.com (James Shupe) Date: Thu Dec 18 16:58:42 2008 Subject: PROBLEM In-Reply-To: <1229619022.7721.38.camel@isus2> References: <200812181539.mBIFcwKL016383@safir.blacknight.ie> <1229619022.7721.38.camel@isus2> Message-ID: <1229619502.7721.39.camel@isus2> Correction to my previous post: recipient verification, not sender verification. On Thu, 2008-12-18 at 10:50 -0600, James Shupe wrote: > On Thu, 2008-12-18 at 16:38 +0100, Carlo Granisso wrote: > > Hello everybody. > > I've a combination of postfix and mailscanner to filter my mails. > > From friday I've problem with bounce mail. > > In postfix queue I've lots of messages of "MAILER-DAEMON". > > Mail queue reached about 2000 of bounce messages. > > > > So in postfix I've put: > > > > bounce_queue_lifetime = 10s > > maximal_queue_lifetime = 120s > > > > > > Queue is working better but in mail.log I've lots o lines with: > > > > Dec 18 16:37:10 filtro1 postfix/smtpd[17725]: lost connection after > > DATA (0 bytes) from XXXXXX > > > > or > > > > Dec 18 16:32:13 filtro1 postfix/smtpd[17357]: lost connection after > > CONNECT from > > > > > > Have you got ideas? > > > > Thanks, > > > > > > > > Carlo > > This isn't an answer to your question, but rather a thought about your > post. These mailing lists are archived for later searching and > non-descriptive subjects such as "PROBLEM" or "HELP PLZ" (we've all seen > these) dampen that process. Also, many people on these lists selectively > read through these posts based on the subject lines. Using a specific > subject line in your post will both waste less time and increase the > likelihood of somebody being able to assist you. > > As for your problem, sender verification is probably a large part of > your problem. If you're going to set bounce_queue_lifetime so short, > just set it to 0. That way it will only be tried once. 
I wouldn't set > maximal_queue_lifetime so short, as it will eventually come back to bite > you when somebody's server is down for a short period of time, and it > probably breaks communications with servers that employ greylisting. > -- James Maurice Shupe | HermeTek Network Solutions shupej@hermetek.com | *NIX Consulting and Hosting GPG signed mail preferred | http://www.hermetek.com Plain text mail preferred | 1.866.325.6207 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081218/c6416e7b/attachment.bin From ssilva at sgvwater.com Thu Dec 18 17:04:54 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Dec 18 17:05:14 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <494A76F5.9000506@chem.fsu.edu> References: <494A76F5.9000506@chem.fsu.edu> Message-ID: on 12-18-2008 8:14 AM Hiram Gibbard spake the following: > Where is: > 6. Download /opt/MailScanner/bin/rc.MailScanner > > Fetch the file from > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/freebsd/rc.MailScanner > chmod a=rx /opt/MailScanner/bin/rc.MailScanner > > This information was Obtained from the FREEBSD.INSTALL file in > /opt/Mailscanner after downloading and installing it from the > mailscanner.info website. > > Can't run mailscanner unless I have this script or run the > check_mailscanner script in the bin/ directory. But that doesn't seem > right. > > Thanks Try following these instructions instead; http://www.mailscanner.info/FreeBSD.html -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081218/85df64da/signature.bin From c.granisso at dnshosting.it Thu Dec 18 17:15:54 2008
From: c.granisso at dnshosting.it (Carlo Granisso) Date: Thu Dec 18 17:16:06 2008 Subject: MAIL QUEUE TOO LONG AND HIGH LOAD In-Reply-To: <1229619022.7721.38.camel@isus2> Message-ID: <200812181716.mBIHFuFO019266@safir.blacknight.ie> Ok, sorry. I've modified subject. We have no greylisting activated. So, you think that sender verification could be the problem. There's some way that can help me to improve sender verification? Thanks, Carlo -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James Shupe Sent: Thursday 18 December 2008 17.50 To: MailScanner discussion Subject: Re: PROBLEM On Thu, 2008-12-18 at 16:38 +0100, Carlo Granisso wrote: > Hello everybody. > I've a combination of postfix and mailscanner to filter my mails. > From friday I've problem with bounce mail. > In postfix queue I've lots of messages of "MAILER-DAEMON". > Mail queue reached about 2000 of bounce messages. > > So in postfix I've put: > > bounce_queue_lifetime = 10s > maximal_queue_lifetime = 120s > > > Queue is working better but in mail.log I've lots o lines with: > > Dec 18 16:37:10 filtro1 postfix/smtpd[17725]: lost connection after > DATA (0 bytes) from XXXXXX > > or > > Dec 18 16:32:13 filtro1 postfix/smtpd[17357]: lost connection after > CONNECT from > > > Have you got ideas? > > Thanks, > > > > Carlo This isn't an answer to your question, but rather a thought about your post. These mailing lists are archived for later searching and non-descriptive subjects such as "PROBLEM" or "HELP PLZ" (we've all seen these) dampen that process. Also, many people on these lists selectively read through these posts based on the subject lines. Using a specific subject line in your post will both waste less time and increase the likelihood of somebody being able to assist you. As for your problem, sender verification is probably a large part of your problem.
If you're going to set bounce_queue_lifetime so short, just set it to 0. That way it will only be tried once. I wouldn't set maximal_queue_lifetime so short, as it will eventually come back to bite you when somebody's server is down for a short period of time, and it probably breaks communications with servers that employ greylisting. -- James Maurice Shupe | HermeTek Network Solutions shupej@hermetek.com | *NIX Consulting and Hosting GPG signed mail preferred | http://www.hermetek.com Plain text mail preferred | 1.866.325.6207 No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.176 / Virus Database: 270.9.19/1854 - Release Date: 17/12/2008 19.21 From shupej at hermetek.com Thu Dec 18 17:22:36 2008 
From: shupej at hermetek.com (James Shupe) Date: Thu Dec 18 17:22:39 2008 Subject: MAIL QUEUE TOO LONG AND HIGH LOAD In-Reply-To: <200812181716.mBIHFuFO019266@safir.blacknight.ie> References: <200812181716.mBIHFuFO019266@safir.blacknight.ie> Message-ID: <1229620956.7721.42.camel@isus2> Explain your setup... Is the mail delivered on the same box that MailScanner is on? Is MailScanner serving just as a mail gateway? IIRC, it will affect delivery retries on outbound mail too, so even if you don't have greylisting enabled it will cause issues with somebody who does. ie: You have an outbound message, sent to mail.example.tld. mail.example.tld rejects the message, due to greylist. It greylists the IP for 10 minutes. Your queue expires after 2 minutes, and never gets resubmitted. On Thu, 2008-12-18 at 18:15 +0100, Carlo Granisso wrote: > Ok, sorry. > I've modified subject. > > We have no greylisting activated. > So, you think that sender verification could be the problem. > There's some way that can help me to improve sender verification? > > > Thanks, > > > Carlo > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James Shupe > Sent: Thursday 18 December 2008 17.50 > To: MailScanner discussion > Subject: Re: PROBLEM > > On Thu, 2008-12-18 at 16:38 +0100, Carlo Granisso wrote: > > Hello everybody. > > I've a combination of postfix and mailscanner to filter my mails. > > From friday I've problem with bounce mail. > > In postfix queue I've lots of messages of "MAILER-DAEMON". > > Mail queue reached about 2000 of bounce messages.
> > > > So in postfix I've put: > > > > bounce_queue_lifetime = 10s > > maximal_queue_lifetime = 120s > > > > > > Queue is working better but in mail.log I've lots o lines with: > > > > Dec 18 16:37:10 filtro1 postfix/smtpd[17725]: lost connection after > > DATA (0 bytes) from XXXXXX > > > > or > > > > Dec 18 16:32:13 filtro1 postfix/smtpd[17357]: lost connection after > > CONNECT from > > > > > > Have you got ideas? > > > > Thanks, > > > > > > > > Carlo > > This isn't an answer to your question, but rather a thought about your post. > These mailing lists are archived for later searching and non-descriptive > subjects such as "PROBLEM" or "HELP PLZ" (we've all seen > these) dampen that process. Also, many people on these lists selectively > read through these posts based on the subject lines. Using a specific > subject line in your post will both waste less time and increase the > likelihood of somebody being able to assist you. > > As for your problem, sender verification is probably a large part of your > problem. If you're going to set bounce_queue_lifetime so short, just set it > to 0. That way it will only be tried once. I wouldn't set > maximal_queue_lifetime so short, as it will eventually come back to bite you > when somebody's server is down for a short period of time, and it probably > breaks communications with servers that employ greylisting. > > -- > James Maurice Shupe | HermeTek Network Solutions > shupej@hermetek.com | *NIX Consulting and Hosting > GPG signed mail preferred | http://www.hermetek.com Plain text mail > preferred | 1.866.325.6207 > > No virus found in this incoming message. 
> Checked by AVG - http://www.avg.com > Version: 8.0.176 / Virus Database: 270.9.19/1854 - Release Date: 17/12/2008 > 19.21 > -- Please read: https://www.hermetek.com/merger.shtml James Maurice Shupe | HermeTek Network Solutions shupej@hermetek.com | *NIX Consulting and Hosting GPG signed mail preferred | http://www.hermetek.com Plain text mail preferred | 1.866.325.6207 Key fingerprint: D484 EACC 9D0F A2A5 5277 C4A8 5704 1987 A938 DF3A ------------------------------------------------------------------------ This Email is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and is legally privileged. The information contained in this Email is intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by telephone 1.866.325.6207 and destroy the original message. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081218/a1fac9ce/attachment.bin From ssilva at sgvwater.com Thu Dec 18 17:24:40 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Dec 18 17:24:56 2008 Subject: PROBLEM In-Reply-To: <1229619022.7721.38.camel@isus2> References: <200812181539.mBIFcwKL016383@safir.blacknight.ie> <1229619022.7721.38.camel@isus2> Message-ID: on 12-18-2008 8:50 AM James Shupe spake the following: > On Thu, 2008-12-18 at 16:38 +0100, Carlo Granisso wrote: >> Hello everybody. >> I've a combination of postfix and mailscanner to filter my mails. >> From friday I've problem with bounce mail. >> In postfix queue I've lots of messages of "MAILER-DAEMON". >> Mail queue reached about 2000 of bounce messages. >> >> So in postfix I've put: >> >> bounce_queue_lifetime = 10s >> maximal_queue_lifetime = 120s >> >> >> Queue is working better but in mail.log I've lots o lines with: >> >> Dec 18 16:37:10 filtro1 postfix/smtpd[17725]: lost connection after >> DATA (0 bytes) from XXXXXX >> >> or >> >> Dec 18 16:32:13 filtro1 postfix/smtpd[17357]: lost connection after >> CONNECT from >> >> >> Have you got ideas? >> >> Thanks, >> >> >> >> Carlo > > This isn't an answer to your question, but rather a thought about your > post. These mailing lists are archived for later searching and > non-descriptive subjects such as "PROBLEM" or "HELP PLZ" (we've all seen > these) dampen that process. Also, many people on these lists selectively > read through these posts based on the subject lines. Using a specific > subject line in your post will both waste less time and increase the > likelihood of somebody being able to assist you. > > As for your problem, sender verification is probably a large part of > your problem. If you're going to set bounce_queue_lifetime so short, > just set it to 0. That way it will only be tried once. I wouldn't set > maximal_queue_lifetime so short, as it will eventually come back to bite > you when somebody's server is down for a short period of time, and it > probably breaks communications with servers that employ greylisting. 
> > And also, posting anything in ALL CAPS is considered shouting, and is somewhat rude. Most people on this list and others like it are already overworked and underpaid, and help when they have time. Shouting will not get you noticed, it will get you ignored. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081218/fab89aed/signature.bin From maillists at conactive.com Thu Dec 18 18:31:20 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Dec 18 18:31:36 2008 Subject: MAIL QUEUE TOO LONG AND HIGH LOAD In-Reply-To: <200812181716.mBIHFuFO019266@safir.blacknight.ie> References: <200812181716.mBIHFuFO019266@safir.blacknight.ie> Message-ID: Did you consider by now looking at the actual bounces so you know what they are? As has already been said by others first likely cause is that you are a mail gateway that doesn't verify end users and bounces messages to non-existent users because the next hop refuses to take them. If that is really the case: don't do this! Verify recipients and reject right in MTA phase. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Dec 18 18:31:19 2008
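Added example, not part of any list message: one way to follow the advice above to look at the actual bounces, by tracing each bounced delivery in mail.log to the non-delivery notification it spawned. It assumes stock Postfix syslog lines; the host, queue IDs, addresses and IPs in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample in stock Postfix syslog format (all values made up).
SAMPLE_LOG = """\
Dec 18 16:29:58 filtro1 postfix/smtpd[17000]: lost connection after CONNECT from unknown[192.0.2.99]
Dec 18 16:30:01 filtro1 postfix/smtpd[17001]: 3F2A11C0D2: client=unknown[192.0.2.10]
Dec 18 16:30:01 filtro1 postfix/qmgr[1010]: 3F2A11C0D2: from=<forged@victim.example>, size=2210, nrcpt=1 (queue active)
Dec 18 16:30:02 filtro1 postfix/smtp[17010]: 3F2A11C0D2: to=<nosuchuser@customer.example>, relay=10.0.0.5[10.0.0.5]:25, delay=0.9, delays=0.3/0/0.2/0.4, dsn=5.1.1, status=bounced (host 10.0.0.5[10.0.0.5] said: 550 5.1.1 <nosuchuser@customer.example>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Dec 18 16:30:02 filtro1 postfix/bounce[17011]: 3F2A11C0D2: sender non-delivery notification: 7B9C21C0D5
Dec 18 16:30:02 filtro1 postfix/qmgr[1010]: 7B9C21C0D5: from=<>, size=4102, nrcpt=1 (queue active)
Dec 18 16:30:32 filtro1 postfix/smtp[17012]: 7B9C21C0D5: to=<forged@victim.example>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to mx.victim.example[198.51.100.7]:25: Connection timed out)
Dec 18 16:31:05 filtro1 postfix/qmgr[1010]: A41D01C0D8: from=<another@bystander.example>, size=1980, nrcpt=1 (queue active)
Dec 18 16:31:06 filtro1 postfix/smtp[17020]: A41D01C0D8: to=<sales123@customer.example>, relay=10.0.0.5[10.0.0.5]:25, delay=0.8, delays=0.2/0/0.2/0.4, dsn=5.1.1, status=bounced (host 10.0.0.5[10.0.0.5] said: 550 5.1.1 <sales123@customer.example>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Dec 18 16:31:06 filtro1 postfix/bounce[17021]: A41D01C0D8: sender non-delivery notification: B52E11C0DA
Dec 18 16:31:06 filtro1 postfix/qmgr[1010]: B52E11C0DA: from=<>, size=3870, nrcpt=1 (queue active)
Dec 18 16:31:36 filtro1 postfix/smtp[17022]: B52E11C0DA: to=<another@bystander.example>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to mx.bystander.example[198.51.100.9]:25: Connection timed out)
Dec 18 16:32:10 filtro1 postfix/qmgr[1010]: C63F21C0DC: from=<alice@partner.example>, size=90210, nrcpt=1 (queue active)
Dec 18 16:32:12 filtro1 postfix/smtp[17030]: C63F21C0DC: to=<bob@customer.example>, relay=10.0.0.5[10.0.0.5]:25, delay=2.1, delays=0.2/0/0.2/1.7, dsn=5.2.2, status=bounced (host 10.0.0.5[10.0.0.5] said: 552 5.2.2 Mailbox full (in reply to end of DATA command))
Dec 18 16:32:12 filtro1 postfix/bounce[17031]: C63F21C0DC: sender non-delivery notification: D74A31C0DE
Dec 18 16:32:12 filtro1 postfix/qmgr[1010]: D74A31C0DE: from=<>, size=4500, nrcpt=1 (queue active)
Dec 18 16:32:13 filtro1 postfix/smtp[17032]: D74A31C0DE: to=<alice@partner.example>, relay=mx.partner.example[203.0.113.20]:25, delay=0.7, delays=0/0/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 11AA22BB33)
Dec 18 16:33:00 filtro1 postfix/qmgr[1010]: E85B41C0E0: from=<carol@partner.example>, size=3100, nrcpt=1 (queue active)
Dec 18 16:33:01 filtro1 postfix/smtp[17040]: E85B41C0E0: to=<dave@customer.example>, relay=10.0.0.5[10.0.0.5]:25, delay=0.6, delays=0.2/0/0.1/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 44CC55DD66)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
SENDER = re.compile(r"from=<([^>]*)>")
NOTIFY = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")
DELIVERY = re.compile(r"to=<([^>]*)>.*?dsn=([\d.]+), status=(\w+) \((.*)\)$")


def parse(log):
    """Return (senders, deliveries, notifications), keyed by Postfix queue ID."""
    senders, deliveries, notifications = {}, [], {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a queue ID, e.g. "lost connection after ..."
        daemon, qid, rest = m.groups()
        if daemon == "qmgr":
            s = SENDER.match(rest)
            if s:
                senders[qid] = s.group(1)  # "" is the null sender used by DSNs
        elif daemon == "bounce":
            n = NOTIFY.search(rest)
            if n:
                notifications[qid] = n.group(1)  # original qid -> DSN qid
        elif daemon == "smtp":
            d = DELIVERY.match(rest)
            if d:
                rcpt, dsn, status, detail = d.groups()
                deliveries.append({"qid": qid, "rcpt": rcpt, "dsn": dsn,
                                   "status": status, "detail": detail})
    return senders, deliveries, notifications


def backscatter_report(log):
    """Summarise bounces and what happened to the notifications they created."""
    senders, deliveries, notifications = parse(log)
    last_status = {d["qid"]: d["status"] for d in deliveries}  # latest attempt wins
    report = {"bounced": 0, "rejectable_at_rcpt": 0,
              "dsn_fate": Counter(), "chains": []}
    for d in deliveries:
        if d["status"] != "bounced" or senders.get(d["qid"]) == "":
            continue  # skip non-bounces and bounces of notifications themselves
        report["bounced"] += 1
        # The next hop refused the recipient at RCPT TO: a gateway that checks
        # recipients could have refused this mail during the SMTP dialogue.
        if d["dsn"] == "5.1.1" and "in reply to RCPT TO" in d["detail"]:
            report["rejectable_at_rcpt"] += 1
        fate = last_status.get(notifications.get(d["qid"]), "pending")
        report["dsn_fate"][fate] += 1
        report["chains"].append((d["rcpt"], senders.get(d["qid"]), fate))
    return report


if __name__ == "__main__":
    print(backscatter_report(SAMPLE_LOG))
```

Notifications counted under `deferred` are the null-sender messages that sit in the queue; a high `rejectable_at_rcpt` share is the case the replies above describe.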
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Dec 18 18:31:36 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <494A76F5.9000506@chem.fsu.edu> References: <494A76F5.9000506@chem.fsu.edu> Message-ID: Hiram Gibbard wrote on Thu, 18 Dec 2008 11:14:45 -0500: > This information was Obtained from the FREEBSD.INSTALL file in > /opt/Mailscanner after downloading and installing it from the > mailscanner.info website. It seems you should follow these instructions and use a port: http://mailscanner.info/FreeBSD.html Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From traced at xpear.de Thu Dec 18 19:34:18 2008 From: traced at xpear.de (traced) Date: Thu Dec 18 19:34:33 2008 Subject: Buy Mailscanner Book in Germany? In-Reply-To: <494A66C6.8080208@ecs.soton.ac.uk> References: <4946B791.1070201@xpear.de> <4946BE99.9060302@ecs.soton.ac.uk> <6a25bd893bd8c3f9f49d1b50262e7adb@localhost> <4949FF70.8060202@xpear.de> <494A66C6.8080208@ecs.soton.ac.uk> Message-ID: <494AA5BA.5020904@xpear.de> Julian Field schrieb: > If you're in Europe, click on the link on www.mailscanner.info that > mentions "purchase from the EU". Then you don't pay trans-Atlantic > shipping charges! Much cheaper for you :) > > Jules > Nice tip! Thanks a lot! Bastian From mkercher at nfsmith.com Thu Dec 18 19:40:19 2008 From: mkercher at nfsmith.com (Mike Kercher) Date: Thu Dec 18 19:40:33 2008 Subject: Error in maillog In-Reply-To: <494A458F.9050107@coders.co.uk> References: <224FA7E11EA39E45843E11CEBBD3A36FF51249@HOUPEX01.nfsmith.info> <494A458F.9050107@coders.co.uk> Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F013DE324@HOUPEX01.nfsmith.info> -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Sent: Thursday, December 18, 2008 06:44 To: MailScanner discussion Subject: Re: Error in maillog Kai Schaetzl wrote: > Mike Kercher wrote on Thu, 18 Dec 2008 06:12:22 -0600: > > >> Dec 18 06:09:38 HOUPMS01 MailScanner[4071]: database disk image is >> malformed(11) at dbdimp.c line 403 >> > > The MS spamassassin results cache probably. > > Kai > > Stop mailscanner Delete the file as defined in "SpamAssassin Cache Database File" in your MailScanner.conf (on my system it is /var/spool/MailScanner/incoming/SpamAssassin.cache.db) restart MailScanner matt -- Thanks Matt and Kai. The error is gone now. Mike From maxsec at gmail.com Thu Dec 18 20:07:54 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Dec 18 20:09:09 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: References: <494A76F5.9000506@chem.fsu.edu> Message-ID: <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> 2008/12/18 Kai Schaetzl : > Hiram Gibbard wrote on Thu, 18 Dec 2008 11:14:45 -0500: > >> This information was Obtained from the FREEBSD.INSTALL file in >> /opt/Mailscanner after downloading and installing it from the >> mailscanner.info website. > > It seems you should follow these instructions and use a port: > http://mailscanner.info/FreeBSD.html > > Kai > > -- > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Yeah but the port's really 'old' (relatively) ----- JP hint hint, you don't need Christmas day off ;-) Personally I just take another of the startup scripts and hack it for mailscanner starts. -- Martin Hepworth Oxford, UK From gibbard at chem.fsu.edu Thu Dec 18 21:07:22 2008
From: gibbard at chem.fsu.edu (Hiram Gibbard) Date: Thu Dec 18 21:08:01 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> Message-ID: <494ABB8A.9070201@chem.fsu.edu> Yes. That's the problem. I was originally using the ports (which I prefer), but since I'm using ClamAV, I was told (From someone on this list) to use the latest version of Mailscanner in order to avoid the issues I was previously having. I would hack a current mailscanner script, but I'm not that good at stuff like that. Do I have any other options? Martin Hepworth wrote: > 2008/12/18 Kai Schaetzl : >> Hiram Gibbard wrote on Thu, 18 Dec 2008 11:14:45 -0500: >> >>> This information was Obtained from the FREEBSD.INSTALL file in >>> /opt/Mailscanner after downloading and installing it from the >>> mailscanner.info website. >> It seems you should follow these instructions and use a port: >> http://mailscanner.info/FreeBSD.html >> >> Kai >> >> -- >> Kai Schätzl, Berlin, Germany >> Get your web at Conactive Internet Services: http://www.conactive.com >> >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > Yeah but the port's really 'old' (relatively) ----- JP hint hint, you > don't need Christmas day off ;-) > > Personally I just take another of the startup scripts and hack it for > mailscanner starts.
> -- -------------------------------------------- Hiram Gibbard Florida State University Computer Support Department of Chemistry Phone: 850.644.3004 Fax: 850.644.8281 URL: http://www.chem.fsu.edu/~gibbard -------------------------------------------- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at rtpty.com Thu Dec 18 22:03:08 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Dec 18 22:03:33 2008 Subject: MAIL QUEUE TOO LONG AND HIGH LOAD In-Reply-To: <200812181716.mBIHFuFO019266@safir.blacknight.ie> References: <200812181716.mBIHFuFO019266@safir.blacknight.ie> Message-ID: All caps is often filtered. Looks like spam. On Dec 18, 2008, at 12:15 PM, "Carlo Granisso" wrote: > Ok, sorry. > I've modified subject. > > We have no greylisting activated. > So, you think that sender verification could be the problem. > There's some way that can help me to improve sender verification? > > > Thanks, > > > Carlo > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > James Shupe > Sent: Thursday 18 December 2008 17.50 > To: MailScanner discussion > Subject: Re: PROBLEM > > On Thu, 2008-12-18 at 16:38 +0100, Carlo Granisso wrote: >> Hello everybody. >> I've a combination of postfix and mailscanner to filter my mails. >> From friday I've problem with bounce mail. >> In postfix queue I've lots of messages of "MAILER-DAEMON". >> Mail queue reached about 2000 of bounce messages. >> >> So in postfix I've put: >> >> bounce_queue_lifetime = 10s >> maximal_queue_lifetime = 120s >> >> >> Queue is working better but in mail.log I've lots o lines with: >> >> Dec 18 16:37:10 filtro1 postfix/smtpd[17725]: lost connection after >> DATA (0 bytes) from XXXXXX >> >> or >> >> Dec 18 16:32:13 filtro1 postfix/smtpd[17357]: lost connection after >> CONNECT from >> >> >> Have you got ideas? >> >> Thanks, >> >> >> >> Carlo > > This isn't an answer to your question, but rather a thought about > your post. > These mailing lists are archived for later searching and non- > descriptive > subjects such as "PROBLEM" or "HELP PLZ" (we've all seen > these) dampen that process. Also, many people on these lists > selectively > read through these posts based on the subject lines.
Using a specific > subject line in your post will both waste less time and increase the > likelihood of somebody being able to assist you. > > As for your problem, sender verification is probably a large part of > your > problem. If you're going to set bounce_queue_lifetime so short, just > set it > to 0. That way it will only be tried once. I wouldn't set > maximal_queue_lifetime so short, as it will eventually come back to > bite you > when somebody's server is down for a short period of time, and it > probably > breaks communications with servers that employ greylisting. > > -- > James Maurice Shupe | HermeTek Network Solutions > shupej@hermetek.com | *NIX Consulting and Hosting > GPG signed mail preferred | http://www.hermetek.com Plain text mail > preferred | 1.866.325.6207 > > No virus found in this incoming message. > Checked by AVG - http://www.avg.com > Version: 8.0.176 / Virus Database: 270.9.19/1854 - Release Date: > 17/12/2008 > 19.21 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From maxsec at gmail.com Thu Dec 18 22:05:18 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Dec 18 22:05:36 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <494ABB8A.9070201@chem.fsu.edu> References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu> Message-ID: <72cf361e0812181405l17649672ke4c1f062b66df846@mail.gmail.com> 2008/12/18 Hiram Gibbard : > Yes. That's the problem. I was originally using the ports (which I prefer), > but since I'm using ClamAV, I was told (From someone on this list) to use > the latest version of Mailscanner in order to avoid the issues I was > previously having. I would hack a current mailscanner script, but I'm not > that good at stuff like that. Do I have any other options? > > > > Martin Hepworth wrote: >> >> 2008/12/18 Kai Schaetzl : >>> >>> Hiram Gibbard wrote on Thu, 18 Dec 2008 11:14:45 -0500: >>> >>>> This information was Obtained from the FREEBSD.INSTALL file in >>>> /opt/Mailscanner after downloading and installing it from the >>>> mailscanner.info website. >>> >>> It seems you should follow these instructions and use a port: >>> http://mailscanner.info/FreeBSD.html >>> >>> Kai >>> >>> -- >>> Kai Schätzl, Berlin, Germany >>> Get your web at Conactive Internet Services: http://www.conactive.com >>> >>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >> >> >> Yeah but the port's really 'old' (relatively) ----- JP hint hint, you >> don't need Christmas day off ;-) >> >> Personally I just take another of the startup scripts and hack it for >> mailscanner starts.
>>
>
> --
> --------------------------------------------
> Hiram Gibbard
> Florida State University
> Computer Support
>
> Department of Chemistry
> Phone: 850.644.3004
> Fax: 850.644.8281
> URL: http://www.chem.fsu.edu/~gibbard
> --------------------------------------------
>

If you've got the mailscanner ports rc script then hacking it to point at a new location for the tar/gz ain't hard (just one line I think, change the thing to start to /opt/MailScanner/bin/check_MailScanner from /usr/local/sbin/check_MailScanner I think).

--
Martin Hepworth
Oxford, UK

From drew.marshall at technologytiger.net Thu Dec 18 22:05:33 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Thu Dec 18 22:05:52 2008
Subject: Mailscanner.rc start up script file location
In-Reply-To: <494ABB8A.9070201@chem.fsu.edu>
References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu>
Message-ID: <60457609-9C01-4EC1-ADCF-3D048F452367@technologytiger.net>

On 18 Dec 2008, at 21:07, Hiram Gibbard wrote:

> Yes. That's the problem. I was originally using the ports (which I
> prefer), but since I'm using ClamAV, I was told (from someone on
> this list) to use the latest version of Mailscanner in order to
> avoid the issues I was previously having. I would hack a current
> mailscanner script, but I'm not that good at stuff like that. Do I
> have any other options?
>

Why don't you hack the port? You will need to edit the Makefile to read the right version number and edit the distinfo file to reflect the right version (and change the checksums and file sizes). You should then be able to make and install as normal (I don't think any of the dependencies have changed so you should be fine). While this is not the elegant solution that JP would create, I have done this a couple of times quite successfully.

Drew

From david at bass.net.au Thu Dec 18 22:24:05 2008
From: david at bass.net.au (David Lee)
Date: Thu Dec 18 22:24:21 2008
Subject: Email report of stripped attachment when exceeding size limit
In-Reply-To: <72cf361e0812180030h43f00361na900c427d815f919@mail.gmail.com>
References: <4949A595.30507@bass.net.au> <72cf361e0812180030h43f00361na900c427d815f919@mail.gmail.com>
Message-ID: <494ACD85.2010304@bass.net.au>

Hi Martin,

Thanks for the response.
When looking at it from a spamming perspective that makes sense.
I've upped the maximum message size limit to match that of our internal SMTP server so this shouldn't be an issue any more for outbound mail.

>> Hi All,
>>
>> Am currently running Mailscanner (v4.67.6) with MailWatch on a FreeBSD 7.0
>> server (I realise the version of MailScanner is quite old, but I have
>> installed it via the FreeBSD Ports system).
>>
>> I have a question regarding reporting stripped mail attachments when they
>> exceed the maximum configured message size limit. When this occurs the
>> intended recipient of the email receives the report detailing what has
>> happened and possible actions to take to prevent it (e.g. compressing the
>> attachment). I would have thought that this report should be sent back to the
>> sender of the email, since they are the ones who can do something about it?
>>
>> Is this the expected functionality of MailScanner or do I have something
>> misconfigured?
>>
>> --
>> David
>>
>
> David
>
> I suggest emailing the recipient is best as there are some very large
> PDF's etc around that are actually spam and hence the 'from' would be
> incorrect. If you're seeing a lot of this then I'd up the attachment
> limit.
>

From maillists at conactive.com Thu Dec 18 22:31:18 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Dec 18 22:31:32 2008
Subject: Mailscanner.rc start up script file location
In-Reply-To: <494ABB8A.9070201@chem.fsu.edu>
References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu>
Message-ID:

Hiram Gibbard wrote on Thu, 18 Dec 2008 16:07:22 -0500:

> Yes. That's the problem. I was originally using the ports (which I
> prefer), but since I'm using ClamAV, I was told (from someone on this
> list) to use the latest version of Mailscanner in order to avoid the
> issues I was previously having. I would hack a current mailscanner
> script, but I'm not that good at stuff like that. Do I have any other
> options?

Can't you "save" that script from the originally installed port before upgrading with the tarball?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From hvdkooij at vanderkooij.org Fri Dec 19 06:31:27 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Dec 19 06:31:36 2008
Subject: live.com spam getting througt
In-Reply-To:
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com> <4948C876.1080005@gmail.com>
Message-ID: <494B3FBF.7060202@vanderkooij.org>

JC Putter wrote:
> Lately I have been receiving a lot of spam from random @live.com addresses,

Maybe you should start a new thread and not hijack one.

Thread-Topic: live.com spam getting througt
Thread-Index: AclgLAGNoNqiMRfNQ5+L1px3UU2xAwAAZ+jg
Message-ID:
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com> <4948C876.1080005@gmail.com>

Please stick to the thread "Re: Sanesecurity signatures are no longer being updated or distributed" or start a new thread with a fresh message and not a reply.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From hvdkooij at vanderkooij.org Fri Dec 19 06:37:22 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Dec 19 06:37:32 2008
Subject: MAIL QUEUE TOO LONG AND HIGH LOAD
In-Reply-To:
References: <200812181716.mBIHFuFO019266@safir.blacknight.ie>
Message-ID: <494B4122.1020703@vanderkooij.org>

Alex Neuman van der Hans wrote:
> All caps is often filtered. Looks like spam.

At the very least it is considered impolite. Because no one likes SHOUTING.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From maxsec at gmail.com Fri Dec 19 08:18:33 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Dec 19 08:18:43 2008
Subject: Email report of stripped attachment when exceeding size limit
In-Reply-To: <494ACD85.2010304@bass.net.au>
References: <4949A595.30507@bass.net.au> <72cf361e0812180030h43f00361na900c427d815f919@mail.gmail.com> <494ACD85.2010304@bass.net.au>
Message-ID: <72cf361e0812190018t10f20d1fqf35ad40e20ff272@mail.gmail.com>

2008/12/18 David Lee :
> Hi Martin,
>
> Thanks for the response.
> When looking at it from a spamming perspective that makes sense.
> I've upped the maximum message size limit to match that of our internal SMTP
> server so this shouldn't be an issue any more for outbound mail.
>
>>> Hi All,
>>>
>>> Am currently running Mailscanner (v4.67.6) with MailWatch on a FreeBSD 7.0
>>> server (I realise the version of MailScanner is quite old, but I have
>>> installed it via the FreeBSD Ports system).
>>>
>>> I have a question regarding reporting stripped mail attachments when they
>>> exceed the maximum configured message size limit. When this occurs the
>>> intended recipient of the email receives the report detailing what has
>>> happened and possible actions to take to prevent it (e.g. compressing the
>>> attachment). I would have thought that this report should be sent back to
>>> the sender of the email, since they are the ones who can do something about
>>> it?
>>>
>>> Is this the expected functionality of MailScanner or do I have something
>>> misconfigured?
>>>
>>> --
>>> David
>>>
>>
>> David
>>
>> I suggest emailing the recipient is best as there are some very large
>> PDF's etc around that are actually spam and hence the 'from' would be
>> incorrect.
If you're seeing a lot of this then I'd up the attachment
>> limit.
>>

Ah - if you're scanning outbound email you might want to change the settings for this based on the 'from' ip-address.

--
Martin Hepworth
Oxford, UK

From jcputter at numata.co.za Fri Dec 19 09:13:38 2008
From: jcputter at numata.co.za (JC Putter)
Date: Fri Dec 19 09:14:03 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
Message-ID:

Hi, I am using Mailscanner 4.72 with the SARE ruleset, but spam from hotmail, live.com and yahoo gets through. Is there anything else I can do?

From pascal.maes at elec.ucl.ac.be Fri Dec 19 10:47:19 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Dec 19 10:47:45 2008
Subject: Host in whitelist but tagged as SPAM
Message-ID:

Hello,

I have the following lines in the file /opt/MailScanner/etc/rules/spam_whitelist.rules

From: 85.201.63.77 yes
From: 85.201.63.77/32 yes
From: user-85-201-63-77.static.tvcablenet.be yes
From: uclsbs.ucl.lan yes

In MailScanner.conf, I have:

Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules

but the following mail coming from 85.201.63.77 has been tagged as spam:

Received: from uclsbs.ucl.lan (unknown [85.201.63.77])
 by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP; Fri, 12 Dec 2008 12:50:43 +0100 (CET)
Date: Fri, 12 Dec 2008 12:50:30 +0100
Subject: {Spam?} =?iso-8859-1?Q? menus_de_la_semaine_du_15_au_20_d=E9cembre?=
Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A7136DC5@uclsbs.ucl.lan>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-type: multipart/mixed; boundary="Boundary_(ID_VQ/ aEKvQHjAdmdemkEt+nw)"
Content-class: urn:content-classes:message
Thread-topic: =?iso-8859-1?Q? menus_de_la_semaine_du_15_au_20_d=E9cembre?=
Thread-index: AclcT9T6bxsC0TvWSXWGMBdltMBdCg==
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
X-AV-Checked: ClamAV using ClamSMTP
X-SGSI-MailScanner-ID: 9132FEB69D.EA3EE
X-SGSI-MailScanner: Found to be clean
X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, score=9.216, requis 5,
 BAYES_00 -1.60, BOTNET_BADDNS 2.50, BOTNET_CLIENT 1.50,
 BOTNET_CLIENTWORDS 1.50, BOTNET_IPINHOSTNAME 1.50, HELO_LH_HOME 3.71,
 HTML_MESSAGE 0.00, RDNS_NONE 0.10)
X-SGSI-Spam-Score: sssssssss
X-SGSI-Spam-Status: Yes

Why?

--
Pascal

From jcputter at numata.co.za Fri Dec 19 11:04:34 2008
From: jcputter at numata.co.za (JC Putter)
Date: Fri Dec 19 11:04:55 2008
Subject: Host in whitelist but tagged as SPAM
In-Reply-To:
References:
Message-ID:

Hi, I'm still new at mailscanner, but you can whitelist the mail in spamassassin with the whitelist_from parameter??

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Pascal Maes
Sent: 19 December 2008 12:47 PM
To: MailScanner discussion
Subject: Host in whitelist but tagged as SPAM

Hello,

I have the following lines in the file /opt/MailScanner/etc/rules/spam_whitelist.rules

From: 85.201.63.77 yes
From: 85.201.63.77/32 yes
From: user-85-201-63-77.static.tvcablenet.be yes
From: uclsbs.ucl.lan yes

In MailScanner.conf, I have:

Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules

but the following mail coming from 85.201.63.77 has been tagged as spam:

Received: from uclsbs.ucl.lan (unknown [85.201.63.77])
 by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP; Fri, 12 Dec 2008 12:50:43 +0100 (CET)
Date: Fri, 12 Dec 2008 12:50:30 +0100
Subject: {Spam?} =?iso-8859-1?Q? menus_de_la_semaine_du_15_au_20_d=E9cembre?=
Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A7136DC5@uclsbs.ucl.lan>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-type: multipart/mixed; boundary="Boundary_(ID_VQ/ aEKvQHjAdmdemkEt+nw)"
Content-class: urn:content-classes:message
Thread-topic: =?iso-8859-1?Q? menus_de_la_semaine_du_15_au_20_d=E9cembre?=
Thread-index: AclcT9T6bxsC0TvWSXWGMBdltMBdCg==
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
X-AV-Checked: ClamAV using ClamSMTP
X-SGSI-MailScanner-ID: 9132FEB69D.EA3EE
X-SGSI-MailScanner: Found to be clean
X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, score=9.216, requis 5,
 BAYES_00 -1.60, BOTNET_BADDNS 2.50, BOTNET_CLIENT 1.50,
 BOTNET_CLIENTWORDS 1.50, BOTNET_IPINHOSTNAME 1.50, HELO_LH_HOME 3.71,
 HTML_MESSAGE 0.00, RDNS_NONE 0.10)
X-SGSI-Spam-Score: sssssssss
X-SGSI-Spam-Status: Yes

Why?

--
Pascal

From ram at netcore.co.in Fri Dec 19 11:41:38 2008
From: ram at netcore.co.in (ram)
Date: Fri Dec 19 11:41:51 2008
Subject: How do skip HOLD for some messages in postfix header_checks
Message-ID: <1229686898.23267.49.camel@darkstar.netcore.co.in>

I use MailScanner + postfix to do Antivirus scan on our servers.
So I use the header_checks to put messages in Hold for MailScanner to pick up and scan.

For some from-ids I do not want to put the mails on hold and send without scan. These are high volume system alerts, and no scan is required.

How do I achieve this?

Thanks
Ram

PS: I know this is more of a postfix query, but on the pf-list He-who-shall-not-be-named would not like a Mailscanner question :-)

From list-mailscanner at linguaphone.com Fri Dec 19 11:50:14 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Fri Dec 19 11:50:26 2008
Subject: How do skip HOLD for some messages in postfix header_checks
In-Reply-To: <1229686898.23267.49.camel@darkstar.netcore.co.in>
References: <1229686898.23267.49.camel@darkstar.netcore.co.in>
Message-ID: <1229687414.30385.3.camel@gblades-suse.linguaphone-intranet.co.uk>

Best way I think would be to configure those servers to send mail on a different port. Then in postfix edit master.cf to make it listen on the additional port and specify an option to not use a header checks file.

On Fri, 2008-12-19 at 11:41, ram wrote:
> I use MailScanner + postfix to do Antivirus scan on our servers
> So I use the header_checks to put messages in Hold for MailScanner to
> pickup and scan
>
> For some from-ids I do not want to put the mails on hold and send
> without scan. These are high volume system alerts , and no scan is
> required
>
> How do I achieve this ?
>
> Thanks
> Ram
>
> PS: I know this is more of a postfix query , but on the pf-list
> He-who-shall-not-be-named would not like a Mailscanner question :-)
>

From ram at netcore.co.in Fri Dec 19 11:51:28 2008
From: ram at netcore.co.in (ram)
Date: Fri Dec 19 11:51:40 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References:
Message-ID: <1229687488.23267.54.camel@darkstar.netcore.co.in>

On Fri, 2008-12-19 at 11:13 +0200, JC Putter wrote:
> Hi i am using Mailscanner 4.72 with SARE ruleset, but spam from
> hotmail,live.com and yahoo gets thought, is there anything else i can
> do?
>

What is the version of spamassassin? What SARE rules do you use?
Just put your spam mail with full headers on some pastebin so that people could check. And post the mail to the Spamassassin list too.

Thanks
Ram

From antencek at volja.net Fri Dec 19 11:54:21 2008
From: antencek at volja.net (Antencek)
Date: Fri Dec 19 11:55:01 2008
Subject: How do skip HOLD for some messages in postfix header_checks
In-Reply-To: <1229686898.23267.49.camel@darkstar.netcore.co.in>
References: <1229686898.23267.49.camel@darkstar.netcore.co.in>
Message-ID: <494B8B6D.90406@volja.net>

Hello, Ram!

You could use MailScanner functionality:

FromOrTo: email@address no
FromOrTo: default yes

in scan.messages.rules

which is defined in MailScanner.conf with:

Scan Messages = %rules-dir%/scan.messages.rules

Regards,
A

ram wrote:
> I use MailScanner + postfix to do Antivirus scan on our servers
> So I use the header_checks to put messages in Hold for MailScanner to
> pickup and scan
>
> For some from-ids I do not want to put the mails on hold and send
> without scan. These are high volume system alerts , and no scan is
> required
>
> How do I achieve this ?
>
> Thanks
> Ram
>
> PS: I know this is more of a postfix query , but on the pf-list
> He-who-shall-not-be-named would not like a Mailscanner question :-)
>

From jcputter at numata.co.za Fri Dec 19 12:08:14 2008
From: jcputter at numata.co.za (JC Putter)
Date: Fri Dec 19 12:08:55 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To: <1229687488.23267.54.camel@darkstar.netcore.co.in>
References: <1229687488.23267.54.camel@darkstar.netcore.co.in>
Message-ID:

I am using Rules du Jour from www.fsl.com/support

And the spamassassin package from www.mailscanner.info, I think it is 3.2.5

Here are the headers:
http://pastebin.com/m3ac3d25c

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram
Sent: 19 December 2008 01:51 PM
To: MailScanner discussion
Subject: Re: Spam from hotmail,yahoo and live.com getting throught

On Fri, 2008-12-19 at 11:13 +0200, JC Putter wrote:
> Hi i am using Mailscanner 4.72 with SARE ruleset, but spam from
> hotmail,live.com and yahoo gets thought, is there anything else i can
> do?
>

What is the version of spamassassin , What SARE rules do you use
Just put your spammail with full headers on some pastebin so that people could check. And post the mail to the Spamassassin list too

Thanks
Ram

From alex at rtpty.com Fri Dec 19 12:18:17 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Dec 19 12:18:57 2008
Subject: Host in whitelist but tagged as SPAM
In-Reply-To:
References:
Message-ID:

You have no default line.

On Dec 19, 2008, at 5:47 AM, Pascal Maes wrote:

>
> Hello,
>
> I have the following lines in the file /opt/MailScanner/etc/rules/
> spam_whitelist.rules
>
>
> From: 85.201.63.77 yes
> From: 85.201.63.77/32 yes
> From: user-85-201-63-77.static.tvcablenet.be yes
> From: uclsbs.ucl.lan yes
>
> In MailScanner.conf, I have :
>
> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>
>
> but the following mail comming from 85.201.63.77 has been tagged as
> spam :
>
> Received: from uclsbs.ucl.lan (unknown [85.201.63.77])
> by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP; Fri,
> 12 Dec 2008 12:50:43 +0100 (CET)
> Date: Fri, 12 Dec 2008 12:50:30 +0100
> Subject: {Spam?} =?iso-8859-1?Q?
> menus_de_la_semaine_du_15_au_20_d=E9cembre?=
> Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A7136DC5@uclsbs.ucl.lan>
> MIME-version: 1.0
> X-MIMEOLE: Produced By Microsoft Exchange V6.5
> Content-type: multipart/mixed; boundary="Boundary_(ID_VQ/
> aEKvQHjAdmdemkEt+nw)"
> Content-class: urn:content-classes:message
> Thread-topic: =?iso-8859-1?Q?
> menus_de_la_semaine_du_15_au_20_d=E9cembre?=
> Thread-index: AclcT9T6bxsC0TvWSXWGMBdltMBdCg==
> X-MS-Has-Attach: yes
> X-MS-TNEF-Correlator:
> X-AV-Checked: ClamAV using ClamSMTP
> X-SGSI-MailScanner-ID: 9132FEB69D.EA3EE
> X-SGSI-MailScanner: Found to be clean
> X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, score=9.216,
> requis 5,
> BAYES_00 -1.60, BOTNET_BADDNS 2.50, BOTNET_CLIENT 1.50,
> BOTNET_CLIENTWORDS 1.50, BOTNET_IPINHOSTNAME 1.50, HELO_LH_HOME
> 3.71,
> HTML_MESSAGE 0.00, RDNS_NONE 0.10)
> X-SGSI-Spam-Score: sssssssss
> X-SGSI-Spam-Status: Yes
>
>
> Why ?
>
> --
> Pascal
>

From pascal.maes at elec.ucl.ac.be Fri Dec 19 12:43:20 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Dec 19 12:43:33 2008
Subject: Host in whitelist but tagged as SPAM
In-Reply-To:
References:
Message-ID: <9898C770-6859-41E5-B01B-DC609D4E1A80@elec.ucl.ac.be>

On 19 Dec 08, at 13:18, Alex Neuman van der Hans wrote:

> You have no default line.
>
>
>
> On Dec 19, 2008, at 5:47 AM, Pascal Maes
> wrote:
>
>>
>> Hello,
>>
>> I have the following lines in the file /opt/MailScanner/etc/rules/
>> spam_whitelist.rules
>>
>>
>> From: 85.201.63.77 yes
>> From: 85.201.63.77/32 yes
>> From: user-85-201-63-77.static.tvcablenet.be yes
>> From: uclsbs.ucl.lan yes
>>
>>

It was an extract. The last line of the file is:

FromOrTo: default no

--
Pascal

From gesbbb at yahoo.com Fri Dec 19 12:43:53 2008
From: gesbbb at yahoo.com (Jerry)
Date: Fri Dec 19 12:44:53 2008
Subject: How do skip HOLD for some messages in postfix header_checks
In-Reply-To: <494B8B6D.90406@volja.net>
References: <1229686898.23267.49.camel@darkstar.netcore.co.in> <494B8B6D.90406@volja.net>
Message-ID: <20081219074353.5f27d441@scorpio>

On Fri, 19 Dec 2008 12:54:21 +0100 Antencek wrote:

>ram wrote:
>> I use MailScanner + postfix to do Antivirus scan on our servers
>> So I use the header_checks to put messages in Hold for MailScanner to
>> pickup and scan
>>
>> For some from-ids I do not want to put the mails on hold and send
>> without scan. These are high volume system alerts , and no scan is
>> required
>>
>> How do I achieve this ?
>>
>> PS: I know this is more of a postfix query , but on the pf-list
>> He-who-shall-not-be-named would not like a Mailscanner question :-)

>Hello, Ram!
>
>
>You could use MailScanner functionallity:
>
>FromOrTo: email@address no
>FromOrTo: default yes
>
>
>in scan.messages.rules
>
>
>which is defined in MailScanner.conf with:
>
>Scan Messages = %rules-dir%/scan.messages.rules

That does not actually answer the OP's question. He wants to specifically bypass the "HOLD" function. Having his users use SASL and authenticate on a different SMTP port, 587 is the usual one to use, is the method I have found to be most secure and efficient.

--
Jerry
gesbbb@yahoo.com

Menu, n.:
A list of dishes which the restaurant has just run out of.

From pascal.maes at elec.ucl.ac.be Fri Dec 19 12:53:56 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Dec 19 12:54:14 2008
Subject: Host in whitelist but tagged as SPAM : SOLVED
In-Reply-To: <9898C770-6859-41E5-B01B-DC609D4E1A80@elec.ucl.ac.be>
References: <9898C770-6859-41E5-B01B-DC609D4E1A80@elec.ucl.ac.be>
Message-ID: <54DD942E-4E0E-469D-AAD0-B2E9F630438E@elec.ucl.ac.be>

On 19 Dec 08, at 13:43, Pascal Maes wrote:

>
> On 19 Dec 08, at 13:18, Alex Neuman van der Hans wrote:
>
>> You have no default line.
>>
>>
>>
>> On Dec 19, 2008, at 5:47 AM, Pascal Maes
>> wrote:
>>
>>>
>>> Hello,
>>>
>>> I have the following lines in the file /opt/MailScanner/etc/rules/
>>> spam_whitelist.rules
>>>
>>>
>>> From: 85.201.63.77 yes
>>> From: 85.201.63.77/32 yes
>>> From: user-85-201-63-77.static.tvcablenet.be yes
>>> From: uclsbs.ucl.lan yes
>>>
>>>
>
> It was an extract. The last line of the file is :
>
> FromOrTo: default no
>
> --
> Pascal
>

Sorry, the mail has a lot of recipients and therefore was not whitelisted:

Dec 12 13:19:30 smtp-1 MailScanner[18319]: Message 9132FEB69D.EA3EE from 85.201.63.77 (restaurants-universitaires@uclouvain.be) ignored whitelist, had 162 recipients (>50)

--
Pascal

From ram at netcore.co.in Fri Dec 19 12:55:11 2008
From: ram at netcore.co.in (ram)
Date: Fri Dec 19 12:55:23 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References: <1229687488.23267.54.camel@darkstar.netcore.co.in>
Message-ID: <1229691311.23267.72.camel@darkstar.netcore.co.in>

On Fri, 2008-12-19 at 14:08 +0200, JC Putter wrote:
> I am using Rules du Jour from www.fsl.com/support
>
> And the spamassassin package from www.mailscanner.info i think it is 3.2.5
>
> Here is the headers
> http://pastebin.com/m3ac3d25c

Where is the mail? Just the headers won't help.

From jcputter at numata.co.za Fri Dec 19 13:20:05 2008
From: jcputter at numata.co.za (JC Putter)
Date: Fri Dec 19 13:20:37 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To: <1229691311.23267.72.camel@darkstar.netcore.co.in>
References: <1229687488.23267.54.camel@darkstar.netcore.co.in> <1229691311.23267.72.camel@darkstar.netcore.co.in>
Message-ID:

Sorry, http://pastebin.com/maf68d54 there's the full raw message,

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram
Sent: 19 December 2008 02:55 PM
To: MailScanner discussion
Subject: RE: Spam from hotmail,yahoo and live.com getting throught

On Fri, 2008-12-19 at 14:08 +0200, JC Putter wrote:
> I am using Rules du Jour from www.fsl.com/support
>
> And the spamassassin package from www.mailscanner.info i think it is 3.2.5
>
> Here is the headers
> http://pastebin.com/m3ac3d25c

Where is the mail ? Just the headers wont help

From maillists at conactive.com Fri Dec 19 13:31:15 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Dec 19 13:31:29 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References: <1229687488.23267.54.camel@darkstar.netcore.co.in>
Message-ID:

JC Putter wrote on Fri, 19 Dec 2008 14:08:14 +0200:

> I am using Rules du Jour from www.fsl.com/support

You do not need to use that. SARE rules are not getting updated anymore. So, if you want to use them (many don't use them anymore or only a very small subset) just get them once and stop updating. However, you want to make sure that your sa-updates work.
-> http://wiki.apache.org/spamassassin?action=fullsearch&context=180&value=sa-update

> Here is the headers
> http://pastebin.com/m3ac3d25c

These are not the original headers, this is from Mailwatch. Paste the *complete* *original* message to pastebin.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From jcputter at numata.co.za Fri Dec 19 13:43:57 2008
From: jcputter at numata.co.za (JC Putter)
Date: Fri Dec 19 13:44:37 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References: <1229687488.23267.54.camel@darkstar.netcore.co.in>
Message-ID:

This is more of a spamassassin question, but if the SARE rulesets are not being updated, which rulesets can I then use, because the default rules with spamassassin are not enough?

If I run sa-update I get the following:

[31936] dbg: dns: 5.2.3.updates.spamassassin.org => 709395, parsed as 709395
[31936] dbg: channel: current version is 709395, new version is 709395, skipping channel
[31936] dbg: diag: updates complete, exiting with code 1

I've never received an update using sa-update...

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl
Sent: 19 December 2008 03:31 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Spam from hotmail,yahoo and live.com getting throught

JC Putter wrote on Fri, 19 Dec 2008 14:08:14 +0200:

> I am using Rules du Jour from www.fsl.com/support

You do not need to use that. SARA rules are not getting updated anymore. So, if you want to use them (many don't use them anymore or only a very small subset) just get them once and stop updating. However, you want to make sure that your sa-updates work.
-> http://wiki.apache.org/spamassassin?action=fullsearch&context=180&value=sa-update

> Here is the headers
> http://pastebin.com/m3ac3d25c

These are not the original headers, this is from Mailwatch. Paste the *complete* *original* message to pastebin.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Dec 19 13:51:24 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Dec 19 13:51:39 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References: <1229687488.23267.54.camel@darkstar.netcore.co.in> <1229691311.23267.72.camel@darkstar.netcore.co.in>
Message-ID:

JC Putter wrote on Fri, 19 Dec 2008 15:20:05 +0200:

> there the full raw message,

scores 3.1 without network tests here (score=3.1 required=5.0 tests=BAYES_50,LOCALPART_IN_SUBJECT,URIBL_RHS_DOB)
But there's plenty of text you could use for custom SA rules in it. And after learning it to Bayes I get BAYES_99 which kicks it over 5. You may want to remove that address from your AWL (spamassassin --remove-addr-from-whitelist).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Dec 19 13:51:24 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Dec 19 13:51:40 2008
Subject: Host in whitelist but tagged as SPAM
In-Reply-To:
References:
Message-ID:

make sure that your rules are used by adding a buggy line to these rules and restarting MS. (should throw an error)

> From: uclsbs.ucl.lan yes

The hostname of [85.201.63.77] is user-85-201-63-77.static.tvcablenet.be. So, this can't fire. Furthermore, you seem to have a dns problem as your mailserver cannot resolve the PTR for this IP (unknown) and the given helo seems to be wrong as well (I get mail.sru.ucl.ac.be).

Received: from uclsbs.ucl.lan (unknown [85.201.63.77])

and going by the SA hits you didn't set up your trusted_networks. Go to wiki.spamassassin.org and search for it. You can also search the SA mailing list for that.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Dec 19 14:05:16 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Dec 19 14:05:27 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References: <1229687488.23267.54.camel@darkstar.netcore.co.in>
Message-ID:

JC Putter wrote on Fri, 19 Dec 2008 15:43:57 +0200:

> This is more a spamassassin question, but if the SARE rulesets are
> not being updated, which rulesets can I then use, because the default
> rules with spamassassin are not enough.

In many cases they *are* enough. Just blindly adding lots of rules won't really help. You have to analyze what gets thru why and then take the appropriate measures. Reading the sa list will really help in this. Just adding a few rules special to your environment may be enough (e.g. I could just score on "deposit" while others can't as they may get legitimate mail with this word). There are lots of good "markers" in the mail you provided.

>
> If I run sa-update I get the following
>
> [31936] dbg: dns: 5.2.3.updates.spamassassin.org => 709395, parsed as 709395
> [31936] dbg: channel: current version is 709395, new version is 709395, skipping channel
> [31936] dbg: diag: updates complete, exiting with code 1
>
> I've never received an update using sa-update...

You received one as it shows that you are up-to-date.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From lucianog at metline.it Fri Dec 19 15:28:01 2008
From: lucianog at metline.it (Luciano Grego)
Date: Fri Dec 19 15:32:33 2008
Subject: clamav-wrapper: /usr/bin/clamscan: No such file or directory
References: <9898C770-6859-41E5-B01B-DC609D4E1A80@elec.ucl.ac.be> <54DD942E-4E0E-469D-AAD0-B2E9F630438E@elec.ucl.ac.be>
Message-ID: <84D2054A06094D6F940C46A5A859666B@LUCIANO>

Hi all,
I've installed MailScanner latest stable version on Fedora Core 8 with Postfix mailserver.
On Fedora I've removed spamassassin before the installation of MailScanner.
It's OK!
Now I've compiled and installed "install-Clam-SA-latest.tar.gz".
but ...

MailScanner --lint
Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 5820 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.73.4) is correct.

...

MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed:
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting

>>>>>>> /usr/lib/MailScanner/clamav-wrapper: line 162: /usr/bin/clamscan: No
>>>>>>> such file or directory
Why?

I've clamscan in /usr/local/bin !!
===========================================================================

If any of your virus scanners ()
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

Thank you
L.

From s.oreilly at linnovations.co.uk Fri Dec 19 15:41:59 2008
From: s.oreilly at linnovations.co.uk (s.oreilly)
Date: Fri Dec 19 15:42:08 2008
Subject: clamav-wrapper: /usr/bin/clamscan: No such file or directory
Message-ID: <29744.1229701319@linnovations.co.uk>

On Fri 19/12/08 3:28 PM , "Luciano Grego" lucianog@metline.it sent:

Hi all,
I've installed MailScanner latest stable version on Fedora Core 8 with Postfix mailserver.
On Fedora I've removed spamassassin before the installation of MailScanner.
It's OK!
Now I've compiled and installed "install-Clam-SA-latest.tar.gz".
but ...

MailScanner --lint
Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 5820 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.73.4) is correct.

...

MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed:
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting

>>>>>>> /usr/lib/MailScanner/clamav-wrapper: line 162: /usr/bin/clamscan: No
>>>>>>> such file or directory
Why?

I've clamscan in /usr/local/bin !!
===========================================================================

If any of your virus scanners ()
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

Thank you
L.

From s.oreilly at linnovations.co.uk Fri Dec 19 15:43:24 2008
From: s.oreilly at linnovations.co.uk (s.oreilly)
Date: Fri Dec 19 15:43:33 2008
Subject: clamav-wrapper: /usr/bin/clamscan: No such file or directory
Message-ID: <32810.1229701404@linnovations.co.uk>

You have clamscan in /usr/local/bin and clamav-wrapper is looking for it in /usr/bin/

Either change the configuration to look in /usr/local/bin or create a symbolic link in /usr/bin

Regards

Sean

On Fri 19/12/08 3:28 PM , "Luciano Grego" lucianog@metline.it sent:

Hi all,
I've installed MailScanner latest stable version on Fedora Core 8 with Postfix mailserver.
On Fedora I've removed spamassassin before the installation of MailScanner.
It's OK!
Now I've compiled and installed "install-Clam-SA-latest.tar.gz".
but ...

MailScanner --lint
Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 5820 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.73.4) is correct.

...

MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed:
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting

>>>>>>> /usr/lib/MailScanner/clamav-wrapper: line 162: /usr/bin/clamscan: No
>>>>>>> such file or directory
Why?

I've clamscan in /usr/local/bin !!
===========================================================================

If any of your virus scanners ()
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

Thank you
L.

From MailScanner at ecs.soton.ac.uk Fri Dec 19 16:14:56 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Dec 19 16:15:16 2008
Subject: clamav-wrapper: /usr/bin/clamscan: No such file or directory
In-Reply-To: <32810.1229701404@linnovations.co.uk>
References: <32810.1229701404@linnovations.co.uk>
Message-ID: <494BC880.8000003@ecs.soton.ac.uk>

Change your /etc/MailScanner/virus.scanners.conf to correctly indicate the location of your copy of ClamAV.

On 19/12/08 15:43, s.oreilly wrote:
>
> You have clamscan in /usr/local/bin and clamav-wrapper is looking for
> it in /usr/bin/
>
> Either change the configuration to look in /usr/local/bin or create a
> symbolic link in /usr/bin
>
> Regards
>
> Sean
>
>
> On Fri 19/12/08 3:28 PM , "Luciano Grego" lucianog@metline.it sent:
>
> Hi all,
> I've installed MailScanner latest stable version on Fedora Core 8
> with Postfix mailserver.
> On Fedora I've removed spamassassin before the installation of
> MailScanner.
> It's OK!
> Now I've compiled and installed "install-Clam-SA-latest.tar.gz".
> but ...
>
> MailScanner --lint
> Trying to setlogsock(unix)
> Read 848 hostnames from the phishing whitelist
> Read 5820 hostnames from the phishing blacklist
> Checking version numbers...
> Version number in MailScanner.conf (4.73.4) is correct.
>
> ...
>
> MailScanner.conf says "Virus Scanners = clamav"
> Found these virus scanners installed:
> ===========================================================================
>
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
>
> >>>>>>> /usr/lib/MailScanner/clamav-wrapper: line 162:
> /usr/bin/clamscan: No
> >>>>>>> such file or directory
> Why?
>
> I've clamscan in /usr/local/bin !!
> ===========================================================================
>
> If any of your virus scanners ()
> are not listed there, you should check that they are installed
> correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
>
> Thank you
> L.
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From hvdkooij at vanderkooij.org Fri Dec 19 17:55:32 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Dec 19 17:55:48 2008
Subject: How do skip HOLD for some messages in postfix header_checks
In-Reply-To: <1229686898.23267.49.camel@darkstar.netcore.co.in>
References: <1229686898.23267.49.camel@darkstar.netcore.co.in>
Message-ID: <494BE014.1070405@vanderkooij.org>

ram wrote:
> I use MailScanner + postfix to do Antivirus scan on our servers
> So I use the header_checks to put messages in Hold for MailScanner to
> pickup and scan
>
> For some from-ids I do not want to put the mails on hold and send
> without scan. These are high volume system alerts , and no scan is
> required
>
> How do I achieve this ?

Read this? http://hugo.vanderkooij.org/email/mailscanner.htm?lang=en#HOLD

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From ssilva at sgvwater.com Fri Dec 19 18:41:06 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec 19 18:41:28 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References: <1229687488.23267.54.camel@darkstar.netcore.co.in> <1229691311.23267.72.camel@darkstar.netcore.co.in>
Message-ID:

on 12-19-2008 5:20 AM JC Putter spake the following:
> Sorry
>
> http://pastebin.com/maf68d54
>
> there the full raw message,
>

Here are my hits;

Content analysis details:   (12.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 1.5 RCVD_IN_UCE_PFSM_1     RBL: Received via a relay in UCE_PFSM_1
                            [78.107.55.51 listed in dnsbl-1.uceprotect.net]
 3.0 RCVD_IN_BACKSCATTER    RBL: Received via a relay in Backscatter.org
                            [65.54.246.148 listed in ips.backscatterer.org]
 1.5 RCVD_IN_UCE_PFSM_3     RBL: Received via a relay in UCE_PFSM_3
                            [78.107.55.51 listed in dnsbl-3.uceprotect.net]
 1.5 RCVD_IN_UCE_PFSM_2     RBL: Received via a relay in UCE_PFSM_2
                            [78.107.55.51 listed in dnsbl-2.uceprotect.net]
 2.0 LOCALPART_IN_SUBJECT   Local part of To: address appears in Subject
 1.1 URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
                            [URIs: linkvark.com]
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0055]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.9 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

It could be that it hit higher now that it has been in the wild for a while.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From traced at xpear.de Fri Dec 19 18:43:37 2008
From: traced at xpear.de (traced)
Date: Fri Dec 19 18:43:48 2008
Subject: Mailscanner filename and filetype rules
Message-ID: <494BEB59.6070302@xpear.de>

Hi,

do you use the default settings shipped with mailscanner for filename- and type checking? I played around with them the last few days, and think that they are, hmm, let's call paranoid.

My users are sending a lot of zipped files across the web, containing word documents, powerpoint presentations, and sometimes complete zipped folders, including some .lnk windows link files. Such mails never go through the gates, here's an example:

Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
MailScanner: Possible Eudora *.lnk security hole attack (leereStammdaten.lnk.lnk)
MailScanner: Possible Eudora *.lnk security hole attack (Verknüpfungmit.lnk)
MailScanner: Possible Eudora *.lnk security hole attack (VerknüpfungmitAufbauformulare.doc.lnk)
MailScanner: No programs allowed (MouseHook.dll)
MailScanner: Possible Eudora *.lnk security hole attack (VerknüpfungmitVertrag.doc.lnk)
MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)

How do you handle this? Should I give more trust to my virus scanners? I use Clam, and Avira Antivir on my gates.

Thanks a lot,
Bastian

From alex at rtpty.com Fri Dec 19 20:28:30 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Dec 19 20:29:39 2008
Subject: Mailscanner filename and filetype rules
In-Reply-To: <494BEB59.6070302@xpear.de>
References: <494BEB59.6070302@xpear.de>
Message-ID: <18113F82-3FF2-44B5-8CF4-EC626C4EFFB4@rtpty.com>

Let's not. A carefully constructed file meeting your criteria for "safe" could get past all three.

On Dec 19, 2008, at 1:43 PM, traced wrote:

> Hi,
>
> do you use the default settings shipped with mailscanner for
> filename- and type checking? I played around with them the last few
> days, and think that they are, hmm, let's call paranoid.
>
> My users are sending a lot of zipped files across the web,
> containing word documents, powerpoint presentations, and sometimes
> complete zipped folders, including some .lnk windows link files.
> Such mails never go through the gates, here's an example:
>
> Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
> MailScanner: Possible Eudora *.lnk security hole attack
> (leereStammdaten.lnk.lnk)
> MailScanner: Possible Eudora *.lnk security hole attack
> (Verknüpfungmit.lnk)
> MailScanner: Possible Eudora *.lnk security hole attack
> (VerknüpfungmitAufbauformulare.doc.lnk)
> MailScanner: No programs allowed (MouseHook.dll)
> MailScanner: Possible Eudora *.lnk security hole attack
> (VerknüpfungmitVertrag.doc.lnk)
> MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)
>
> How do you handle this? Should I give more trust to my virus
> scanners? I use Clam, and Avira Antivir on my gates.
>
> Thanks a lot,
> Bastian

From ssilva at sgvwater.com Fri Dec 19 22:19:36 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec 19 22:19:55 2008
Subject: Mailscanner filename and filetype rules
In-Reply-To: <494BEB59.6070302@xpear.de>
References: <494BEB59.6070302@xpear.de>
Message-ID:

on 12-19-2008 10:43 AM traced spake the following:
> Hi,
>
> do you use the default settings shipped with mailscanner for filename-
> and type checking? I played around with them the last few days, and
> think that they are, hmm, let's call paranoid.
>
> My users are sending a lot of zipped files across the web, containing
> word documents, powerpoint presentations, and sometimes complete zipped
> folders, including some .lnk windows link files. Such mails never go
> through the gates, here's an example:
>

What good does it do to send windows .lnk files?
If I send you a link to c:\blabla.txt, you won't be able to open it anyway.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From traced at xpear.de Fri Dec 19 22:30:17 2008
From: traced at xpear.de (traced)
Date: Fri Dec 19 22:30:29 2008
Subject: Mailscanner filename and filetype rules
In-Reply-To:
References: <494BEB59.6070302@xpear.de>
Message-ID: <494C2079.10808@xpear.de>

Scott Silva wrote:
> on 12-19-2008 10:43 AM traced spake the following:
>> Hi,
>>
>> do you use the default settings shipped with mailscanner for filename-
>> and type checking? I played around with them the last few days, and
>> think that they are, hmm, let's call paranoid.
>>
>> My users are sending a lot of zipped files across the web, containing
>> word documents, powerpoint presentations, and sometimes complete zipped
>> folders, including some .lnk windows link files. Such mails never go
>> through the gates, here's an example:
>>
> What good does it do to send windows .lnk files?
> If I send you a link to c:\blabla.txt, you won't be able to open it anyway.
>
>

They don't even know that in the zip file are .lnk files, they just zip complete folders, containing access databases and word documents, and links to other documents. I can't tell them to sort them out, there are sitting "house-wives" on computers they hardly understand. You can't even imagine how happy I was to make them understand how to zip a folder :-)

From ssilva at sgvwater.com Fri Dec 19 22:41:36 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec 19 22:41:57 2008
Subject: Mailscanner filename and filetype rules
In-Reply-To: <494C2079.10808@xpear.de>
References: <494BEB59.6070302@xpear.de> <494C2079.10808@xpear.de>
Message-ID:

on 12-19-2008 2:30 PM traced spake the following:
> Scott Silva wrote:
>> on 12-19-2008 10:43 AM traced spake the following:
>>> Hi,
>>>
>>> do you use the default settings shipped with mailscanner for filename-
>>> and type checking? I played around with them the last few days, and
>>> think that they are, hmm, let's call paranoid.
>>>
>>> My users are sending a lot of zipped files across the web, containing
>>> word documents, powerpoint presentations, and sometimes complete zipped
>>> folders, including some .lnk windows link files. Such mails never go
>>> through the gates, here's an example:
>>>
>> What good does it do to send windows .lnk files?
>> If I send you a link to c:\blabla.txt, you won't be able to open it
>> anyway.
>>
>>
>
> They don't even know that in the zip file are .lnk files, they just zip
> complete folders, containing access databases and word documents, and
> links to other documents. I can't tell them to sort them out, there are
> sitting "house-wives" on computers they hardly understand. You can't
> even imagine how happy I was to make them understand how to zip a
> folder :-)

OK... I have some of those also. Even though I added a half a page of helpful comments to the warning page, they still do it all the time. I just laugh at them quietly to myself. Just another way to break the monotony!

How many times do you have to get a message that says "you can't do that" until you finally stop trying?

But they usually slap themselves on the forehead and get it right the second time, and then forget completely their embarrassment in a few days and do it again. You just can't find comedy like that any more. It is like giving the three stooges computers and setting them loose!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From jcputter at numata.co.za Sat Dec 20 09:47:41 2008
From: jcputter at numata.co.za (JC Putter)
Date: Sat Dec 20 09:48:26 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References: <1229687488.23267.54.camel@darkstar.netcore.co.in> <1229691311.23267.72.camel@darkstar.netcore.co.in>
Message-ID:

How can I set up mailscanner to do those URI, DNS blacklist checks??? That is what I need.

Thank you very much for the reply...

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: 19 December 2008 08:41 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Spam from hotmail,yahoo and live.com getting throught

on 12-19-2008 5:20 AM JC Putter spake the following:
> Sorry
>
> http://pastebin.com/maf68d54
>
> there the full raw message,
>

Here are my hits;

Content analysis details:   (12.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 1.5 RCVD_IN_UCE_PFSM_1     RBL: Received via a relay in UCE_PFSM_1
                            [78.107.55.51 listed in dnsbl-1.uceprotect.net]
 3.0 RCVD_IN_BACKSCATTER    RBL: Received via a relay in Backscatter.org
                            [65.54.246.148 listed in ips.backscatterer.org]
 1.5 RCVD_IN_UCE_PFSM_3     RBL: Received via a relay in UCE_PFSM_3
                            [78.107.55.51 listed in dnsbl-3.uceprotect.net]
 1.5 RCVD_IN_UCE_PFSM_2     RBL: Received via a relay in UCE_PFSM_2
                            [78.107.55.51 listed in dnsbl-2.uceprotect.net]
 2.0 LOCALPART_IN_SUBJECT   Local part of To: address appears in Subject
 1.1 URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
                            [URIs: linkvark.com]
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0055]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.9 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

It could be that it hit higher now that it has been in the wild for a while.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Sat Dec 20 09:49:20 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Dec 20 09:49:55 2008
Subject: Mailscanner filename and filetype rules
In-Reply-To: <494BEB59.6070302@xpear.de>
References: <494BEB59.6070302@xpear.de>
Message-ID: <494CBFA0.2030400@ecs.soton.ac.uk>

On 19/12/08 18:43, traced wrote:
> Hi,
>
> do you use the default settings shipped with mailscanner for filename-
> and type checking? I played around with them the last few days, and
> think that they are, hmm, let's call paranoid.
>
> My users are sending a lot of zipped files across the web, containing
> word documents, powerpoint presentations, and sometimes complete
> zipped folders, including some .lnk windows link files. Such mails
> never go through the gates, here's an example:
>
> Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
> MailScanner: Possible Eudora *.lnk security hole attack
> (leereStammdaten.lnk.lnk)
> MailScanner: Possible Eudora *.lnk security hole attack
> (Verknüpfungmit.lnk)
> MailScanner: Possible Eudora *.lnk security hole attack
> (VerknüpfungmitAufbauformulare.doc.lnk)

There is no point mailing links. People who don't understand the futility of mailing links still won't understand it if you let them mail links, as then they will get things in their email that just "don't work".

> MailScanner: No programs allowed (MouseHook.dll)

If you want to start letting them mail programs and random dll's around, that's your funeral.

> MailScanner: Possible Eudora *.lnk security hole attack
> (VerknüpfungmitVertrag.doc.lnk)
> MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)

That last one won't be reported as the full filename. It will have at least 1 more "extension". Hiding file extensions is the oldest trick in the book when it comes to getting people to click on malware.

However, if you don't want to use the default rules, then don't. That's why they are in configuration files, so you can change them.

These days you can probably remove the *.lnk filter, as it won't actually cause you much trouble. Just then all those housewives will call your tech support asking why the files they mail around don't work once they've been through your mail system. But that ain't my problem :-)

I would advise you to be very cautious about removing the other filters, to be honest. They help keep your users safe.

In tests made on brand new malware (i.e. stuff in circulation for only an hour or two) most AV scanners miss at least 20% of it, often a lot more. Don't rely on your AV scanners to catch it all, they won't.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From traced at xpear.de Sat Dec 20 10:46:18 2008
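Added example, not part of any message in this thread and not MailScanner's own code: a sketch of the kind of filename checks discussed above, run over a zipped folder like the ones Bastian's users send. The rule patterns, the nested-archive limits and the sample file names (other than MouseHook.dll) are constructed for illustration; only the three report strings come from the MailScanner notification quoted in the thread.

```python
import io
import re
import zipfile

# Constructed rule table: (action, regex, report text); the first match wins.
# Report texts are the ones quoted in the thread. The patterns, the size cap
# and the depth limit are assumptions for this example, not MailScanner's rules.
RULES = [
    ("deny", r"\.lnk$", "Possible Eudora *.lnk security hole attack"),
    ("deny", r"\.(dll|exe|com|scr|pif)$", "No programs allowed"),
    # Two extension-like suffixes in a row, e.g. "Angebot.doc.dot".
    ("deny", r"\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$", "Found possible filename hiding"),
    ("allow", r".", ""),
]
COMPILED = [(action, re.compile(rx, re.IGNORECASE), text) for action, rx, text in RULES]
MAX_DEPTH = 2                    # how many levels of nested archives to open
MAX_MEMBER_BYTES = 5 * 1024**2   # do not unpack nested archives larger than this


def check_name(name):
    """Return (action, report) for the first rule matching the file's base name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    for action, pattern, text in COMPILED:
        if pattern.search(base):
            return action, text
    return "allow", ""


def scan_zip(data, prefix="", depth=0):
    """Return [(path, report)] for every denied member, opening nested zips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            action, text = check_name(info.filename)
            if action == "deny":
                findings.append((path, text))
            elif info.filename.lower().endswith(".zip"):
                # Declared size is checked before reading, so an oversized
                # nested archive is flagged instead of being unpacked.
                if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "Nested archive not inspected"))
                else:
                    findings.extend(scan_zip(zf.read(info), path + "/", depth + 1))
    return findings


def build_sample():
    """Constructed sample: a zipped folder like the ones described in the thread."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Notiz.txt.exe", b"constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Projekt/Vertrag.doc", b"constructed")
        zf.writestr("Projekt/Verknuepfung mit Vertrag.doc.lnk", b"constructed")
        zf.writestr("Projekt/MouseHook.dll", b"constructed")
        zf.writestr("Projekt/Angebot.doc.dot", b"constructed")
        zf.writestr("Projekt/alt.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, text in scan_zip(build_sample()):
        print(f"{text} ({path})")
```

None of these checks look at file contents, which is why they still fire on a file no scanner has a signature for yet. Because the first matching rule wins, the nested `Notiz.txt.exe` is reported under the program rule rather than the filename-hiding rule.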
From: traced at xpear.de (traced)
Date: Sat Dec 20 10:46:31 2008
Subject: Mailscanner filename and filetype rules
In-Reply-To: <494CBFA0.2030400@ecs.soton.ac.uk>
References: <494BEB59.6070302@xpear.de> <494CBFA0.2030400@ecs.soton.ac.uk>
Message-ID: <494CCCFA.7030300@xpear.de>

Julian Field wrote:
>
>
> On 19/12/08 18:43, traced wrote:
>> Hi,
>>
>> do you use the default settings shipped with mailscanner for filename-
>> and type checking? I played around with them the last few days, and
>> think that they are, hmm, let's call paranoid.
>>
>> My users are sending a lot of zipped files across the web, containing
>> word documents, powerpoint presentations, and sometimes complete
>> zipped folders, including some .lnk windows link files. Such mails
>> never go through the gates, here's an example:
>>
>> Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
>> MailScanner: Possible Eudora *.lnk security hole attack
>> (leereStammdaten.lnk.lnk)
>> MailScanner: Possible Eudora *.lnk security hole attack
>> (Verknüpfungmit.lnk)
>> MailScanner: Possible Eudora *.lnk security hole attack
>> (VerknüpfungmitAufbauformulare.doc.lnk)
> There is no point mailing links. People who don't understand the
> futility of mailing links still won't understand it if you let them mail
> links, as then they will get things in their email that just "don't work".
>> MailScanner: No programs allowed (MouseHook.dll)
> If you want to start letting them mail programs and random dll's around,
> that's your funeral.
>> MailScanner: Possible Eudora *.lnk security hole attack
>> (VerknüpfungmitVertrag.doc.lnk)
>> MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)
> That last one won't be reported as the full filename. It will have at
> least 1 more "extension". Hiding file extensions is the oldest trick in
> the book when it comes to getting people to click on malware.
>
> However, if you don't want to use the default rules, then don't. That's
> why they are in configuration files, so you can change them.
>
> These days you can probably remove the *.lnk filter, as it won't
> actually cause you much trouble. Just then all those housewives will
> call your tech support asking why the files they mail around don't work
> once they've been through your mail system. But that ain't my problem :-)
>
> I would advise you to be very cautious about removing the other filters,
> to be honest. They help keep your users safe.
>
> In tests made on brand new malware (i.e. stuff in circulation for only
> an hour or two) most AV scanners miss at least 20% of it, often a lot
> more. Don't rely on your AV scanners to catch it all, they won't.
>
> Jules
>

Hi Jules,

thanks for your detailed answer. I think you are right :) The problem is that I am the techsupport, so they call me whatever happens... But I think it's better to release such mails manually when they are quarantined.

Thanks,
Bastian

From traced at xpear.de Sat Dec 20 10:47:55 2008
From: traced at xpear.de (traced) Date: Sat Dec 20 10:48:06 2008 Subject: Mailscanner filename and filetype rules In-Reply-To: References: <494BEB59.6070302@xpear.de> <494C2079.10808@xpear.de> Message-ID: <494CCD5B.9080008@xpear.de> Scott Silva wrote: >> They don't even know that in the zip file are .lnk files, they just zip >> complete folders, containing access databases and word documents, and >> links to other documents. I can't tell them to sort them out, there are >> sitting "house-wives" on computers they hardly understand. You can't >> even imagine how happy I was to make them understand how to zip a >> folder :-) > OK... I have some of those also. Even though I added a half a page of helpful > comments to the warning page, they still do it all the time. I just laugh at > them quietly to myself. Just another way to break the monotony! > > How many times do you have to get a message that says "you can't do that" > until you finally stop trying? > > But they usually slap themselves on the forehead and get it right the second > time, and then forget completely their embarrassment in a few days and do it > again. You just can't find comedy like that any more. It is like giving the > three stooges computers and setting them loose! > > Hey, Scott, I'm very happy that I'm not the only one who has to work with such kind of people :) Sometimes they make me run in the woods crying out loud and begging for help, sometimes they make me just laugh :) Bastian From traced at xpear.de Sun Dec 21 21:48:44 2008 
From: traced at xpear.de (traced) Date: Sun Dec 21 21:48:55 2008 Subject: DCC not working? Message-ID: <494EB9BC.9000906@xpear.de> Hi, I compiled DCC from sources on a mailscanner testbox, enabled it in the spamassassin prefs file, and spamassassin --lint (-D) doesn't show a failure. But how do I know that DCC works? There are no header changes, and, I don't see anything changed since I installed it. Is there a good way to test? Or even to show the DCC headers? Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there are still no headers... Thank you, Bastian From glenn.steen at gmail.com Mon Dec 22 09:29:16 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Dec 22 09:29:26 2008 Subject: DCC not working? In-Reply-To: <494EB9BC.9000906@xpear.de> References: <494EB9BC.9000906@xpear.de> Message-ID: <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> 2008/12/21 traced : > Hi, > I compiled DCC from sources on a mailscanner testbox, enabled it in the > spamassassin prefs file, and spamassassin --lint (-D) doesn't show a > failure. But how do I know that DCC works? There are no header > changes, and, I don't see anything changed since I installed it. > Did you make sure the LoadPlugin is uncommented in the *.pre files? Do you see a call to it when doing a "MailScanner --debug --debug-sa"? > Is there a good way to test? Or even to show the DCC headers? > Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there > are still no headers... Headers isn't the thing... You'd see it in the triggered rules... And in the debug run;) > > Thank you, > Bastian Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From traced at xpear.de Mon Dec 22 09:47:27 2008 
From: traced at xpear.de (traced@xpear.de) Date: Mon Dec 22 09:47:36 2008 Subject: DCC not working? In-Reply-To: <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> Message-ID: <6630ac6b55060c033b96a6bafe7299f1@localhost> On Mon, 22 Dec 2008 10:29:16 +0100, "Glenn Steen" wrote: > 2008/12/21 traced : >> Hi, >> I compiled DCC from sources on a mailscanner testbox, enabled it in the >> spamassassin prefs file, and spamassassin --lint (-D) doesnt show a >> a failure. But how do I know that DCC works? There are no header >> changes, and, I dont see anything changed since I installed it. >> > Did you make sure the LoadPlugin is uncommented in the *.pre files? > Do you see a call to it when doing a "MailScanner --debug --debug-sa"? > >> Is there a good way to test? Or even to show the DCC headers? >> Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there >> are still no headers... > Headers isn't the thing... You'd see it in the triggered rules... And > in the debug run;) > Yes, i uncommented it, looks like this now: loadplugin Mail::SpamAssassin::Plugin::DCC and here are some lint lines: [13376] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC [13376] dbg: dcc: local tests only, disabling DCC I think it should be running. So, is the only chance to see it working a "real spam" mail coming in? Regards, Bastian From glenn.steen at gmail.com Mon Dec 22 10:05:27 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Dec 22 10:05:37 2008 Subject: DCC not working? In-Reply-To: <6630ac6b55060c033b96a6bafe7299f1@localhost> References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> Message-ID: <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> 2008/12/22 : > On Mon, 22 Dec 2008 10:29:16 +0100, "Glenn Steen" > wrote: >> 2008/12/21 traced : >>> Hi, >>> I compiled DCC from sources on a mailscanner testbox, enabled it in the >>> spamassassin prefs file, and spamassassin --lint (-D) doesn't show a >>> failure. But how do I know that DCC works? There are no header >>> changes, and, I don't see anything changed since I installed it. >>> >> Did you make sure the LoadPlugin is uncommented in the *.pre files? >> Do you see a call to it when doing a "MailScanner --debug --debug-sa"? >> >>> Is there a good way to test? Or even to show the DCC headers? >>> Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there >>> are still no headers... >> Headers isn't the thing... You'd see it in the triggered rules... And >> in the debug run;) >> > > Yes, I uncommented it, looks like this now: > loadplugin Mail::SpamAssassin::Plugin::DCC > > and here are some lint lines: > [13376] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC > [13376] dbg: dcc: local tests only, disabling DCC > > I think it should be running. So, is the only chance to see it working > a "real spam" mail coming in? > > Regards, > Bastian A lint doesn't do network tests, and IIRC this is classed as such. So you need to either run the test through MailScanner's debug feature (which will run one batch through, very verbosely, then exit) or by doing "sendmail -t -D < /path/to/a/test/message/in/RFC822/format". Then you should see a call to the dcc application(s) later on in the debug output. You should also see DCC hits. 
If you just now uncommented it, you need to restart MailScanner for it to take effect (so that SA gets loaded). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From traced at xpear.de Mon Dec 22 10:19:59 2008 
From: traced at xpear.de (traced@xpear.de) Date: Mon Dec 22 10:20:07 2008 Subject: DCC not working? In-Reply-To: <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> Message-ID: On Mon, 22 Dec 2008 11:05:27 +0100, "Glenn Steen" wrote: > 2008/12/22 : >> On Mon, 22 Dec 2008 10:29:16 +0100, "Glenn Steen" >> wrote: >>> 2008/12/21 traced : >>>> Hi, >>>> I compiled DCC from sources on a mailscanner testbox, enabled it in the >>>> spamassassin prefs file, and spamassassin --lint (-D) doesnt show a >>>> a failure. But how do I know that DCC works? There are no header >>>> changes, and, I dont see anything changed since I installed it. >>>> >>> Did you make sure the LoadPlugin is uncommented in the *.pre files? >>> Do you see a call to it when doing a "MailScanner --debug --debug-sa"? >>> >>>> Is there a good way to test? Or even to show the DCC headers? >>>> Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there >>>> are still no headers... >>> Headers isn't the thing... You'd see it in the triggered rules... And >>> in the debug run;) >>> >> >> Yes, i uncommented it, looks like this now: >> loadplugin Mail::SpamAssassin::Plugin::DCC >> >> and here are some lint lines: >> [13376] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC >> [13376] dbg: dcc: local tests only, disabling DCC >> >> I think it should be running. So, is the only chance to see it working >> a "real spam" mail coming in? >> >> Regards, >> Bastian > A lint doesn't do network tests, and IIRC this is classed as such. 
So > you need to either run the test through MailScanner's debug feature (which > will run one batch through, very verbosely, then exit) or by doing > "sendmail -t -D < /path/to/a/test/message/in/RFC822/format". Then you > should see a call to the dcc application(s) later on in the debug > output. > You should also see DCC hits. > If you just now uncommented it, you need to restart MailScanner for it to > take effect (so that SA gets loaded). > > Cheers OK, sorry sorry, I've routed some live mailtraffic over to the testbox, and I now can see DCC hits.... :-) In my test there were just not the right spams... Thanks! Bastian From glenn.steen at gmail.com Mon Dec 22 10:30:15 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Dec 22 10:30:26 2008 Subject: DCC not working? In-Reply-To: <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> Message-ID: <223f97700812220230h1197642et4427bfa3d4ccf83e@mail.gmail.com> 2008/12/22 Glenn Steen : > 2008/12/22 : >> On Mon, 22 Dec 2008 10:29:16 +0100, "Glenn Steen" >> wrote: >>> 2008/12/21 traced : >>>> Hi, >>>> I compiled DCC from sources on a mailscanner testbox, enabled it in the >>>> spamassassin prefs file, and spamassassin --lint (-D) doesnt show a >>>> a failure. But how do I know that DCC works? There are no header >>>> changes, and, I dont see anything changed since I installed it. >>>> >>> Did you make sure the LoadPlugin is uncommented in the *.pre files? >>> Do you see a call to it when doing a "MailScanner --debug --debug-sa"? >>> >>>> Is there a good way to test? Or even to show the DCC headers? >>>> Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there >>>> are still no headers... >>> Headers isn't the thing... You'd see it in the triggered rules... And >>> in the debug run;) >>> >> >> Yes, i uncommented it, looks like this now: >> loadplugin Mail::SpamAssassin::Plugin::DCC >> >> and here are some lint lines: >> [13376] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC >> [13376] dbg: dcc: local tests only, disabling DCC >> >> I think it should be running. So, is the only chance to see it working >> a "real spam" mail coming in? >> >> Regards, >> Bastian > A lint doesn't do network tests, and IIRC this is classed as such. 
So > you need either run the test through MailScanners debug feature (which > will run one batch through, very verbosly, then exit) or by doing > "sendmail -t -D < /path/to/a/test/message/in/RFC822/format", Then you Before any nit-picking .... sees this... It should (of course!) be "spamassassin ...", not "sendmail ...". Sigh. I need coffee... and a vacation...:-) > should see a call to the dcc application(s) later on in the debug > output. > You should also see DCC hits. > If you just now uncommented it, you need restart MailScanner for it to > take effect (so that SA get loaded). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Dec 22 10:32:06 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Dec 22 10:32:17 2008 Subject: DCC not working? In-Reply-To: References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> Message-ID: <223f97700812220232y22c96097gecc2710ce628c662@mail.gmail.com> 2008/12/22 : > On Mon, 22 Dec 2008 11:05:27 +0100, "Glenn Steen" > wrote: >> 2008/12/22 : >>> On Mon, 22 Dec 2008 10:29:16 +0100, "Glenn Steen" > >>> wrote: >>>> 2008/12/21 traced : >>>>> Hi, >>>>> I compiled DCC from sources on a mailscanner testbox, enabled it in > the >>>>> spamassassin prefs file, and spamassassin --lint (-D) doesnt show a >>>>> a failure. But how do I know that DCC works? There are no header >>>>> changes, and, I dont see anything changed since I installed it. >>>>> >>>> Did you make sure the LoadPlugin is uncommented in the *.pre files? >>>> Do you see a call to it when doing a "MailScanner --debug --debug-sa"? >>>> >>>>> Is there a good way to test? Or even to show the DCC headers? >>>>> Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there >>>>> are still no headers... >>>> Headers isn't the thing... You'd see it in the triggered rules... And >>>> in the debug run;) >>>> >>> >>> Yes, i uncommented it, looks like this now: >>> loadplugin Mail::SpamAssassin::Plugin::DCC >>> >>> and here are some lint lines: >>> [13376] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from > @INC >>> [13376] dbg: dcc: local tests only, disabling DCC >>> >>> I think it should be running. So, is the only chance to see it working >>> a "real spam" mail coming in? >>> >>> Regards, >>> Bastian >> A lint doesn't do network tests, and IIRC this is classed as such. 
So >> you need to either run the test through MailScanner's debug feature (which >> will run one batch through, very verbosely, then exit) or by doing >> "sendmail -t -D < /path/to/a/test/message/in/RFC822/format". Then you >> should see a call to the dcc application(s) later on in the debug >> output. >> You should also see DCC hits. >> If you just now uncommented it, you need to restart MailScanner for it to >> take effect (so that SA gets loaded). >> >> Cheers > > OK, sorry sorry, I've routed some live mailtraffic over to the testbox, > and I now can see DCC hits.... :-) In my test there were just not the > right spams... > > Thanks! > Bastian Ah good. A lot of info like this is in the wiki (both the MAQ and diverse other places... Use the Search, Luke:-)... You might enjoy a thorough read in there ... http://wiki.mailscanner.info Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From traced at xpear.de Mon Dec 22 10:38:05 2008 
From: traced at xpear.de (traced@xpear.de) Date: Mon Dec 22 10:38:13 2008 Subject: DCC not working? In-Reply-To: <223f97700812220230h1197642et4427bfa3d4ccf83e@mail.gmail.com> References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> <223f97700812220230h1197642et4427bfa3d4ccf83e@mail.gmail.com> Message-ID: <658a6cc539c09cf39e7fd3aa0777ee9c@localhost> On Mon, 22 Dec 2008 11:30:15 +0100, "Glenn Steen" wrote: > 2008/12/22 Glenn Steen : >> 2008/12/22 : >>> On Mon, 22 Dec 2008 10:29:16 +0100, "Glenn Steen" >>> >>> wrote: >>>> 2008/12/21 traced : >>>>> Hi, >>>>> I compiled DCC from sources on a mailscanner testbox, enabled it in >>>>> the >>>>> spamassassin prefs file, and spamassassin --lint (-D) doesnt show a >>>>> a failure. But how do I know that DCC works? There are no header >>>>> changes, and, I dont see anything changed since I installed it. >>>>> >>>> Did you make sure the LoadPlugin is uncommented in the *.pre files? >>>> Do you see a call to it when doing a "MailScanner --debug --debug-sa"? >>>> >>>>> Is there a good way to test? Or even to show the DCC headers? >>>>> Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there >>>>> are still no headers... >>>> Headers isn't the thing... You'd see it in the triggered rules... And >>>> in the debug run;) >>>> >>> >>> Yes, i uncommented it, looks like this now: >>> loadplugin Mail::SpamAssassin::Plugin::DCC >>> >>> and here are some lint lines: >>> [13376] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from >>> @INC >>> [13376] dbg: dcc: local tests only, disabling DCC >>> >>> I think it should be running. So, is the only chance to see it working >>> a "real spam" mail coming in? >>> >>> Regards, >>> Bastian >> A lint doesn't do network tests, and IIRC this is classed as such. 
So >> you need either run the test through MailScanners debug feature (which >> will run one batch through, very verbosly, then exit) or by doing >> "sendmail -t -D < /path/to/a/test/message/in/RFC822/format", Then you > Before any nit-picking .... sees this... It should (of course!) be > "spamassassin ...", not "sendmail ...". Sigh. I need coffee... and a > vacation...:-) > >> should see a call to the dcc application(s) later on in the debug >> output. >> You should also see DCC hits. >> If you just now uncommented it, you need restart MailScanner for it to >> take effect (so that SA get loaded). >> >> Cheers >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se coffee? maybe the best idea for this day ;) *running* From gibbard at chem.fsu.edu Mon Dec 22 14:42:00 2008 
From: gibbard at chem.fsu.edu (Hiram Gibbard) Date: Mon Dec 22 14:42:28 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <60457609-9C01-4EC1-ADCF-3D048F452367@technologytiger.net> References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu> <60457609-9C01-4EC1-ADCF-3D048F452367@technologytiger.net> Message-ID: <494FA738.2050806@chem.fsu.edu> Drew Marshall wrote: > On 18 Dec 2008, at 21:07, Hiram Gibbard wrote: > >> Yes. Thats the problem. I was originally using the ports (which I >> prefer), but since I'm using ClamAV, I was told (From someone on this >> list) to use the latest version of Mailscanner in order to avoid the >> issues I was previously having. I would hack a current mailscanner >> script, but I'm not that good at stuff like that. Do I have any other >> options? >> > > Why don't you hack the port? You will need to edit the Makefile to read > the right version number and edit the distinfo file to reflect the right > version (And change the checksums and file sizes) you should then be > able to make and install as normal (I don't think any of the > dependencies have changed so you should be fine). > > While this is not the elegant solution the JP would create, I have done > this a couple of times quite successfully. > > Drew > OK. I am trying to hack the port. Could you tell me why I would get the supplied errors when running make install in the mailscanner directory: WHAT I DID: changed PORTVERSION= 4.73.4 and left everything else the same. 
Downloaded MailScanner-install-4.73.4-2.tar.gz from mailscanner.info [root@mail1 /usr/ports/mail/mailscanner/files]# md5 MailScanner-install-4.73.4-2.tar.gz MD5 (MailScanner-install-4.73.4-2.tar.gz) = c7590a86e4084891ff2107441f9b5fdc pasted the following into the distinfo file: MD5 (MailScanner-install-4.73.4-2.tar.gz) = c7590a86e4084891ff2107441f9b5fdc also did ls -al on the download file: -rw-r--r-- 1 root 100 8399013 Dec 1 10:48 MailScanner-install-4.73.4-2.tar.gz pasted SIZE (MailScanner-install-4.73.4-2.tar.gz) = 8399013 into distfile. ran make install to get the following: [root@mail1 /usr/ports/mail/mailscanner]# make install ===> Vulnerability check disabled, database not found ===> Found saved configuration for MailScanner-4.73.4_3 => MailScanner-install-4.73.4-1.tar.gz is not in /usr/ports/mail/mailscanner/distinfo. => Either /usr/ports/mail/mailscanner/distinfo is out of date, or => MailScanner-install-4.73.4-1.tar.gz is spelled incorrectly. *** Error code 1 Stop in /usr/ports/mail/mailscanner. *** Error code 1 Stop in /usr/ports/mail/mailscanner. [root@mail1 /usr/ports/mail/mailscanner] Why is it asking for MailScanner-install-4.73.4-1.tar.gz instead of MailScanner-install-4.73.4-2.tar.gz, which is what I put in there? Thanks > -- > In line with our policy, this message has been scanned for viruses and > dangerous content by Technology Tiger's Mail Launder system > > Our email policy can be found at www.technologytiger.net/policy > > Technology Tiger Limited is registered in Scotland with registration > number: 310997 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > > -- MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> -- -------------------------------------------- Hiram Gibbard Florida State University Computer Support Department of Chemistry Phone: 850.644.3004 Fax: 850.644.8281 URL: http://www.chem.fsu.edu/~gibbard -------------------------------------------- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew.marshall at technologytiger.net Mon Dec 22 15:10:09 2008 
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Mon Dec 22 15:10:27 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <494FA738.2050806@chem.fsu.edu> References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu> <60457609-9C01-4EC1-ADCF-3D048F452367@technologytiger.net> <494FA738.2050806@chem.fsu.edu> Message-ID: <3E2167F7-A5F0-4EBE-A37D-8C90F98E0A0C@technologytiger.net> On 22 Dec 2008, at 14:42, Hiram Gibbard wrote: > > > Drew Marshall wrote: >> On 18 Dec 2008, at 21:07, Hiram Gibbard wrote: >>> Yes. Thats the problem. I was originally using the ports (which I >>> prefer), but since I'm using ClamAV, I was told (From someone on >>> this list) to use the latest version of Mailscanner in order to >>> avoid the issues I was previously having. I would hack a current >>> mailscanner script, but I'm not that good at stuff like that. Do I >>> have any other options? >>> >> Why don't you hack the port? You will need to edit the Makefile to >> read the right version number and edit the distinfo file to reflect >> the right version (And change the checksums and file sizes) you >> should then be able to make and install as normal (I don't think >> any of the dependencies have changed so you should be fine). >> While this is not the elegant solution the JP would create, I have >> done this a couple of times quite successfully. >> Drew > > > OK. I am trying to hack the port. Could you tell me why I would get > the supplied errors when running make install in the mailscanner > directory: > > WHAT I DID: > changed PORTVERSION= 4.73.4 and left everything else the same. 
> Downloaded MailScanner-install-4.73.4-2.tar.gz from mailscanner.info > > [root@mail1 /usr/ports/mail/mailscanner/files]# md5 MailScanner-install-4.73.4-2.tar.gz > MD5 (MailScanner-install-4.73.4-2.tar.gz) = > c7590a86e4084891ff2107441f9b5fdc > > pasted the following into the distinfo file: > MD5 (MailScanner-install-4.73.4-2.tar.gz) = > c7590a86e4084891ff2107441f9b5fdc > > also did ls -al on the download file: > -rw-r--r-- 1 root 100 8399013 Dec 1 10:48 MailScanner-install-4.73.4-2.tar.gz > > pasted SIZE (MailScanner-install-4.73.4-2.tar.gz) = 8399013 into > distfile. > > ran make install to get the following: > > > [root@mail1 /usr/ports/mail/mailscanner]# make install > ===> Vulnerability check disabled, database not found > ===> Found saved configuration for MailScanner-4.73.4_3 > => MailScanner-install-4.73.4-1.tar.gz is not in /usr/ports/mail/mailscanner/distinfo. > => Either /usr/ports/mail/mailscanner/distinfo is out of date, or > => MailScanner-install-4.73.4-1.tar.gz is spelled incorrectly. > *** Error code 1 > > Stop in /usr/ports/mail/mailscanner. > *** Error code 1 > > Stop in /usr/ports/mail/mailscanner. > [root@mail1 /usr/ports/mail/mailscanner] > > why is it asking for MailScanner-install-4.73.4-1.tar.gz instead of > MailScanner-install-4.73.4-2.tar.gz, which is what I put in there. > > Thanks Have a look in Makefile and change PORTVERSION from 1 to 2, that should then work. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From gibbard at chem.fsu.edu Mon Dec 22 15:16:26 2008 
From: gibbard at chem.fsu.edu (Hiram Gibbard) Date: Mon Dec 22 15:16:45 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <3E2167F7-A5F0-4EBE-A37D-8C90F98E0A0C@technologytiger.net> References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu> <60457609-9C01-4EC1-ADCF-3D048F452367@technologytiger.net> <494FA738.2050806@chem.fsu.edu> <3E2167F7-A5F0-4EBE-A37D-8C90F98E0A0C@technologytiger.net> Message-ID: <494FAF4A.7060200@chem.fsu.edu> same thing. i tried it with PORTREVISION= 1 with 2 and the original val was 3 and that all yielded the same results. Drew Marshall wrote: > On 22 Dec 2008, at 14:42, Hiram Gibbard wrote: > >> >> >> Drew Marshall wrote: >>> On 18 Dec 2008, at 21:07, Hiram Gibbard wrote: >>>> Yes. Thats the problem. I was originally using the ports (which I >>>> prefer), but since I'm using ClamAV, I was told (From someone on >>>> this list) to use the latest version of Mailscanner in order to >>>> avoid the issues I was previously having. I would hack a current >>>> mailscanner script, but I'm not that good at stuff like that. Do I >>>> have any other options? >>>> >>> Why don't you hack the port? You will need to edit the Makefile to >>> read the right version number and edit the distinfo file to reflect >>> the right version (And change the checksums and file sizes) you >>> should then be able to make and install as normal (I don't think any >>> of the dependencies have changed so you should be fine). >>> While this is not the elegant solution the JP would create, I have >>> done this a couple of times quite successfully. >>> Drew >> >> >> OK. I am trying to hack the port. Could you tell me why I would get >> the supplied errors when running make install in the mailscanner >> directory: >> >> WHAT I DID: >> changed PORTVERSION= 4.73.4 and left everything else the same. 
>> Downloaded MailScanner-install-4.73.4-2.tar.gz from mailscanner.info >> >> [root@mail1 /usr/ports/mail/mailscanner/files]# md5 >> MailScanner-install-4.73.4-2.tar.gz >> MD5 (MailScanner-install-4.73.4-2.tar.gz) = >> c7590a86e4084891ff2107441f9b5fdc >> >> pasted the following into the distinfo file" >> MD5 (MailScanner-install-4.73.4-2.tar.gz) = >> c7590a86e4084891ff2107441f9b5fdc >> >> also did ls -al on the download file: >> -rw-r--r-- 1 root 100 8399013 Dec 1 10:48 >> MailScanner-install-4.73.4-2.tar.gz >> >> pasted SIZE (MailScanner-install-4.73.4-2.tar.gz) = 8399013 into >> distfile. >> >> ran make install to get the following: >> >> >> [root@mail1 /usr/ports/mail/mailscanner]# make install >> ===> Vulnerability check disabled, database not found >> ===> Found saved configuration for MailScanner-4.73.4_3 >> => MailScanner-install-4.73.4-1.tar.gz is not in >> /usr/ports/mail/mailscanner/distinfo. >> => Either /usr/ports/mail/mailscanner/distinfo is out of date, or >> => MailScanner-install-4.73.4-1.tar.gz is spelled incorrectly. >> *** Error code 1 >> >> Stop in /usr/ports/mail/mailscanner. >> *** Error code 1 >> >> Stop in /usr/ports/mail/mailscanner. >> [root@mail1 /usr/ports/mail/mailscanner] >> >> why is it asking for MailScanner-install-4.73.4-1.tar.gz instead of >> MailScanner-install-4.73.4-2.tar.gz, which is what I put in there. >> >> Thanks > > Have a look in Makefile and change PORTVERSION from1 to 2 that should > then work. 
> > Drew > -- -------------------------------------------- Hiram Gibbard Florida State University Computer Support Department of Chemistry Phone: 850.644.3004 Fax: 850.644.8281 URL: http://www.chem.fsu.edu/~gibbard -------------------------------------------- From gibbard at chem.fsu.edu Mon Dec 22 15:19:27 2008 
From: gibbard at chem.fsu.edu (Hiram Gibbard) Date: Mon Dec 22 15:19:57 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <3E2167F7-A5F0-4EBE-A37D-8C90F98E0A0C@technologytiger.net> References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu> <60457609-9C01-4EC1-ADCF-3D048F452367@technologytiger.net> <494FA738.2050806@chem.fsu.edu> <3E2167F7-A5F0-4EBE-A37D-8C90F98E0A0C@technologytiger.net> Message-ID: <494FAFFF.1030509@chem.fsu.edu> Drew Marshall wrote: > On 22 Dec 2008, at 14:42, Hiram Gibbard wrote: > >> >> >> Drew Marshall wrote: >>> On 18 Dec 2008, at 21:07, Hiram Gibbard wrote: >>>> Yes. Thats the problem. I was originally using the ports (which I >>>> prefer), but since I'm using ClamAV, I was told (From someone on >>>> this list) to use the latest version of Mailscanner in order to >>>> avoid the issues I was previously having. I would hack a current >>>> mailscanner script, but I'm not that good at stuff like that. Do I >>>> have any other options? >>>> >>> Why don't you hack the port? You will need to edit the Makefile to >>> read the right version number and edit the distinfo file to reflect >>> the right version (And change the checksums and file sizes) you >>> should then be able to make and install as normal (I don't think any >>> of the dependencies have changed so you should be fine). >>> While this is not the elegant solution the JP would create, I have >>> done this a couple of times quite successfully. >>> Drew >> >> >> OK. I am trying to hack the port. Could you tell me why I would get >> the supplied errors when running make install in the mailscanner >> directory: >> >> WHAT I DID: >> changed PORTVERSION= 4.73.4 and left everything else the same. 
>> Downloaded MailScanner-install-4.73.4-2.tar.gz from mailscanner.info >> >> [root@mail1 /usr/ports/mail/mailscanner/files]# md5 >> MailScanner-install-4.73.4-2.tar.gz >> MD5 (MailScanner-install-4.73.4-2.tar.gz) = >> c7590a86e4084891ff2107441f9b5fdc >> >> pasted the following into the distinfo file" >> MD5 (MailScanner-install-4.73.4-2.tar.gz) = >> c7590a86e4084891ff2107441f9b5fdc >> >> also did ls -al on the download file: >> -rw-r--r-- 1 root 100 8399013 Dec 1 10:48 >> MailScanner-install-4.73.4-2.tar.gz >> >> pasted SIZE (MailScanner-install-4.73.4-2.tar.gz) = 8399013 into >> distfile. >> >> ran make install to get the following: >> >> >> [root@mail1 /usr/ports/mail/mailscanner]# make install >> ===> Vulnerability check disabled, database not found >> ===> Found saved configuration for MailScanner-4.73.4_3 >> => MailScanner-install-4.73.4-1.tar.gz is not in >> /usr/ports/mail/mailscanner/distinfo. >> => Either /usr/ports/mail/mailscanner/distinfo is out of date, or >> => MailScanner-install-4.73.4-1.tar.gz is spelled incorrectly. >> *** Error code 1 >> >> Stop in /usr/ports/mail/mailscanner. >> *** Error code 1 >> >> Stop in /usr/ports/mail/mailscanner. >> [root@mail1 /usr/ports/mail/mailscanner] >> >> why is it asking for MailScanner-install-4.73.4-1.tar.gz instead of >> MailScanner-install-4.73.4-2.tar.gz, which is what I put in there. >> >> Thanks > > Have a look in Makefile and change PORTVERSION from1 to 2 that should > then work. > > Drew oops, sorry. i top posted last time, retry: Same thing. i tried it with PORTREVISION= 1 with 2 and the original val was 3 and that all yielded the same results. 
Hiram -- -------------------------------------------- Hiram Gibbard Florida State University Computer Support Department of Chemistry Phone: 850.644.3004 Fax: 850.644.8281 URL: http://www.chem.fsu.edu/~gibbard -------------------------------------------- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew.marshall at technologytiger.net Mon Dec 22 16:00:56 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Mon Dec 22 16:01:11 2008
Subject: Mailscanner.rc start up script file location
In-Reply-To: <494FAFFF.1030509@chem.fsu.edu>
References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu> <60457609-9C01-4EC1-ADCF-3D048F452367@technologytiger.net> <494FA738.2050806@chem.fsu.edu> <3E2167F7-A5F0-4EBE-A37D-8C90F98E0A0C@technologytiger.net> <494FAFFF.1030509@chem.fsu.edu>
Message-ID:

On 22 Dec 2008, at 15:19, Hiram Gibbard wrote:

>
> oops, sorry. i top posted last time, retry:
>
> Same thing. i tried it with PORTREVISION= 1 with 2 and the
> original val was 3 and that all yielded the same results.
>
> Hiram

Oops, my bad (Told you I was not as good as JP!).

Look in the Makefile and find the PATCHLEVEL= line. Make this 2 (This
will give you 4.73.4-2) and comment out the PORTVERSION line as there is
not a second port version of this file (Which would give you a build of
4.74.4-2_2)

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by Technology Tiger's Mail Launder system

Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From gibbard at chem.fsu.edu Mon Dec 22 16:44:51 2008
From: gibbard at chem.fsu.edu (Hiram Gibbard)
Date: Mon Dec 22 16:45:38 2008
Subject: Mailscanner.rc start up script file location
In-Reply-To:
References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> <494ABB8A.9070201@chem.fsu.edu> <60457609-9C01-4EC1-ADCF-3D048F452367@technologytiger.net> <494FA738.2050806@chem.fsu.edu> <3E2167F7-A5F0-4EBE-A37D-8C90F98E0A0C@technologytiger.net> <494FAFFF.1030509@chem.fsu.edu>
Message-ID: <494FC403.9090902@chem.fsu.edu>

Drew Marshall wrote:
> On 22 Dec 2008, at 15:19, Hiram Gibbard wrote:
>
>>
>> oops, sorry. i top posted last time, retry:
>>
>> Same thing. i tried it with PORTREVISION= 1 with 2 and the original
>> val was 3 and that all yielded the same results.
>>
>> Hiram
>
> Oops, my bad (Told you I was not as good as JP!).
>
> Look in the Makefile and find the PATCHLEVEL= line. Make this 2 (This
> will give you 4.73.4-2) and comment out the PORTVERSION line as there is
> not a second port version of this file (Which would give you a build of
> 4.74.4-2_2)
>
> Drew

This worked! Thank you Drew.

--
--------------------------------------------
Hiram Gibbard
Florida State University
Computer Support
Department of Chemistry
Phone: 850.644.3004
Fax: 850.644.8281
URL: http://www.chem.fsu.edu/~gibbard
--------------------------------------------

From c.granisso at dnshosting.it Mon Dec 22 16:55:30 2008
From: c.granisso at dnshosting.it (Carlo Granisso)
Date: Mon Dec 22 16:55:33 2008
Subject: Timeout problem: "Disabled due to 20 consecutive"
Message-ID: <200812221655.mBMGtMSQ009248@safir.blacknight.ie>

Hello, I've problem mentioned in the object of this mail.
Many mails are not checked due to this message received by SpamAssassin.
We haven't modified MailScanner or SpamAssassin configuration.

Is there a problem with some external blacklist timeout?

====================================================================
Spam Report: Score Matching Rule Description
timeouts Disabled due to 20 consecutive
====================================================================

Thanks,

Carlo

From MailScanner at ecs.soton.ac.uk Mon Dec 22 17:18:08 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Dec 22 17:18:27 2008 Subject: Timeout problem: "Disabled due to 20 consecutive" In-Reply-To: <200812221655.mBMGtMSQ009248@safir.blacknight.ie> References: <200812221655.mBMGtMSQ009248@safir.blacknight.ie> Message-ID: <494FCBD0.6070407@ecs.soton.ac.uk> Something is making your SpamAssassin time out. Get a message or two in your incoming queue, then MailScanner --debug --sa-debug and look to see where the long pauses in output are. That will tell you what is failing. On 22/12/08 16:55, Carlo Granisso wrote: > Hello, I've problem mentioned in the object of this mail. > Many mails are not checked due to this message received by SpamAssassin. > We haven't modified MailScanner o SpamAssassin configuration. > > Is there a problem with some external blacklist timeout? > > ==================================================================== > Spam Report: Score Matching Rule Description > timeouts Disabled due to 20 consecutive > ==================================================================== > > > Thanks, > > > Carlo > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Mon Dec 22 19:37:12 2008 
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec 22 19:37:34 2008
Subject: Spam from hotmail,yahoo and live.com getting throught
In-Reply-To:
References: <1229687488.23267.54.camel@darkstar.netcore.co.in> <1229691311.23267.72.camel@darkstar.netcore.co.in>
Message-ID:

on 12-20-2008 1:47 AM JC Putter spake the following:
> How can i setup mailscanner to do those URI,DNS blacklist checks???
>
> That is what i need,
>
> Thank you very much for the reply...
>
Here are some rules you can add to spam.assassin.prefs.conf. Some of them are
quite old, but you can play with them;

header RCVD_IN_PSBL eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_1 eval:check_rbl('UCE_PFSM_1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCE_PFSM_1 Received via a relay in UCE_PFSM_1
tflags RCVD_IN_UCE_PFSM_1 net
score RCVD_IN_UCE_PFSM_1 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_2 eval:check_rbl('UCE_PFSM_2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCE_PFSM_2 Received via a relay in UCE_PFSM_2
tflags RCVD_IN_UCE_PFSM_2 net
score RCVD_IN_UCE_PFSM_2 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_3 eval:check_rbl('UCE_PFSM_3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCE_PFSM_3 Received via a relay in UCE_PFSM_3
tflags RCVD_IN_UCE_PFSM_3 net
score RCVD_IN_UCE_PFSM_3 0 2.50 0 2.50

header DNS_FROM_MPBULK_RHSBL eval:check_rbl_from_host('mprhs', 'bulk.rhs.mailpolice.com.')
describe DNS_FROM_MPBULK_RHSBL From: sender listed in bulk.rhs.mailpolice.com
tflags DNS_FROM_MPBULK_RHSBL net
score DNS_FROM_MPBULK_RHSBL 2.0

urirhsbl URIBL_BULK_MPRHS bulk.rhs.mailpolice.com. A
body URIBL_BULK_MPRHS eval:check_uridnsbl('URIBL_BULK_MPRHS')
describe URIBL_BULK_MPRHS Contains a URL listed in the MailPolice bulk senders list
tflags URIBL_BULK_MPRHS net
score URIBL_BULK_MPRHS 2.0

urirhsbl URIBL_PORN_MPRHS porn.rhs.mailpolice.com. A
body URIBL_PORN_MPRHS eval:check_uridnsbl('URIBL_PORN_MPRHS')
describe URIBL_PORN_MPRHS Contains a URL listed in the MailPolice porn domains list
tflags URIBL_PORN_MPRHS net
score URIBL_PORN_MPRHS 2.0

urirhsbl URIBL_FRAUD_MPRHS fraud.rhs.mailpolice.com. A
body URIBL_FRAUD_MPRHS eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
describe URIBL_FRAUD_MPRHS Contains a URL listed in the MailPolice fraud domains list
tflags URIBL_FRAUD_MPRHS net
score URIBL_FRAUD_MPRHS 2.0

header RCVD_IN_SPAMCANNIBAL eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
describe RCVD_IN_SPAMCANNIBAL Received via a relay in SpamCannibal
tflags RCVD_IN_SPAMCANNIBAL net
score RCVD_IN_SPAMCANNIBAL 0 1.50 0 1.50

header RCVD_IN_MSRBL eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
describe RCVD_IN_MSRBL Received via a relay in MSRBL
tflags RCVD_IN_MSRBL net
score RCVD_IN_MSRBL 0 1.50 0 1.50

header RCVD_IN_BACKSCATTER eval:check_rbl('msrbl', 'ips.backscatterer.org.')
describe RCVD_IN_BACKSCATTER Received via a relay in Backscatter.org
tflags RCVD_IN_BACKSCATTER net
score RCVD_IN_BACKSCATTER 0 1.50 0 1.50

#---added 8/1/2006 to combat image spam
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 2.0

#---added 01/03/2007 to add scores based on country
header __RCVD_IN_NERDS eval:check_rbl('nerds','zz.countries.nerd.dk.')
describe __RCVD_IN_NERDS Received from a spam country
tflags __RCVD_IN_NERDS net

header RCVD_IN_NERDS_CN eval:check_rbl_sub('nerds','127.0.0.156')
describe RCVD_IN_NERDS_CN Received from China
tflags RCVD_IN_NERDS_CN net
score RCVD_IN_NERDS_CN 2.0

header RCVD_IN_NERDS_KR eval:check_rbl_sub('nerds','127.0.0.154')
describe RCVD_IN_NERDS_KR Received from South Korea
tflags RCVD_IN_NERDS_KR net
score RCVD_IN_NERDS_KR 2.0

#added 11/27/2007 as a spam test
#Many of the spams originating from hotmail addresses here have a
#Reply-To: address in a yahoo domain.
header __HC_FROM_HOTMAIL From =~ /\@hotmail\./
describe __HC_FROM_HOTMAIL email From hotmail user
header __HC_REPLY_YAHOO Reply-To =~ /\@yahoo\./
describe __HC_REPLY_YAHOO Reply-To yahoo user
meta HC_HOTMAIL_YAHOO ( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO)
describe HC_HOTMAIL_YAHOO From hotmail, reply to Yahoo
score HC_HOTMAIL_YAHOO 20

add_header all Relay-Country _RELAYCOUNTRY_

#Added 12/02/2008 hostkarma tests
header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 3.5

header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 1.0
#Added 12/02/2008 hostkarma tests

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081222/f2981f68/signature.bin

From ssilva at sgvwater.com Mon Dec 22 19:55:14 2008
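How the check_rbl and check_rbl_sub rules in the message above turn a relay address into DNS queries and scores, as an added Python example that is not part of the thread and not SpamAssassin's own code. The rule names, zones, sub-test codes and scores come from the post; evaluate_relay, make_resolver, the resolver interface, the sample answers and the "suspect" check for answers outside 127.0.0.0/8 are assumptions of this example.

```python
import ipaddress

# (rule, zone, sub-test A record or None for "any listing", score)
# Values are copied from the rules in the post. Where the post gives four
# scores ("0 1.50 0 1.50") the second one, used when network tests are on and
# Bayes is off, is taken. The post writes zones with a trailing dot; it is
# dropped here and re-normalised in dnsbl_query_name().
RULES = [
    ("RCVD_IN_PSBL", "psbl.surriel.com", None, 1.5),
    ("RCVD_IN_JMF_W", "hostkarma.junkemailfilter.com", "127.0.0.1", -5.0),
    ("RCVD_IN_JMF_BL", "hostkarma.junkemailfilter.com", "127.0.0.2", 3.5),
    ("RCVD_IN_JMF_BR", "hostkarma.junkemailfilter.com", "127.0.0.4", 1.0),
]

# By convention a DNSBL answers with addresses inside 127.0.0.0/8.
DNSBL_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: reversed address + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6 lists use reversed nibbles, the same layout as ip6.arpa.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".")


def evaluate_relay(ip, resolver, rules=RULES):
    """Score one relay address against the rule table.

    resolver(name) is supplied by the caller (an assumption of this example):
    it returns a set of A-record strings, an empty set when the name does not
    exist, and raises TimeoutError when the list does not answer in time.
    """
    result = {"hits": [], "score": 0.0, "timed_out": [], "suspect": []}
    cache = {}
    for rule, zone, subtest, score in rules:
        if zone not in cache:
            # One query per zone; sub-tests reuse the answer, which is what
            # sharing a set name between check_rbl and check_rbl_sub expresses.
            try:
                answers = set(resolver(dnsbl_query_name(ip, zone)))
            except TimeoutError:
                # A list that does not answer costs time and yields no hit.
                result["timed_out"].append(zone)
                answers = set()
            valid = {a for a in answers
                     if ipaddress.ip_address(a) in DNSBL_ANSWER_NET}
            if valid != answers:
                # Answers outside 127.0.0.0/8 usually mean a wildcarded or
                # re-registered zone, so they are reported and never scored.
                result["suspect"].append(zone)
            cache[zone] = valid
        valid = cache[zone]
        if (subtest is None and valid) or subtest in valid:
            result["hits"].append(rule)
            result["score"] += score
    return result


def make_resolver(answers, dead_zones=()):
    """Offline stand-in for DNS built from constructed data."""
    def resolver(name):
        if any(name.endswith("." + zone) for zone in dead_zones):
            raise TimeoutError(name)
        return answers.get(name, set())
    return resolver


# Constructed sample data: 192.0.2.10 is a documentation address and these
# answers are invented for the demo, not real listings.
SAMPLE_ANSWERS = {
    "10.2.0.192.psbl.surriel.com": {"127.0.0.2"},
    "10.2.0.192.hostkarma.junkemailfilter.com": {"127.0.0.2"},
}

if __name__ == "__main__":
    print(evaluate_relay("192.0.2.10", make_resolver(SAMPLE_ANSWERS)))
    print(evaluate_relay("192.0.2.10",
                         make_resolver(SAMPLE_ANSWERS,
                                       dead_zones=["psbl.surriel.com"])))
    parked = make_resolver({k: {"203.0.113.7"} for k in SAMPLE_ANSWERS})
    print(evaluate_relay("192.0.2.10", parked))
```

The second and third runs show the two ways an old list goes wrong: it stops answering, or it starts answering for every name.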
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Dec 22 19:55:40 2008 Subject: DCC not working? In-Reply-To: <223f97700812220232y22c96097gecc2710ce628c662@mail.gmail.com> References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> <223f97700812220232y22c96097gecc2710ce628c662@mail.gmail.com> Message-ID: on 12-22-2008 2:32 AM Glenn Steen spake the following: > 2008/12/22 : >> On Mon, 22 Dec 2008 11:05:27 +0100, "Glenn Steen" >> wrote: >>> 2008/12/22 : >>>> On Mon, 22 Dec 2008 10:29:16 +0100, "Glenn Steen" >> >>>> wrote: >>>>> 2008/12/21 traced : >>>>>> Hi, >>>>>> I compiled DCC from sources on a mailscanner testbox, enabled it in >> the >>>>>> spamassassin prefs file, and spamassassin --lint (-D) doesnt show a >>>>>> a failure. But how do I know that DCC works? There are no header >>>>>> changes, and, I dont see anything changed since I installed it. >>>>>> >>>>> Did you make sure the LoadPlugin is uncommented in the *.pre files? >>>>> Do you see a call to it when doing a "MailScanner --debug --debug-sa"? >>>>> >>>>>> Is there a good way to test? Or even to show the DCC headers? >>>>>> Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there >>>>>> are still no headers... >>>>> Headers isn't the thing... You'd see it in the triggered rules... And >>>>> in the debug run;) >>>>> >>>> Yes, i uncommented it, looks like this now: >>>> loadplugin Mail::SpamAssassin::Plugin::DCC >>>> >>>> and here are some lint lines: >>>> [13376] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from >> @INC >>>> [13376] dbg: dcc: local tests only, disabling DCC >>>> >>>> I think it should be running. So, is the only chance to see it working >>>> a "real spam" mail coming in? >>>> >>>> Regards, >>>> Bastian >>> A lint doesn't do network tests, and IIRC this is classed as such. 
So >>> you need either run the test through MailScanners debug feature (which >>> will run one batch through, very verbosely, then exit) or by doing >>> "sendmail -t -D < /path/to/a/test/message/in/RFC822/format", Then you >>> should see a call to the dcc application(s) later on in the debug >>> output. >>> You should also see DCC hits. >>> If you just now uncommented it, you need restart MailScanner for it to >>> take effect (so that SA get loaded). >>> >>> Cheers >> OK, sorry sorry, I've routed some live mailtraffic over to the testbox, >> and I now can see DCC hits.... :-) In my test there were just not the >> right spams... >> >> Thanks! >> Bastian > Ah good. A lot of info like this is in the wiki (both the MAQ and > diverse other places... Use the Search, Luke:-)... You might enjoy a > thorough read in there ... http://wiki.mailscanner.info > Listen to Glenn. The filter is strong with this one! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081222/8b850818/signature.bin From jcputter at numata.co.za Tue Dec 23 06:52:18 2008 From: jcputter at numata.co.za (JC Putter) Date: Tue Dec 23 06:52:59 2008 Subject: Spam from hotmail,yahoo and live.com getting throught In-Reply-To: References: <1229687488.23267.54.camel@darkstar.netcore.co.in> <1229691311.23267.72.camel@darkstar.netcore.co.in> Message-ID: Thank you very much, really!!! -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: 22 December 2008 09:37 PM To: mailscanner@lists.mailscanner.info Subject: Re: Spam from hotmail,yahoo and live.com getting throught This message has been scanned by Nexus Mail Gateway From traced at xpear.de Tue Dec 23 08:48:25 2008
From: traced at xpear.de (traced) Date: Tue Dec 23 08:48:35 2008 Subject: DCC not working? In-Reply-To: References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> <223f97700812220232y22c96097gecc2710ce628c662@mail.gmail.com> Message-ID: <4950A5D9.7050306@xpear.de> Scott Silva schrieb: > on 12-22-2008 2:32 AM Glenn Steen spake the following: >> 2008/12/22 : >>> On Mon, 22 Dec 2008 11:05:27 +0100, "Glenn Steen" >>> wrote: >>>> 2008/12/22 : >>>>> On Mon, 22 Dec 2008 10:29:16 +0100, "Glenn Steen" >>> >>>>> wrote: >>>>>> 2008/12/21 traced : >>>>>>> Hi, >>>>>>> I compiled DCC from sources on a mailscanner testbox, enabled it in >>> the >>>>>>> spamassassin prefs file, and spamassassin --lint (-D) doesnt show a >>>>>>> a failure. But how do I know that DCC works? There are no header >>>>>>> changes, and, I dont see anything changed since I installed it. >>>>>>> >>>>>> Did you make sure the LoadPlugin is uncommented in the *.pre files? >>>>>> Do you see a call to it when doing a "MailScanner --debug --debug-sa"? >>>>>> >>>>>>> Is there a good way to test? Or even to show the DCC headers? >>>>>>> Adding "add_header all DCC _DCCB_: _DCCR_" made no change, there >>>>>>> are still no headers... >>>>>> Headers isn't the thing... You'd see it in the triggered rules... And >>>>>> in the debug run;) >>>>>> >>>>> Yes, i uncommented it, looks like this now: >>>>> loadplugin Mail::SpamAssassin::Plugin::DCC >>>>> >>>>> and here are some lint lines: >>>>> [13376] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from >>> @INC >>>>> [13376] dbg: dcc: local tests only, disabling DCC >>>>> >>>>> I think it should be running. So, is the only chance to see it working >>>>> a "real spam" mail coming in? >>>>> >>>>> Regards, >>>>> Bastian >>>> A lint doesn't do network tests, and IIRC this is classed as such. 
So >>>> you need either run the test through MailScanners debug feature (which >>>> will run one batch through, very verbosely, then exit) or by doing >>>> "sendmail -t -D < /path/to/a/test/message/in/RFC822/format", Then you >>>> should see a call to the dcc application(s) later on in the debug >>>> output. >>>> You should also see DCC hits. >>>> If you just now uncommented it, you need restart MailScanner for it to >>>> take effect (so that SA get loaded). >>>> >>>> Cheers >>> OK, sorry sorry, I've routed some live mailtraffic over to the testbox, >>> and I now can see DCC hits.... :-) In my test there were just not the >>> right spams... >>> >>> Thanks! >>> Bastian >> Ah good. A lot of info like this is in the wiki (both the MAQ and >> diverse other places... Use the Search, Luke:-)... You might enjoy a >> thorough read in there ... http://wiki.mailscanner.info >> > Listen to Glenn. The filter is strong with this one! > Hi Scott, what do you mean with your answer above? Thanks, Bastian From jan-peter at koopmann.eu Tue Dec 23 13:16:03 2008 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Dec 23 13:16:34 2008 Subject: Mailscanner.rc start up script file location In-Reply-To: <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> References: <494A76F5.9000506@chem.fsu.edu> <72cf361e0812181207x2dbd4195s882aace803fd0693@mail.gmail.com> Message-ID: > Yeah but the port's really 'old' (relatively) ----- JP hint hint, you > don't need Christmas day off ;-) It's Christmas??? That would explain the crowded cities. :-) I will see what I can do... Or better: When I can do it... :-) Regards, JP From mark at msapiro.net Tue Dec 23 15:20:11 2008
From: mark at msapiro.net (Mark Sapiro) Date: Tue Dec 23 15:20:23 2008 Subject: DCC not working? In-Reply-To: <4950A5D9.7050306@xpear.de> References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> <223f97700812220232y22c96097gecc2710ce628c662@mail.gmail.com> <4950A5D9.7050306@xpear.de> Message-ID: <20081223152011.GA1056@msapiro> On Tue, Dec 23, 2008 at 09:48:25AM +0100, traced wrote: > Scott Silva schrieb: > >on 12-22-2008 2:32 AM Glenn Steen spake the following: > >>Ah good. A lot of info like this is in the wiki (both the MAQ and > >>diverse other places... Use the Search, Luke:-)... You might enjoy a > >>thorough read in there ... http://wiki.mailscanner.info > >> > >Listen to Glenn. The filter is strong with this one! > > > > Hi Scott, > whats do you mean with your answer above? > > Thanks, > Bastian They are references to the Star Wars movies. Use the Search, Luke <- Use the Source, Luke <- Use the Force, Luke The filter (Force) is strong with this one -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From campbell at cnpapers.com Tue Dec 23 15:36:24 2008 
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Dec 23 15:36:38 2008
Subject: Spamassassin timeouts - Just an observation
Message-ID: <49510578.6050801@cnpapers.com>

The topic seems to come up quite often, and although the answers are usually pretty much the same, I never really see much of a "Solved" reply.

I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to 4.71, and saw an immediate increase to around 100-300 timeouts. I ran all of the --debug and --debug-sa flavors of help I could think of. I reviewed the logs. I run a caching nameserver. And I zeroed out some RBL scores. I still have yet to find why this happens. I eventually upgraded to 4.72, and started using clamd. I still get the large numbers of timeouts. I would think that the fact that this doesn't happen with all of my large batches indicates I'm not using any dead RBLs.

I'm still exploring the causes, but haven't had much luck. I find it odd that SA would really keep RBLs that have expired over time in their default files, so I really don't think it's that. I do all of my checking of RBLs in SA. I always do my configuration and language upgrades, and search for rpmnew and rpmsave files. This has happened on 3 different but very similar servers that I run.

I'm not really asking for assistance here, but just wanted to let others who are seeing this problem to be aware that there is something unique triggering this. I'm fairly confident that it is not happening at all sites, but something here is causing it. It may not even be related to MS/SA, but totally something else.

The most I could ask for is a small checklist of what to ensure I have set. Every time I try to use the debug procedures, the tests perform flawlessly with no errors. It is very sporadic. We receive those normal bursts of spam, but for the most part, the batches are small. The average amount of email per day is usually around 10k emails, but I get the above stated 100-300 timeouts. I'm going to try and match batch numbers to timeouts and see if this will reveal anything. I only run 3 Children on a fairly hefty Dell PowerEdge, but I do use 30 messages per child. I don't think this is excessive though.

Hope everyone has a Happy Holiday.

Steve Campbell

From campbell at cnpapers.com Tue Dec 23 16:45:16 2008
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Dec 23 16:45:34 2008 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <49510578.6050801@cnpapers.com> References: <49510578.6050801@cnpapers.com> Message-ID: <4951159C.2080806@cnpapers.com> BTW - I've been gone a few weeks, and was just reading my email from that time. I do not want to imply that NOBODY EVER ANSWERS QUESTION ON THIS LIST. My reference to the "Solved" line just meant there has never been a definitive resolution for me. The spamassassin timeout problem has been fixed for quite a few people it appears. I am guessing that sendmail configs, mimeDefang, and a lot of other variables could be causing this. Please don't misunderstand my prior post. I'm all for this mailing list, it's great. I just don't want to start another thread like the "NOBODY" one. steve Steve Campbell wrote: > The topic seems to come up quite often, and although the answers are > usually pretty much the same, I never really see much of a "Solved" > reply. > > I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to > 4.71, and saw an immediate increase to around 100-300 timeouts. I ran > all of the --debug and --debug-sa flavors of help I could think of. I > reviewed the logs. I run a caching nameserver. And I zeroed out some > RBL scores. I still have yet to find why this happens. I eventually > upgraded to 4.72, and started using clamd. I still get the large > numbers of timeouts. I would think that the fact that this doesn't > happen with all of my large batches indicates I'm not using any dead > RBLs. > > I'm still exploring the causes, but haven't had much luck. I find it > odd that SA would really keep RBLs that have expired over time in > their default files, so I really don't think it's that. I do all of my > checking of RBLs in SA. I always do my configuration and language > upgrades, and search for rpmnew and rpmsave files. 
This has happened > on 3 different but very similar servers that I run. > > I'm not really asking for assistance here, but just wanted to let > others who are seeing this problem to be aware that there is > something unique triggering this. I'm fairly confident that it is not > happening at all sites, but something here is causing it. It may not > even be related to MS/SA, but totally something else. > > The most I could ask for is a small checklist of what to ensure I have > set. Every time I try to use the debug procedures, the tests perform > flawlessly with no errors. It is very sporadic. We receive those > normal bursts of spam, but for the most part, the batches are small. > The average amount of email per day is usually around 10k emails, but > I get the above stated 100-300 timeouts. I'm going to try and match > batch numbers to timeouts and see if this will reveal anything. I only > run 3 Children on a fairly hefty Dell PowerEdge, but I do use 30 > messages per child. I don't think this is excessive though. > > Hope everyone has a Happy Holiday. > > Steve Campbell > From traced at xpear.de Tue Dec 23 18:44:39 2008
From: traced at xpear.de (traced) Date: Tue Dec 23 18:44:51 2008 Subject: DCC not working? In-Reply-To: <20081223152011.GA1056@msapiro> References: <494EB9BC.9000906@xpear.de> <223f97700812220129q369ad7c5u51f7bd09ed8a24ef@mail.gmail.com> <6630ac6b55060c033b96a6bafe7299f1@localhost> <223f97700812220205od3ff718kc2f283e99a1d014e@mail.gmail.com> <223f97700812220232y22c96097gecc2710ce628c662@mail.gmail.com> <4950A5D9.7050306@xpear.de> <20081223152011.GA1056@msapiro> Message-ID: <49513197.2060100@xpear.de> Mark Sapiro schrieb: > On Tue, Dec 23, 2008 at 09:48:25AM +0100, traced wrote: >> Scott Silva schrieb: >>> on 12-22-2008 2:32 AM Glenn Steen spake the following: > >>>> Ah good. A lot of info like this is in the wiki (both the MAQ and >>>> diverse other places... Use the Search, Luke:-)... You might enjoy a >>>> thorough read in there ... http://wiki.mailscanner.info >>>> >>> Listen to Glenn. The filter is strong with this one! >>> >> Hi Scott, >> whats do you mean with your answer above? >> >> Thanks, >> Bastian > > > They are references to the Star Wars movies. > > Use the Search, Luke <- Use the Source, Luke <- Use the Force, Luke > > The filter (Force) is strong with this one > Lol, I should go watching the movies once again ;) Bastian From maxsec at gmail.com Wed Dec 24 08:36:37 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Dec 24 08:36:47 2008 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <4951159C.2080806@cnpapers.com> References: <49510578.6050801@cnpapers.com> <4951159C.2080806@cnpapers.com> Message-ID: <72cf361e0812240036s2416f379p2ba539076a53a478@mail.gmail.com> 2008/12/23 Steve Campbell : > BTW - I've been gone a few weeks, and was just reading my email from that > time. I do not want to imply that NOBODY EVER ANSWERS QUESTION ON THIS LIST. > My reference to the "Solved" line just meant there has never been a > definitive resolution for me. The spamassassin timeout problem has been > fixed for quite a few people it appears. I am guessing that sendmail > configs, mimeDefang, and a lot of other variables could be causing this. > > Please don't misunderstand my prior post. I'm all for this mailing list, > it's great. I just don't want to start another thread like the "NOBODY" one. > > steve > > Steve Campbell wrote: >> >> The topic seems to come up quite often, and although the answers are >> usually pretty much the same, I never really see much of a "Solved" reply. >> >> I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to 4.71, >> and saw an immediate increase to around 100-300 timeouts. I ran all of the >> --debug and --debug-sa flavors of help I could think of. I reviewed the >> logs. I run a caching nameserver. And I zeroed out some RBL scores. I still >> have yet to find why this happens. I eventually upgraded to 4.72, and >> started using clamd. I still get the large numbers of timeouts. I would >> think that the fact that this doesn't happen with all of my large batches >> indicates I'm not using any dead RBLs. >> >> I'm still exploring the causes, but haven't had much luck. I find it odd >> that SA would really keep RBLs that have expired over time in their default >> files, so I really don't think it's that. I do all of my checking of RBLs in >> SA. 
I always do my configuration and language upgrades, and search for >> rpmnew and rpmsave files. This has happened on 3 different but very similar >> servers that I run. >> >> I'm not really asking for assistance here, but just wanted to let others >> who are seeing this problem to be aware that there is something unique >> triggering this. I'm fairly confident that it is not happening at all sites, >> but something here is causing it. It may not even be related to MS/SA, but >> totally something else. >> >> The most I could ask for is a small checklist of what to ensure I have >> set. Every time I try to use the debug procedures, the tests perform >> flawlessly with no errors. It is very sporadic. We receive those normal >> bursts of spam, but for the most part, the batches ares small. The average >> amount of email per day is usually around 10k emails, but I get the above >> stated 100-300 timeouts. I'm going to try and match batch numbers to >> timeouts and see if this will reveal anything. I only run 3 Children on a >> fairly hefty Dell PowerEdge, but I do use 30 messages per child. I don't >> think this is excessive thought. >> >> Hope everyone has a Happy Holiday. >> >> Steve Campbell >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Vast majority of these timeouts are down to the timeout being too low (I find the default of 75 way too low in most cases) and/or too many RBL's in SA (try turning most of them off and just running a couple). This seems to sort out 95% of the problems. -- Martin Hepworth Oxford, UK From traced at xpear.de Wed Dec 24 12:35:36 2008 
From: traced at xpear.de (traced)
Date: Wed Dec 24 12:35:49 2008
Subject: Merry Christmas...
Message-ID: <49522C98.90108@xpear.de>

... and as little spam as possible :)

Regards,
Bastian

From writetoashok at gmail.com Thu Dec 25 05:09:59 2008
From: writetoashok at gmail.com (Ashok Kumar)
Date: Thu Dec 25 05:10:08 2008
Subject: Which version of Kaspersky to use with MailScanner
Message-ID:

Hello list,

My doubt is regarding which version of Kaspersky to be used with MailScanner, whether it is Kaspersky Anti-Virus for Linux Workstation or Kaspersky Anti-Virus for Linux Mail Server.

The MailScanner documentation at

http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:kaspersky:install

has mentioned about kav4workstation, which I suppose would be the workstation version. It says, for BSD, kav4mailservers can also be used. We are using CentOS 4.5 as mail server and plan to use the Kaspersky purchased for the Proxy server also. Then I guess the workstation version is the right choice.

Any comments are welcomed about which version is normally used in MailScanner by everyone.

Thanks.

--
regards,
Ashok.

From traced at xpear.de Thu Dec 25 10:17:18 2008
From: traced at xpear.de (traced)
Date: Thu Dec 25 10:17:30 2008
Subject: Which version of Kaspersky to use with MailScanner
In-Reply-To:
References:
Message-ID: <49535DAE.2000201@xpear.de>

Ashok Kumar wrote:
> Hello list,
>
> My doubt is regarding which version of Kaspersky to be used
> with MailScanner, whether it is Kaspersky Anti-Virus for Linux
> Workstation or Kaspersky Anti-Virus for Linux Mail Server.
>
> The MailScanner documentation at
>
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:kaspersky:install
>
>
> has mentioned about kav4workstation, which I suppose would be the
> workstation version. It says, for BSD, kav4mailservers can also be used.
> We are using CentOS 4.5 as mail server and plan to the use the Kaspersky
> purchased for the Proxy server also. Then i guess the workstation
> version is the right choice.
>
> Any comments are welcomed about which version is normally used in
> MailScanner by everyone.
>
> Thanks.
>
> --
> regards,
> Ashok.
>

Hi,

we used last year kav4workstation, worked like a charm, no problems with that, and, it's the cheapest license we could get ;)

Regards,
Bastian

From root at doctor.nl2k.ab.ca Fri Dec 26 12:45:02 2008
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Fri Dec 26 12:46:53 2008
Subject: HTML spam using you own e-mail address
Message-ID: <20081226124502.GA13679@doctor.nl2k.ab.ca>

Does anyone know how to stop this spam?

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From steve at fsl.com Fri Dec 26 12:55:37 2008
From: steve at fsl.com (Stephen Swaney) Date: Fri Dec 26 12:55:47 2008 Subject: HTML spam using you own e-mail address In-Reply-To: <20081226124502.GA13679@doctor.nl2k.ab.ca> References: <20081226124502.GA13679@doctor.nl2k.ab.ca> Message-ID: <4954D449.2040006@fsl.com> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > Does anyone know how to stop this spam? > > Check the list archives and publish SPF records. Happy holidays, Steve Steve Swaney steve@fsl.com www.fsl.com From traced at xpear.de Fri Dec 26 12:56:00 2008 From: traced at xpear.de (traced) Date: Fri Dec 26 12:56:11 2008 Subject: HTML spam using you own e-mail address In-Reply-To: <20081226124502.GA13679@doctor.nl2k.ab.ca> References: <20081226124502.GA13679@doctor.nl2k.ab.ca> Message-ID: <4954D460.3010700@xpear.de> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem schrieb: > Does anyone know how to stop this spam? > Hmm... which spam do you want to stop? Regards, Bastian From hvdkooij at vanderkooij.org Fri Dec 26 13:43:44 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Dec 26 13:43:54 2008 Subject: HTML spam using you own e-mail address In-Reply-To: <20081226124502.GA13679@doctor.nl2k.ab.ca> References: <20081226124502.GA13679@doctor.nl2k.ab.ca> Message-ID: <4954DF90.7080800@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > Does anyone know how to stop this spam? Well. Given the almost utter lack of information that will be a bit tricky. Don't you think so? I guess the first thing it to instruct your MTA to stop accepting fake messages from outside sources. Surely this sort of email traffic should not arrive from the outside world. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklU340ACgkQBvzDRVjxmYGQRwCffOTnIEZZgOowwtL/nqTuyJx4 7/cAn1dOIVvonrKYdTi4CHMzGe+/wml2 =pbIu -----END PGP SIGNATURE----- From alex at rtpty.com Fri Dec 26 18:08:48 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Dec 26 18:09:01 2008 Subject: HTML spam using you own e-mail address In-Reply-To: <20081226124502.GA13679@doctor.nl2k.ab.ca> References: <20081226124502.GA13679@doctor.nl2k.ab.ca> Message-ID: On Dec 26, 2008, at 7:45 AM, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > Does anyone know how to stop this spam? Unless you give more information and examples, I guess the answer is a definite yes, no and it depends. Some of the "tell your MTA to be less gullible about it using MTA tricks and SPF" suggestions are MTA-dependent, so you can help us narrow it down by detailing that. Other tools (such as rulesets by IP) can help at the MailScanner level. Let us know a bit more about your particular situation and I'm sure some of us will be able to help you (for example, I rarely - if ever - touch postfix, as it causes swapping ;-) and never had to set up qmail with MailScanner, so I can help a bit if sendmail's involved). Cheers, and Happy New Year! From campbell at cnpapers.com Fri Dec 26 18:26:26 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Dec 26 18:26:44 2008 Subject: HTML spam using you own e-mail address In-Reply-To: References: <20081226124502.GA13679@doctor.nl2k.ab.ca> Message-ID: <495521D2.4000905@cnpapers.com> FYI - the swapping in Postfix has now been fixed. It segfaults instead now. :-) You all have a very nice New Year celebration. Alex Neuman van der Hans wrote: > > On Dec 26, 2008, at 7:45 AM, Dave Shariff Yadallee - System > Administrator a.k.a. The Root of the Problem wrote: > >> Does anyone know how to stop this spam? > > Unless you give more information and examples, I guess the answer is a > definite yes, no and it depends. > > Some of the "tell your MTA to be less gullible about it using MTA > tricks and SPF" suggestions are MTA-dependent, so you can help us > narrow it down by detailing that. Other tools (such as rulesets by IP) > can help at the MailScanner level. Let us know a bit more about your > particular situation and I'm sure some of us will be able to help you > (for example, I rarely - if ever - touch postfix, as it causes > swapping ;-) and never had to set up qmail with MailScanner, so I can > help a bit if sendmail's involved). > > Cheers, and Happy New Year! > From hvdkooij at vanderkooij.org Fri Dec 26 23:07:36 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Dec 26 23:07:48 2008 Subject: HTML spam using you own e-mail address In-Reply-To: <495521D2.4000905@cnpapers.com> References: <20081226124502.GA13679@doctor.nl2k.ab.ca> <495521D2.4000905@cnpapers.com> Message-ID: <495563B8.6020102@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Campbell wrote: > FYI - the swapping in Postfix has now been fixed. It segfaults instead > now. :-) But apparant only when it detects MailScanner on the same system. This Wietse is a bit like AT. (AT is a purist at the expense of workability at all costs. ;-) Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklVY7YACgkQBvzDRVjxmYFrJACgtYJd4/h96gZ+qmv8YmHtNTmx rPgAn1TkAm2Wspcs0uRwqWh2qP+r0feW =P3cu -----END PGP SIGNATURE----- From root at doctor.nl2k.ab.ca Fri Dec 26 21:40:06 2008 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Fri Dec 26 23:17:29 2008 Subject: FreeBSD Message-ID: <20081226214006.GA9251@doctor.nl2k.ab.ca> FreeBSD section needs updating in the Install.FreeBSD . http://www.soton.ac.uk fetch was going wrong. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From eli at orbsky.homelinux.org Sat Dec 27 05:27:07 2008 
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Sat Dec 27 05:27:38 2008
Subject: Installation with Fedora 10
Message-ID: <200812270727.07811.eli@orbsky.homelinux.org>

Hi

Hope this gets to the right person.

There is a problem installing Mailscanner in Fedora 10. Fedora 10 uses rpmmacro when to rebuild rpms. What this translates to is that a folder under the user's home folder that tries to build a package will have that package built under

~/rpmbuild

This was done in order to avoid some security problem when building packages. (How building a package with root privileges is more dangerous than installing a package with root privileges is beyond me.) As such, all packages are built under ~/rpmbuild. The installation script can't find all the packages that are built because it doesn't seem to look in the correct folder.

Since the MailScanner installation script requires root privileges to install, the workaround would be to provide a soft link to "/usr/src/redhat"

So... issuing the command

mv /usr/src/redhat /usr/src/redhat.bak

just in case there are packages there that you want to keep and then

ln -s /root/rpmbuild /usr/src/redhat

would provide a temporary workaround until such time as the problem gets fixed.

Eli

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maxsec at gmail.com Sat Dec 27 09:48:26 2008
From: maxsec at gmail.com (Martin Hepworth) Date: Sat Dec 27 09:48:35 2008 Subject: Installation with Fedora 10 In-Reply-To: <200812270727.07811.eli@orbsky.homelinux.org> References: <200812270727.07811.eli@orbsky.homelinux.org> Message-ID: <72cf361e0812270148s41ced1d4t27b6b2503423db6c@mail.gmail.com> 2008/12/27 Eli Wapniarski : > Hi > > Hope this gets to the right person. > > There is a problem installing Mailscanner in Fedora 10. Fedora 10 uses > rpmmacro when to rebuild rpms. What this translates to is that a folder under > the user's home folder that tries to build an package will have that package > built under > > ~/rpmbuild > > This was done in order to avoid some security problem when building packages. > (How building a package with root privileges is more dangerous than installing > a package with root privileges is beyond me.) As such, all packages are built > under ~/rpmbuild. The installation script can't find all the packages that are > built because it doesn't seem to look in the correct folder. > > > Since the Mailscannerinstallation script requires root privileges to install > the workaround would be to provide a soft link to "/usr/src/redhat" > > So... issuing the command > > mv /usr/src/redhat /usr/src/redhat.bak > > just in case there are packages there that you want to keep and then > > ln -s /root/rpmbuild /usr/src/redhat > > would provide a temporary workaround until such time as the problem gets > fixed. > > > Eli > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Good point, although putting a 'server' on Fedora is interesting unless you really want to be upgrading every 6 months. 
You'd be better off with Centos which is the 'free' version of RHES and is more stable as reguards upgrades/updates etc. -- Martin Hepworth Oxford, UK From hvdkooij at vanderkooij.org Sat Dec 27 13:41:37 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Dec 27 13:41:47 2008 Subject: Installation with Fedora 10 In-Reply-To: <200812270727.07811.eli@orbsky.homelinux.org> References: <200812270727.07811.eli@orbsky.homelinux.org> Message-ID: <49563091.9020500@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eli Wapniarski wrote: > There is a problem installing Mailscanner in Fedora 10. Fedora 10 uses > rpmmacro when to rebuild rpms. What this translates to is that a folder under > the user's home folder that tries to build an package will have that package > built under > > ~/rpmbuild How about adjusting the rpm macros for the root user to point back to /usr/src/redhat? And I share the sentiment that using Fedora for production servers makes no sense to me. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklWMI8ACgkQBvzDRVjxmYH1ZQCdEudCPvHmeImSDDn8DP6Xm94o R7gAoLKpPbjTZhW/hlITqHVR2vsBskeq =uzov -----END PGP SIGNATURE----- From ajcartmell at fonant.com Sat Dec 27 19:49:38 2008 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Sat Dec 27 19:50:03 2008 Subject: Installation with Fedora 10 In-Reply-To: <49563091.9020500@vanderkooij.org> References: <200812270727.07811.eli@orbsky.homelinux.org> <49563091.9020500@vanderkooij.org> Message-ID: > And I share the sentiment that using Fedora for production servers makes > no sense to me. Each to his own! As you know, using Fedora for production servers makes perfect sense to me :) My systems require more recent packages of most things than are found in CentOS. The thing I upgrade most often is MailScanner, which works very nicely for production servers :) Note that RHEL and CentOS also release new point-release versions every six months or so, as more up-to-date stuff filters through from Fedora. Anyway, the choice of running old software for a long time with patches or upgrading to current stable versions with fewer patches will depend on what type of server you're running and what software requirements you have. Happy Christmas and a spam-reduced New Year to all MailScanner users! Anthony -- www.fonant.com - Quality web sites From ugob at lubik.ca Sun Dec 28 03:02:19 2008 
From: ugob at lubik.ca (Ugo Bellavance) Date: Sun Dec 28 03:02:43 2008 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <49510578.6050801@cnpapers.com> References: <49510578.6050801@cnpapers.com> Message-ID: Steve Campbell wrote: > The topic seems to come up quite often, and although the answers are > usually pretty much the same, I never really see much of a "Solved" reply. > > I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to > 4.71, and saw an immediate increase to around 100-300 timeouts. I ran > all of the --debug and --debug-sa flavors of help I could think of. I > reviewed the logs. I run a caching nameserver. And I zeroed out some RBL > scores. I still have yet to find why this happens. I eventually upgraded > to 4.72, and started using clamd. I still get the large numbers of > timeouts. I would think that the fact that this doesn't happen with all > of my large batches indicates I'm not using any dead RBLs. > > I'm still exploring the causes, but haven't had much luck. I find it odd > that SA would really keep RBLs that have expired over time in their > default files, so I really don't think it's that. I do all of my > checking of RBLs in SA. I always do my configuration and language > upgrades, and search for rpmnew and rpmsave files. This has happened on > 3 different but very similar servers that I run. > > I'm not really asking for assistance here, but just wanted to let others > who are seeing this problem to be aware that there is something unique > triggering this. I'm fairly confident that it is not happening at all > sites, but something here is causing it. It may not even be related to > MS/SA, but totally something else. > > The most I could ask for is a small checklist of what to ensure I have > set. Every time I try to use the debug procedures, the tests perform > flawlessly with no errors. It is very sporadic. We receive those normal > bursts of spam, but for the most part, the batches ares small. 
The > average amount of email per day is usually around 10k emails, but I get > the above stated 100-300 timeouts. I'm going to try and match batch > numbers to timeouts and see if this will reveal anything. I only run 3 > Children on a fairly hefty Dell PowerEdge, but I do use 30 messages per > child. I don't think this is excessive thought. > > Hope everyone has a Happy Holiday.

What is the machine? Did you check the optimization section of the MAQ page on the wiki?

When running --debug --debug-sa, don't you find anything that is a bit slow?

From gmcgreevy at pwr-sys.com Sun Dec 28 03:39:27 2008
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Sun Dec 28 03:44:25 2008
Subject: Allow Blackberry redirector messages
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3BB@EXCHTEMP.biz.pwr-sys.com>

I would like to allow the blackberry re-director messages to pass through without scanning but I am getting the following reply:

No programs allowed (ETP.DAT)

I am running the latest stable version

can someone send some step by step instructions on how to do this

Thank you,
Greg

From maillists at conactive.com Sun Dec 28 11:31:17 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun Dec 28 11:31:31 2008
Subject: Allow Blackberry redirector messages
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3BB@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3BB@EXCHTEMP.biz.pwr-sys.com>
Message-ID:

Greg J. McGreevy wrote on Sat, 27 Dec 2008 22:39:27 -0500:

> can someone send some step by step instructions on how to do this

These are already on this list. Just search it.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From gmcgreevy at pwr-sys.com Sun Dec 28 13:46:14 2008
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Sun Dec 28 13:51:12 2008
Subject: Allow Blackberry redirector messages
References: <567221C09601934AA5CE9762FDA09A5001C3BB@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3BC@EXCHTEMP.biz.pwr-sys.com>

yes I found this before I posted:
I used

MailScanner.cong

Dangerous Content Scanning = %rules-dir%/content.scanning.rules

___
File: content.scanning.rules

From: *.blackberry.net no

I could not get this working. I found the above statement in the mailscanner.conf file (guess it is a typo in this reply) it only has a yes statement currently. I did not find the content.scanning.rules file anywhere so I assumed it had to be created. Tried all of this to no avail. Mailscanner service would not start. If I am in fact doing something wrong and someone leads me in the right direction (step by step). What are the consequences of using this statement? How I read it is don't scan anything from blackberry.net and do nothing else meaning ignore all other scanning for dangerous files. I would have figured this would be an add to the current rule not a new one.

Thanks for your help,
Greg

________________________________
From: mailscanner-bounces@lists.mailscanner.info on behalf of Kai Schaetzl
Sent: Sun 12/28/2008 6:31 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: Allow Blackberry redirector messages

Greg J. McGreevy wrote on Sat, 27 Dec 2008 22:39:27 -0500:

> can someone send some step by step instructions on how to do this

These are already on this list. Just search it.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Sun Dec 28 14:17:56 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Dec 28 14:18:17 2008
Subject: Allow Blackberry redirector messages
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3BC@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3BB@EXCHTEMP.biz.pwr-sys.com> <567221C09601934AA5CE9762FDA09A5001C3BC@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <49578A94.10306@ecs.soton.ac.uk>

Just add this line to /etc/MailScanner/rules/content.scanning.rules

FromOrTo: default yes

Then "service MailScanner restart", or "service MailScanner reload" if MailScanner is already running.

On 28/12/08 13:46, Greg J. McGreevy wrote:
> yes I found this before I posted:
> I used
>
> MailScanner.cong
>
> Dangerous Content Scanning = %rules-dir%/content.scanning.rules
>
> ___
> File: content.scanning.rules
> > From: *.*blackberry*.net no > > I could not get this working. I found the above statement in the > mailscanner.conf file (guess it is a typo in this reply) it only has a > yes statement currently. I did not find the content.scanning.rules > file anywhere so I asummend it had to be created. Tried all of this to > no avail. Mailscanner service would not start. If I am in fact doing > something wrong and someone leads me in the right direction (step by > step). What are the consequences of using this statement. How I read > it is don't scan anything from blackberry.net and do nothing else > meaning ignore all other scanning for dangerous files. I would have > figured this would be an add to the current rule not a new one. > Thanks for your help, > Greg > > ------------------------------------------------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info on behalf of Kai > Schaetzl > *Sent:* Sun 12/28/2008 6:31 AM > *To:* mailscanner@lists.mailscanner.info > *Subject:* Re: Allow Blackberry redirector messages > > Greg J. McGreevy wrote on Sat, 27 Dec 2008 22:39:27 -0500: > > > can someone send some step by step instructions on how to do this > > These are already on this list. Just search it. > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From gmcgreevy at pwr-sys.com Sun Dec 28 16:08:44 2008
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Sun Dec 28 16:13:42 2008
Subject: Allow Blackberry redirector messages
References: <567221C09601934AA5CE9762FDA09A5001C3BB@EXCHTEMP.biz.pwr-sys.com> <567221C09601934AA5CE9762FDA09A5001C3BC@EXCHTEMP.biz.pwr-sys.com> <49578A94.10306@ecs.soton.ac.uk>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3C0@EXCHTEMP.biz.pwr-sys.com>

Sorry to seem ignorant or be a pest just so I am clear on what I need to do. As I would like to leave the current rule in place as it is a good practice. Here are the steps I will take.

1) create new file called content.scanning.rules and place in the path /etc/Mailscanner/rules folder

2) file should read as below:

File: content.scanning.rules
FromOrTo: default yes
From: *.*blackberry*.net no

3) edit Mailscanner.conf change the following line that currently states:

Dangerous Content Scanning = yes

to

Dangerous Content Scanning = %rules-dir%/content.scanning.rules

Thanks for your time
Greg

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field
Sent: Sun 12/28/2008 9:17 AM
To: MailScanner discussion
Subject: Re: Allow Blackberry redirector messages

Just add this line to /etc/MailScanner/rules/content.scanning.rules

FromOrTo: default yes

Then "service MailScanner restart", or "service MailScanner reload" if MailScanner is already running.

On 28/12/08 13:46, Greg J. McGreevy wrote:
> yes I found this before I posted:
> I used
>
> MailScanner.cong
>
> Dangerous Content Scanning = %rules-dir%/content.scanning.rules
>
> ___
> File: content.scanning.rules
> > From: *.*blackberry*.net no > > I could not get this working. I found the above statement in the > mailscanner.conf file (guess it is a typo in this reply) it only has a > yes statement currently. I did not find the content.scanning.rules > file anywhere so I asummend it had to be created. Tried all of this to > no avail. Mailscanner service would not start. If I am in fact doing > something wrong and someone leads me in the right direction (step by > step). What are the consequences of using this statement. How I read > it is don't scan anything from blackberry.net and do nothing else > meaning ignore all other scanning for dangerous files. I would have > figured this would be an add to the current rule not a new one. > Thanks for your help, > Greg > > ------------------------------------------------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info on behalf of Kai > Schaetzl > *Sent:* Sun 12/28/2008 6:31 AM > *To:* mailscanner@lists.mailscanner.info > *Subject:* Re: Allow Blackberry redirector messages > > Greg J. McGreevy wrote on Sat, 27 Dec 2008 22:39:27 -0500: > > > can someone send some step by step instructions on how to do this > > These are already on this list. Just search it. > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Sun Dec 28 17:05:02 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Dec 28 17:05:25 2008
Subject: Allow Blackberry redirector messages
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3C0@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3BB@EXCHTEMP.biz.pwr-sys.com> <567221C09601934AA5CE9762FDA09A5001C3BC@EXCHTEMP.biz.pwr-sys.com> <49578A94.10306@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3C0@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <4957B1BE.2020608@ecs.soton.ac.uk>

On 28/12/08 16:08, Greg J. McGreevy wrote:
> Sorry to seem ignorant or be a pest just so I am clear on what I need to do. As I would like to leave the current rule in place as it is a good practice. here are the steps I will take.
>
> 1) create new file called content.scanning.rules and place in the path /etc/Mailscanner/rules folder
>
> 2) file should read as below:
>
> File: content.scanning.rules
>
That line shouldn't be in the file, just the file should be whatever name you put in for it in MailScanner.conf.

> FromOrTo: default yes
>
Correct. Despite what other people may say, it doesn't actually matter where in the file this line appears. But it makes more logical sense to put it at the end, as all the other lines are processed in the order first to last.

> From: *.*blackberry*.net no
>
No,
From: *@blackberry.net no
and you might want to add this line as well
From: *@*.blackberry.net no
but you probably don't need that one, unless you have seen mail from subdomains of blackberry.net.

> 3) edit Mailscanner.conf change the following line that currently states:
>
> Dangerous Content Scanning = yes
>
> to
>
> Dangerous Content Scanning = %rules-dir%/content.scanning.rules
>
Correct.
Then, if MailScanner is already running, do
service MailScanner reload
or, if it is not running (or if you want to be *really* sure it's picked up all updates and changes)
service MailScanner restart
That makes MailScanner immediately take notice of the configuration change you have made, or else it won't pick it up for a few hours.

>
> Thanks for you time
>
No problem.

And to all you other guys here ---- you could have been a little more verbose, couldn't you? Bit mean not to tell him about the "default" line he needs in the file. Happy New Year!

Jules.

> Greg
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field
> Sent: Sun 12/28/2008 9:17 AM
> To: MailScanner discussion
> Subject: Re: Allow Blackberry redirector messages
>
> Just add this line to /etc/MailScanner/rules/content.scanning.rules
>
> FromOrTo: default yes
>
> Then "service MailScanner restart", or "service MailScanner reload" if
> MailScanner is already running.
>
> On 28/12/08 13:46, Greg J. McGreevy wrote:
>
>> yes I found this before I posted:
>> I used
>>
>> MailScanner.cong
>>
>> Dangerous Content Scanning = %rules-dir%/content.scanning.rules
>>
>> ___
>> File: content.scanning.rules
Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Sun Dec 28 20:05:13 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 28 20:05:23 2008
Subject: Allow Blackberry redirector messages
In-Reply-To: <4957B1BE.2020608@ecs.soton.ac.uk>
References: <567221C09601934AA5CE9762FDA09A5001C3BB@EXCHTEMP.biz.pwr-sys.com> <567221C09601934AA5CE9762FDA09A5001C3BC@EXCHTEMP.biz.pwr-sys.com> <49578A94.10306@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3C0@EXCHTEMP.biz.pwr-sys.com> <4957B1BE.2020608@ecs.soton.ac.uk>
Message-ID: <223f97700812281205h19c670cdhcbfa1b794caa7a00@mail.gmail.com>

2008/12/28 Julian Field :
>
> On 28/12/08 16:08, Greg J. McGreevy wrote:
>>
>> Sorry to seem ignorant or be a pest just so I am clear on what I need to
>> do. As I would like to leave the current rule in place as it is a good
>> practice. here are the steps I will take.
>>
>> 1) create new file called content.scanning.rules and place in the path
>> /etc/Mailscanner/rules folder
>>
>> 2) file should read as below:
>>
>> File: content.scanning.rules
>>
>
> That line shouldn't be in the file, just the file should be whatever name
> you put in for it in MailScanner.conf.
>>
>> FromOrTo: default yes
>>
>
> Correct. Despite what other people may say, it doesn't actually matter where
> in the file this line appears. But it makes more logical sense to put it at
> the end, as all the other lines are processed in the order first to last.
>>
>> From: *.*blackberry*.net no
>>
>
> No,
> From: *@blackberry.net no
> and you might want to add this line as well
> From: *@*.blackberry.net no
> but you probably don't need that one, unless you have seen mail from
> subdomains of blackberry.net.

IIRC (always a gamble between Xmas and New Years Eve....:-) this is usually the case... That they send from a "semi-local" subdomain, that is.
I really would like to twist the thumbs on the one who put that all together... they have the ETP.DAT file in there as ascii armored text, still need the actual binary.... So what was the point of the ascii armor? Sigh.

>>
>> 3) edit Mailscanner.conf change the following line that currently states:
>>
>> Dangerous Content Scanning = yes
>>
>> to
>>
>> Dangerous Content Scanning = %rules-dir%/content.scanning.rules
>>
>
> Correct.
> Then, if MailScanner is already running, do
> service MailScanner reload
> or, if it is not running (or if you want to be *really* sure it's picked up
> all updates and changes)
> service MailScanner restart
> That makes MailScanner immediately take notice of the configuration change
> you have made, or else it won't pick it up for a few hours.
>>
>>
>> Thanks for you time
>>
>
> No problem.
>
> And to all you other guys here ---- you could have been a little more
> verbose, couldn't you? Bit mean not to tell him about the "default" line he
> needs in the file. Happy New Year!
>
> Jules.

Was busy eating and drinking... Sorry...:-).

>>
>> Greg
>>
>> ________________________________
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sun Dec 28 23:07:16 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Dec 28 23:07:26 2008 Subject: HTML spam using you own e-mail address In-Reply-To: <495563B8.6020102@vanderkooij.org> References: <20081226124502.GA13679@doctor.nl2k.ab.ca> <495521D2.4000905@cnpapers.com> <495563B8.6020102@vanderkooij.org> Message-ID: <223f97700812281507i7409db3bw1503d5fa3d38dfc2@mail.gmail.com> 2008/12/27 Hugo van der Kooij : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Steve Campbell wrote: >> FYI - the swapping in Postfix has now been fixed. It segfaults instead >> now. :-) > > But apparant only when it detects MailScanner on the same system. This > Wietse is a bit like AT. (AT is a purist at the expense of workability > at all costs. ;-) > I always enjoyed Andrews writings... apart from the ... row.... with LT:-). > Hugo. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jonas at vrt.dk Mon Dec 29 09:24:35 2008 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Mon Dec 29 09:24:47 2008 Subject: Which version of Kaspersky to use with MailScanner In-Reply-To: References: Message-ID: <007601c96997$440387b0$cc0a9710$@dk> I have used Kaspersky workstation version before, worked fine, although pretty cpu intensive. We now use f-secure, which contains both the f-secure engine/signatures as well as the kaspersky ditto. So you actually get 2 scanners in one product which is pretty cool. Just my 5cents 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ashok Kumar Sent: 25. december 2008 06:10 To: mailscanner@lists.mailscanner.info Subject: Which version of Kaspersky to use with MailScanner Hello list, My doubt is regarding which version of Kaspersky to be used with MailScanner, whether it is Kaspersky Anti-Virus for Linux Workstation or Kaspersky Anti-Virus for Linux Mail Server. The MailScanner documentation at http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:kaspersky: install has mentioned about kav4workstation, which I suppose would be the workstation version. It says, for BSD, kav4mailservers can also be used. We are using CentOS 4.5 as mail server and plan to the use the Kaspersky purchased for the Proxy server also. Then i guess the workstation version is the right choice. Any comments are welcomed about which version is normally used in MailScanner by everyone. Thanks. -- regards, Ashok. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081229/b420e8c7/attachment.html From R.Sterenborg at netsourcing.nl Mon Dec 29 09:39:08 2008 
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Mon Dec 29 09:39:15 2008 Subject: Scanning for multiple organisations Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D4@WISENT.dcyb.net> Hi all, We're using PF with MS and SA to mark spam for multiple organisations. Different organisations tend to attract different kind of spam and a company for which we recently started to offer email services complained that at the moment they receive more spam than before. I'd like to have a separate SA Bayes for each organisation we accept email for. However, AFAICT that would require running multiple MS/SA processes using different configs that would eat a lot of resources. Is there another, more intelligent, way of doing this? Thanks, Rob From maxsec at gmail.com Mon Dec 29 09:45:25 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Mon Dec 29 09:45:35 2008 Subject: Scanning for multiple organisations In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D4@WISENT.dcyb.net> References: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D4@WISENT.dcyb.net> Message-ID: <72cf361e0812290145m18a12399ra7193a027039dcae@mail.gmail.com> 2008/12/29 Rob Sterenborg : > Hi all, > > We're using PF with MS and SA to mark spam for multiple organisations. > Different organisations tend to attract different kind of spam and a > company for which we recently started to offer email services complained > that at the moment they receive more spam than before. > > I'd like to have a separate SA Bayes for each organisation we accept > email for. However, AFAICT that would require running multiple MS/SA > processes using different configs that would eat a lot of resources. Is > there another, more intelligent, way of doing this? > > > Thanks, > Rob > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > I know several ISP's that use single MS/SA combinations and it works well. I'll look at why the spam is getting through, bad whitelists, not enough third party SA rules etc etc. Perhaps if you post the pastebin link for an example email (full headers etc), people can run it over their systems and see what rules hit vs what rules hit for your setup. -- Martin Hepworth Oxford, UK From steve.freegard at fsl.com Mon Dec 29 11:39:29 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Dec 29 11:39:42 2008 Subject: Scanning for multiple organisations In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D4@WISENT.dcyb.net> References: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D4@WISENT.dcyb.net> Message-ID: <4958B6F1.9010706@fsl.com> Rob Sterenborg wrote: > Hi all, > > We're using PF with MS and SA to mark spam for multiple organisations. > Different organisations tend to attract different kind of spam and a > company for which we recently started to offer email services complained > that at the moment they receive more spam than before. > > I'd like to have a separate SA Bayes for each organisation we accept > email for. However, AFAICT that would require running multiple MS/SA > processes using different configs that would eat a lot of resources. Is > there another, more intelligent, way of doing this? Not without writing some code to achieve it. Search the list archives for 'spamd support module' and you'll find some code I sent to the list that adds spamd support into MailScanner via the GenericSpamScanner interface. You'd need to extend that a bit to change which $spamd_user is being sent to spamd depending on who the message is being sent to (remember that you will need to handle messages to multiple different domains in a single message) - then you can run spamd with '-c -x --virtual-config-dir=/var/spamd/prefs/%u' and it will automatically create user_prefs and the bayes databases in /var/spamd/prefs/ for you. If you want to get fancy then you can use '-q' instead of '--virtual-config-dir' and that will allow all the preferences to be loaded from SQL instead (note that you can't mix both methods). If you decide to go this route, then please make sure that you contribute your changes back so that others may benefit. Kind regards, Steve. From root at doctor.nl2k.ab.ca Mon Dec 29 13:12:52 2008 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Mon Dec 29 13:15:53 2008
Subject: Some customized Spam Assassin level not getting picked up
Message-ID: <20081229131252.GA18318@doctor.nl2k.ab.ca>

Right, I have set BAYES_99 and BAYES_95
to 100.0 but SpamAssassin default values are being picked up.

Huh???

Using the latest beta.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maxsec at gmail.com Mon Dec 29 13:31:09 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Dec 29 13:31:29 2008
Subject: Some customized Spam Assassin level not getting picked up
In-Reply-To: <20081229131252.GA18318@doctor.nl2k.ab.ca>
References: <20081229131252.GA18318@doctor.nl2k.ab.ca>
Message-ID: <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com>

2008/12/29 Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem :
> Right, I have set BAYES_99 and BAYES_95
> to 100.0 but SpamAssassin default values are being picked up.
>
> Huh???
>
> Using the latest beta.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Dave

how and where have you set these values?

Should be done in /etc/mail/spamassassin/mailscanner.cf

and set thus

score BAYES_95 0 0 100.0 100.0

and of course restart MailScanner.

--
Martin Hepworth
Oxford, UK

From root at doctor.nl2k.ab.ca Mon Dec 29 15:22:31 2008
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Dec 29 15:24:32 2008 Subject: Some customized Spam Assassin level not getting picked up In-Reply-To: <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> References: <20081229131252.GA18318@doctor.nl2k.ab.ca> <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> Message-ID: <20081229152231.GA14741@doctor.nl2k.ab.ca> On Mon, Dec 29, 2008 at 01:31:09PM +0000, Martin Hepworth wrote: > 2008/12/29 Dave Shariff Yadallee - System Administrator a.k.a. The > Root of the Problem : > > Right, I have set BAYES_99 and BAYES_95 > > to 100.0 but SpamAssassin default values are being picked up. > > > > Huh??? > > > > Using the latest beta. > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > Dave > > how and where have you set this values? > > > Should be done in /etc/mail/spamassassin/mailscanner.cf > > and set thus > > score BAYES_95 0 0 100.0 100.0 > > and of course restart MailScanner. > May have to fix the rest, but thanks for the start. > -- > Martin Hepworth > Oxford, UK > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
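An added example, not code from this thread or from the MailScanner or SpamAssassin projects, for the four-value `score` line discussed above: SpamAssassin keeps the last `score` it reads for a rule, and the four columns are the score sets for no Bayes/no network tests, network only, Bayes only, and both. The file contents, the `zz_vendor.cf` name, the `KNOWN_RULES` list and the alphabetical read order are constructed assumptions; the script reports which line wins, which lines were replaced, and score lines naming a rule that is not known.

```python
import difflib

# Constructed sample: (path, contents) pairs in the order the files are read.
# Assumption: files in the site directory are read in alphabetical order.
SAMPLE_FILES = [
    ("/etc/mail/spamassassin/local.cf",
     "required_score 5.0\n"
     "score BAYES_99 4.5\n"),
    ("/etc/mail/spamassassin/mailscanner.cf",
     "# raise the top Bayes buckets\n"
     "score BAYES_95 0 0 100.0 100.0\n"
     "score PAYES_99 0 0 100.0 100.0   # constructed typo\n"),
    ("/etc/mail/spamassassin/zz_vendor.cf",
     "score BAYES_95 0 0 3.0 3.0\n"),
]

# Stand-in for the rule names actually installed on the system (assumption).
KNOWN_RULES = {"BAYES_50", "BAYES_95", "BAYES_99"}


def parse_score_line(line):
    """Return (rule, [s0, s1, s2, s3]) for a `score` line, else None.

    Raises ValueError for forms this example does not handle
    (relative scores in parentheses, or a count other than 1 or 4).
    """
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0] != "score":
        return None
    rule, values = fields[1], fields[2:]
    if any(v.startswith("(") for v in values):
        raise ValueError("relative score not handled in this example")
    nums = [float(v) for v in values]
    if len(nums) == 1:
        nums *= 4            # a single value applies to all four score sets
    if len(nums) != 4:
        raise ValueError("expected 1 or 4 scores")
    return rule, nums


def resolve(files, known_rules):
    """Walk the files in read order; return (effective, shadowed, problems)."""
    effective = {}   # rule -> (scores, path, lineno); later lines replace earlier
    shadowed = []    # (rule, path, lineno, scores) for lines that were replaced
    problems = []    # (path, lineno, message)
    for path, text in files:
        for lineno, line in enumerate(text.splitlines(), 1):
            try:
                parsed = parse_score_line(line)
            except ValueError as exc:
                problems.append((path, lineno, str(exc)))
                continue
            if parsed is None:
                continue
            rule, scores = parsed
            if rule not in known_rules:
                hint = difflib.get_close_matches(
                    rule, sorted(known_rules), n=1, cutoff=0.8)
                msg = "unknown rule %s" % rule
                if hint:
                    msg += ", did you mean %s?" % hint[0]
                problems.append((path, lineno, msg))
            if rule in effective:
                old = effective[rule]
                shadowed.append((rule, old[1], old[2], old[0]))
            effective[rule] = (scores, path, lineno)
    return effective, shadowed, problems


def score_for(effective, rule, bayes=True, network=True):
    """Pick the column in use: set 0 = no Bayes and no network tests,
    1 = network only, 2 = Bayes only, 3 = both."""
    index = (2 if bayes else 0) + (1 if network else 0)
    return effective[rule][0][index]


if __name__ == "__main__":
    effective, shadowed, problems = resolve(SAMPLE_FILES, KNOWN_RULES)
    for rule in sorted(effective):
        scores, path, lineno = effective[rule]
        print("%-9s %s  <- %s:%d" % (rule, scores, path, lineno))
    for rule, path, lineno, scores in shadowed:
        print("replaced: %s %s at %s:%d" % (rule, scores, path, lineno))
    for path, lineno, msg in problems:
        print("problem:  %s:%d %s" % (path, lineno, msg))
```

On the constructed input, the 100.0 set in mailscanner.cf is replaced by the later file, and BAYES_99 stays at 4.5 because the line meant to raise it names a different rule.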
From R.Sterenborg at netsourcing.nl Mon Dec 29 15:57:35 2008 
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Mon Dec 29 15:57:47 2008 Subject: Scanning for multiple organisations In-Reply-To: <4958B6F1.9010706@fsl.com> References: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D4@WISENT.dcyb.net> <4958B6F1.9010706@fsl.com> Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D6@WISENT.dcyb.net> Martin Hepworth wrote: > I know several ISP's that use single MS/SA combinations and it works > well. I'll look at why the spam is getting through, bad whitelists, > not enough third party SA rules etc etc. Perhaps if you post the > pastebin link for an example email (full headers etc), people can run > it over their systems and see what rules hit vs what rules hit for > your setup. The thing is I got the complaint but so far no-one has ever proved to me that our solution was inadequate by sending me the offending emails, so I can't look into it. I am looking for a solution in case I need it. Steve Freegard wrote: > Not without writing some code to achieve it. Search the list > archives for 'spamd support module' and you'll find some code I sent > to the list that adds spamd support into MailScanner via the > GenericSpamScanner interface. > > You'd need to extend that a bit to change which $spamd_user is being > sent to spamd depending on who the message is being sent to (remember > that you will need to handle messages to multiple different domains > in a single message) - then you can run spamd with '-c -x > --virtual-config-dir=/var/spamd/prefs/%u' and it will automatically > create user_prefs and the bayes databases in /var/spamd/prefs/ > for you. If you want to get fancy then you can use '-q' instead of > '--virtual-config-dir' and that will allow all the preferences to be > loaded from SQL instead (note that you can't mix both methods). > > If you decide to go this route, then please make sure that you > contribute your changes back so that others may benefit. This looks interesting. 
I'll look into this in the near future and yes, if I'm able to get what I want (it's in Perl which is not quite my specialty, but I have a colleague who might be able to do it) then I'll post it back.

Thanks!
Rob

From maillists at conactive.com Mon Dec 29 17:31:19 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Dec 29 17:31:33 2008
Subject: Scanning for multiple organisations
In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D6@WISENT.dcyb.net>
References: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D4@WISENT.dcyb.net> <4958B6F1.9010706@fsl.com> <74ACEB3E6A055643A89B8CEC74C7BF2405D957D6@WISENT.dcyb.net>
Message-ID:

Rob Sterenborg wrote on Mon, 29 Dec 2008 16:57:35 +0100:

> The thing is I got the complaint but so far no-one has ever proved to me
> that our solution was inadequate by sending me the offending emails, so
> I can't look into it.

Why not set up Mailwatch and have a glance on the mail traffic from your corner of the eye? Reveals very fast if there's obvious spam getting thru. Depending on what options you let them control they could also have misconfigured something themselves.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From drew.marshall at technologytiger.net Mon Dec 29 21:08:59 2008
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Mon Dec 29 21:09:16 2008 Subject: Scanning for multiple organisations In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D6@WISENT.dcyb.net> References: <74ACEB3E6A055643A89B8CEC74C7BF2405D957D4@WISENT.dcyb.net> <4958B6F1.9010706@fsl.com> <74ACEB3E6A055643A89B8CEC74C7BF2405D957D6@WISENT.dcyb.net> Message-ID: On 29 Dec 2008, at 15:57, Rob Sterenborg wrote: > Martin Hepworth wrote: > >> I know several ISP's that use single MS/SA combinations and it works >> well. I'll look at why the spam is getting through, bad whitelists, >> not enough third party SA rules etc etc. Perhaps if you post the >> pastebin link for an example email (full headers etc), people can run >> it over their systems and see what rules hit vs what rules hit for >> your setup. > > The thing is I got the complaint but so far no-one has ever proved > to me > that our solution was inadequate by sending me the offending emails, > so > I can't look into it. > I am looking for a solution in case I need it. I scan for multiple domains and a fairly large range of types of mail with only 1 bayes db without a problem. I would recommend providing a suitable method for users to train mail (A shared IMAP folder for example. There are some ideas in the wiki) > > > > Steve Freegard wrote: > >> Not without writing some code to achieve it. Search the list >> archives for 'spamd support module' and you'll find some code I sent >> to the list that adds spamd support into MailScanner via the >> GenericSpamScanner interface. >> >> You'd need to extend that a bit to change which $spamd_user is being >> sent to spamd depending on who the message is being sent to (remember >> that you will need to handle messages to multiple different domains >> in a single message) - then you can run spamd with '-c -x >> --virtual-config-dir=/var/spamd/prefs/%u' and it will automatically >> create user_prefs and the bayes databases in /var/spamd/prefs/ >> for you. 
If you want to get fancy then you can use '-q' instead of >> '--virtual-config-dir' and that will allow all the preferences to be >> loaded from SQL instead (note that you can't mix both methods). >> >> If you decide to go this route, then please make sure that you >> contribute your changes back so that others may benefit. > > This looks interesting. I'll look into this in the near future and > yes, > if I'm able to get what I want (it's in Perl which is not quite my > specialty, but I have a collegue who might be able to do it) then I'll > post it back. I would also suggest you search the archives for a series of post that Matt Hampton and I exchanged a few months ago about doing this. We had it running but from my point of view it was using more resources and hence slowing the box more than the native MS set up but it did do what you were looking at. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From root at doctor.nl2k.ab.ca Mon Dec 29 21:14:42 2008 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Dec 29 21:15:20 2008 Subject: Some customized Spam Assassin level not getting picked up In-Reply-To: <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> References: <20081229131252.GA18318@doctor.nl2k.ab.ca> <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> Message-ID: <20081229211441.GA22310@doctor.nl2k.ab.ca> On Mon, Dec 29, 2008 at 01:31:09PM +0000, Martin Hepworth wrote: > 2008/12/29 Dave Shariff Yadallee - System Administrator a.k.a. The > Root of the Problem : > > Right, I have set BAYES_99 and BAYES_95 > > to 100.0 but SpamAssassin default values are being picked up. > > > > Huh??? > > > > Using the latest beta. > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > Dave > > how and where have you set this values? > > > Should be done in /etc/mail/spamassassin/mailscanner.cf > > and set thus > > score BAYES_95 0 0 100.0 100.0 > > and of course restart MailScanner. > Still Seeing the BAYES_95 and PAYES_99 as statndard and not modified. Frustrating! > -- > Martin Hepworth > Oxford, UK > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
From hvdkooij at vanderkooij.org Mon Dec 29 23:07:02 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Dec 29 23:07:12 2008
Subject: Some customized Spam Assassin level not getting picked up
In-Reply-To: <20081229211441.GA22310@doctor.nl2k.ab.ca>
References: <20081229131252.GA18318@doctor.nl2k.ab.ca> <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> <20081229211441.GA22310@doctor.nl2k.ab.ca>
Message-ID: <49595816.4040800@vanderkooij.org>

Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:
> Still Seeing the BAYES_95 and PAYES_99 as standard and not modified.

B != P

That might be an issue.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From ssilva at sgvwater.com Mon Dec 29 23:29:32 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec 29 23:29:52 2008
Subject: Some customized Spam Assassin level not getting picked up
In-Reply-To: <49595816.4040800@vanderkooij.org>
References: <20081229131252.GA18318@doctor.nl2k.ab.ca> <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> <20081229211441.GA22310@doctor.nl2k.ab.ca> <49595816.4040800@vanderkooij.org>
Message-ID:

on 12-29-2008 3:07 PM Hugo van der Kooij spake the following:
> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
> Problem wrote:
>
>> Still Seeing the BAYES_95 and PAYES_99 as standard and not modified.
>
> B != P
>
> That might be an issue.
>
> Hugo.
>

Grep all your /etc/mail/spamassassin files for BAYES and see if you have it set somewhere else at a different setting. Spamassassin will honor the LAST one it reads, even if it reads it multiple times.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From maillists at conactive.com Mon Dec 29 23:31:20 2008
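The check Scott Silva describes above (find every `score` line for a rule and see which one is read last), as an added Python example that is not part of the thread or of MailScanner/SpamAssassin. The stock directory `/usr/share/spamassassin`, the file `zz_tuning.cf` and all file contents are constructed for the illustration; the four-value form is taken to map to SpamAssassin's four score sets (Bayes off/on, network tests off/on), and `if`/`ifplugin` blocks and relative `(n)` scores are not evaluated.

```python
import re
from collections import defaultdict
from pathlib import Path

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(\S.*)$")

STOCK_DIR = "/usr/share/spamassassin"        # assumed stock rules directory
SAMPLE_FILES = [                              # constructed contents, in read order
    (STOCK_DIR + "/50_scores.cf",
     "score BAYES_95 0 0 3.0 3.0\nscore BAYES_99 0 0 3.5 3.5\n"),
    ("/etc/mail/spamassassin/mailscanner.cf",
     "score BAYES_95 0 0 100.0 100.0\nscore PAYES_99 0 0 100.0 100.0\n"),
    ("/etc/mail/spamassassin/zz_tuning.cf",   # hypothetical leftover file
     "# earlier experiment\nscore BAYES_95 5.0\nscore BAYES_50 1 2\n"),
]


def load_cf(directories):
    """Read *.cf files directory by directory, each directory in sorted order."""
    return [(str(p), p.read_text(errors="replace"))
            for d in directories for p in sorted(Path(d).glob("*.cf"))]


def parse_scores(path, text):
    """Return (valid, rejected) `score` lines of one file.

    valid:    [(rule, (s0, s1, s2, s3), path, lineno)]
    rejected: [(path, lineno, line)] for lines without 1 or 4 plain numbers
    """
    valid, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = SCORE_RE.match(line)
        if not m:
            continue
        rule, fields = m.group(1), m.group(2).split()
        try:
            nums = tuple(float(f) for f in fields)
        except ValueError:                            # e.g. relative "(1.5)" form
            nums = ()
        if len(nums) == 1:
            nums = nums * 4                           # one value covers all score sets
        if len(nums) != 4:
            rejected.append((path, lineno, line.strip()))
            continue
        valid.append((rule, nums, path, lineno))
    return valid, rejected


def audit(files, stock_dir):
    """files: [(path, text)] in read order. Returns (report, rejected)."""
    history, rejected = defaultdict(list), []
    for path, text in files:
        valid, bad = parse_scores(path, text)
        rejected.extend(bad)
        for rule, nums, p, n in valid:
            history[rule].append((nums, p, n))
    report = {}
    for rule, defs in history.items():
        report[rule] = {
            "effective": defs[-1],                    # the last line read wins
            "shadowed": defs[:-1],
            "known_to_stock": any(p.startswith(stock_dir) for _, p, _ in defs),
        }
    return report, rejected


def effective_score(report, rule, bayes=True, net=True):
    """Value for the active score set: index = 2*bayes + net."""
    return report[rule]["effective"][0][2 * bool(bayes) + bool(net)]


def findings(report, stock_dir):
    """Human-readable hints: overridden site settings and unknown rule names."""
    out = []
    for rule in sorted(report):
        entry = report[rule]
        _, win_path, win_line = entry["effective"]
        for _, path, line in entry["shadowed"]:
            if not path.startswith(stock_dir):
                out.append(f"{rule}: {path}:{line} is overridden by {win_path}:{win_line}")
        if not entry["known_to_stock"]:
            out.append(f"{rule}: {win_path}:{win_line} has no stock score line, check the spelling")
    return out


if __name__ == "__main__":
    # For a live system: audit(load_cf([STOCK_DIR, "/etc/mail/spamassassin"]), STOCK_DIR)
    report, rejected = audit(SAMPLE_FILES, STOCK_DIR)
    for hint in findings(report, STOCK_DIR):
        print(hint)
    for path, lineno, text in rejected:
        print(f"{path}:{lineno}: ignored, needs 1 or 4 scores: {text}")
```

A rule name that is only scored in site files is not necessarily a typo (locally written rules look the same), so treat that hint as a prompt to check, not as an error.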
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Dec 29 23:31:34 2008
Subject: Some customized Spam Assassin level not getting picked up
In-Reply-To: <20081229211441.GA22310@doctor.nl2k.ab.ca>
References: <20081229131252.GA18318@doctor.nl2k.ab.ca> <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> <20081229211441.GA22310@doctor.nl2k.ab.ca>
Message-ID:

"Dave Shariff Yadallee - System Administrator a.k.a. The Root of the wrote on Mon, 29 Dec 2008 14:14:42 -0700:

> Still Seeing the BAYES_95 and PAYES_99 as standard and not modified.

You probably edited the wrong file. Just introduce an obvious bug in it and you'll see that. You have to reload MS. Apart from that doing this particular manipulation is pure nonsense.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From traced at xpear.de Tue Dec 30 05:51:25 2008
From: traced at xpear.de (traced)
Date: Tue Dec 30 05:51:35 2008
Subject: Some customized Spam Assassin level not getting picked up
In-Reply-To: <20081229211441.GA22310@doctor.nl2k.ab.ca>
References: <20081229131252.GA18318@doctor.nl2k.ab.ca> <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> <20081229211441.GA22310@doctor.nl2k.ab.ca>
Message-ID: <4959B6DD.8020609@xpear.de>

Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:
> On Mon, Dec 29, 2008 at 01:31:09PM +0000, Martin Hepworth wrote:
>> 2008/12/29 Dave Shariff Yadallee - System Administrator a.k.a. The
>> Root of the Problem :
>>> Right, I have set BAYES_99 and BAYES_95
>>> to 100.0 but SpamAssassin default values are being picked up.
>>>
>>> Huh???
>>>
>>> Using the latest beta.
>>
>> Dave
>>
>> how and where have you set these values?
>>
>> Should be done in /etc/mail/spamassassin/mailscanner.cf
>>
>> and set thus
>>
>> score BAYES_95 0 0 100.0 100.0
>>
>> and of course restart MailScanner.
>>
>
> Still Seeing the BAYES_95 and PAYES_99 as standard and not modified.
>
> Frustrating!
>
>> --
>> Martin Hepworth
>> Oxford, UK
Hi,
in my /etc/MailScanner/spam.assassin.prefs.conf I've got for example:

score BAYES_50 3.0
score BAYES_95 5.0
score BAYES_99 5.5

and works without a problem.

From glenn.steen at gmail.com Tue Dec 30 09:45:16 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 30 09:45:26 2008
Subject: Some customized Spam Assassin level not getting picked up
In-Reply-To: <4959B6DD.8020609@xpear.de>
References: <20081229131252.GA18318@doctor.nl2k.ab.ca> <72cf361e0812290531g8696702n73f6594e2c4b73f@mail.gmail.com> <20081229211441.GA22310@doctor.nl2k.ab.ca> <4959B6DD.8020609@xpear.de>
Message-ID: <223f97700812300145va17e554j17cc210e6e3a2076@mail.gmail.com>

2008/12/30 traced :
> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem
> wrote:
>>
>> On Mon, Dec 29, 2008 at 01:31:09PM +0000, Martin Hepworth wrote:
>>>
>>> 2008/12/29 Dave Shariff Yadallee - System Administrator a.k.a. The
>>> Root of the Problem :
>>>>
>>>> Right, I have set BAYES_99 and BAYES_95
>>>> to 100.0 but SpamAssassin default values are being picked up.
>>>>
>>>> Huh???
>>>>
>>>> Using the latest beta.
>>>
>>> Dave
>>>
>>> how and where have you set these values?
>>>
>>> Should be done in /etc/mail/spamassassin/mailscanner.cf
>>>
>>> and set thus
>>>
>>> score BAYES_95 0 0 100.0 100.0
>>>
>>> and of course restart MailScanner.
>>>
>>
>> Still Seeing the BAYES_95 and PAYES_99 as standard and not modified.
>>
>> Frustrating!
>>
>>> --
>>> Martin Hepworth
>>> Oxford, UK
> Hi,
> in my /etc/MailScanner/spam.assassin.prefs.conf I've got for example:
>
> score BAYES_50 3.0
> score BAYES_95 5.0
> score BAYES_99 5.5
>
> and works without a problem.

Your spam.assassin.prefs.conf file is referenced via the symlink /etc/mail/spamassassin/mailscanner.cf, so that is as expected. The problem Dave seems to be having is probably due to multiple settings of the score value, or the file never being read at all. The latter could be because of SA settings (wrong paths) in MailScanner.conf or missing the symlink.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rjette at mestek.com Tue Dec 30 21:10:07 2008
From: rjette at mestek.com (Raymond Jette)
Date: Tue Dec 30 21:10:19 2008
Subject: Whitelist based on recipient
Message-ID: <495A8E2F.2060908@mestek.com>

Good afternoon,

I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9 mailboxes on an Exchange server that I want to receive all mail. I would like all mail sent to these addresses to bypass all checks at the MTA, MS, and SA. At the MTA I am using

reject_non_fqdn_hostname
smtpd_help_required = yes

I also need to skip these checks if possible.

I have searched the archives and the web but I'm still not sure where to start.

Thanks for the help,
Ray

From kc5goi at gmail.com Tue Dec 30 21:48:57 2008
From: kc5goi at gmail.com (Guy Story KC5GOI)
Date: Tue Dec 30 21:49:08 2008
Subject: Whitelist based on recipient
In-Reply-To: <495A8E2F.2060908@mestek.com>
References: <495A8E2F.2060908@mestek.com>
Message-ID:

Ray, I am not 100% sure how to get Postfix to do what you want but on MailScanner I believe you need to add an entry to your spam whitelist rule that reads:

FromTo: email@address.com yes

You should be able to put your 9 addresses in there and they will be skipped for scanning at least for spam content. I do not recommend doing a wildcard then your domain but you could do that. Make sure the entries are before the default action.

On Postfix, good luck seems like I have seen a similar request but darned if I remember where.

Guy

On Tue, Dec 30, 2008 at 3:10 PM, Raymond Jette wrote:
> Good afternoon,
>
> I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9
> mailboxes on an Exchange server that I want to receive all mail. I would
> like all mail sent to these addresses to bypass all checks at the MTA, MS,
> and SA. At the MTA I am using
> reject_non_fqdn_hostname
> smtpd_help_required = yes
>
> I also need to skip these checks if possible.
>
> I have searched the archives and the web but I'm still not sure where to
> start.
>
> Thanks for the help,
> Ray

--
73 Guy Story KC5GOI kc5goi@gmail.com

From prandal at herefordshire.gov.uk Tue Dec 30 22:43:52 2008
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Dec 30 22:44:13 2008 Subject: Error in mcafee-autoupdate in latest betas Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CF7D@HC-MBX02.herefordshire.gov.uk> Folks, there's a mistake in the mcafee-autoupdate script in the latest betas which stops autoupdating of mcafee virus patterns from working. Trivial patch below: # diff -Naur mcafee-autoupdate.old mcafee-autoupdate --- mcafee-autoupdate.old 2008-12-30 22:40:31.000000000 +0000 +++ mcafee-autoupdate 2008-12-30 22:39:36.000000000 +0000 @@ -57,7 +57,7 @@ ;; -*) OPTS=$arg ;; - lock*) LOCKFILE=$arg + *lock) LOCKFILE=$arg ;; /*) PREFIX=$arg ;; Cheers, Phil -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081230/8773d734/attachment.html From rjette at vzw.blackberry.net Tue Dec 30 22:53:13 2008 From: rjette at vzw.blackberry.net (rjette@vzw.blackberry.net) Date: Tue Dec 30 22:59:39 2008 Subject: Whitelist based on recipient In-Reply-To: References: <495A8E2F.2060908@mestek.com> Message-ID: <1435282922-1230677965-cardhu_decombobulator_blackberry.rim.net-969533403-@bxe122.bisx.prod.on.blackberry> Thanks for the reply. When I get back to the office I will attempt this. I'll continue looking for a solution for Postfix. Ray Sent from my Verizon Wireless BlackBerry -----Original Message----- From: "Guy Story KC5GOI" Date: Tue, 30 Dec 2008 15:48:57 To: MailScanner discussion Subject: Re: Whitelist based on recipient -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Tue Dec 30 23:03:01 2008 
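Review bot: in the mcafee-autoupdate hunk above, the new `*lock)` arm only works because it sits above the `/*)` arm, and nothing in the script records that. If the lock file is passed as an absolute path it matches both patterns, so a later reordering of the arms would send it to PREFIX; a one-line comment above `*lock) LOCKFILE=$arg` saying the order matters would guard against that. The pattern is also broad: any argument ending in "lock", including a prefix directory with such a name, now lands in LOCKFILE, so consider narrowing it, for example to `*.lock` if the lock file names always carry that suffix.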
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 30 23:03:10 2008
Subject: Whitelist based on recipient
In-Reply-To:
References: <495A8E2F.2060908@mestek.com>
Message-ID: <223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com>

2008/12/30 Guy Story KC5GOI :
> Ray, I am not 100% sure how to get Postfix to do what you want but on
> MailScanner I believe you need to add an entry to your spam whitelist rule
> that reads:
>
> FromTo: email@address.com yes
>
> You should be able to put your 9 addresses in there and they will be skipped
> for scanning at least for spam content. I do not recommend doing a wildcard
> then your domain but you could do that. Make sure the entries are before
> the default action.
>
There's at least two reasons why this is a bad idea:
1. It will not do what Raymond is after, it'll just skip some of all the checks, not all of them. To achieve the effect sought after, Raymond will have to implement a ruleset on the Scan Message setting instead. Pretty much like for the spam whitelist, but ... best kept separate.
2. Recipient/sender (envelope) addresses are extremely simple to forge, and most spam do so on a regular basis... So bypassing all checks will (eventually) fill those mailboxes with more or less dangerous cr*p, Perhaps not the brightest of ideas. If one is to do this, one better have some fairly good protection in place on the exchange host.

The risks should not be taken lightly... the ramifications may affect all recipients.... and then some:/.

> On Postfix, good luck seems like I have seen a similar request but darned if
> I remember where.
>
As specified, it simply cannot be done. The smtpd_helo_required "take effect" way before you have any sender/recipient information to act upon. The other one could perhaps be avoided by way of an access map, but ... to what avail?
If it were me, I'd try convince the recipients of the ... less than brilliant... path this is.
Do they have any valid reasons for wanting to be "skipped"?
> Guy
>
> On Tue, Dec 30, 2008 at 3:10 PM, Raymond Jette wrote:
>>
>> Good afternoon,
>>
>> I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9
>> mailboxes on an Exchange server that I want to receive all mail. I would
>> like all mail sent to these addresses to bypass all checks at the MTA, MS,
>> and SA. At the MTA I am using
>> reject_non_fqdn_hostname
>> smtpd_help_required = yes
>>
>> I also need to skip these checks if possible.
>>
>> I have searched the archives and the web but I'm still not sure where to
>> start.
>>
>> Thanks for the help,
>> Ray

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Wed Dec 31 00:31:17 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 31 00:31:34 2008
Subject: Whitelist based on recipient
In-Reply-To: <223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com>
References: <495A8E2F.2060908@mestek.com> <223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com>
Message-ID:

Glenn Steen wrote on Wed, 31 Dec 2008 00:03:01 +0100:

> 2. Recipient/sender (envelope) addresses are extremely simple to forge,
> and most spam do so on a regular basis... So bypassing all checks will
> (eventually) fill those mailboxes with more or less dangerous cr*p,

Maybe that's just what he wants (spamtraps ....) ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Dec 31 00:31:16 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 31 00:31:34 2008
Subject: Whitelist based on recipient
In-Reply-To:
References: <495A8E2F.2060908@mestek.com>
Message-ID:

Guy Story KC5GOI wrote on Tue, 30 Dec 2008 15:48:57 -0600:

> I believe you need to add an entry to your spam whitelist rule
> that reads:
>
> FromTo: email@address.com yes

Near, but not exactly. The spam whitelist doesn't exempt it from all checks and he wanted it only for the recipient. So:

Add to scan.messages.rules:

To: email@address.com no

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From rjette at vzw.blackberry.net Wed Dec 31 00:56:52 2008
From: rjette at vzw.blackberry.net (rjette@vzw.blackberry.net)
Date: Wed Dec 31 00:59:00 2008
Subject: Whitelist based on recipient
In-Reply-To: <223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com>
References: <495A8E2F.2060908@mestek.com><223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com>
Message-ID: <1562524237-1230685130-cardhu_decombobulator_blackberry.rim.net-1394409722-@bxe122.bisx.prod.on.blackberry>

Thanks for the reply. I know that it is not a good idea but I believe it is my only option.

I am migrating from an old mail system to Postfix. We have some programs that our sales reps use that were developed in house. These programs are used by companies across the country and cannot be changed. They use our MTA to send mail from their addresses to ours. There are hundreds of installations.

I will look into using a ruleset on the scan message setting.

Back to the archives. I'm not familiar with MS rulesets. Does anyone have any links on the subject?

Thanks,
Ray

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Glenn Steen"
Date: Wed, 31 Dec 2008 00:03:01
To: MailScanner discussion
Subject: Re: Whitelist based on recipient

2008/12/30 Guy Story KC5GOI :
> Ray, I am not 100% sure how to get Postfix to do what you want but on
> MailScanner I believe you need to add an entry to your spam whitelist rule
> that reads:
>
> FromTo: email@address.com yes
>
> You should be able to put your 9 addresses in there and they will be skipped
> for scanning at least for spam content. I do not recommend doing a wildcard
> then your domain but you could do that. Make sure the entries are before
> the default action.
>
There's at least two reasons why this is a bad idea:
1. It will not do what Raymond is after, it'll just skip some of all the checks, not all of them. To achieve the effect sought after, Raymond will have to implement a ruleset on the Scan Message setting instead. Pretty much like for the spam whitelist, but ... best kept separate.
2. Recipient/sender (envelope) addresses are extremely simple to forge, and most spam do so on a regular basis... So bypassing all checks will (eventually) fill those mailboxes with more or less dangerous cr*p, Perhaps not the brightest of ideas. If one is to do this, one better have some fairly good protection in place on the exchange host.

The risks should not be taken lightly... the ramifications may affect all recipients.... and then some:/.

> On Postfix, good luck seems like I have seen a similar request but darned if
> I remember where.
>
As specified, it simply cannot be done. The smtpd_helo_required "take effect" way before you have any sender/recipient information to act upon. The other one could perhaps be avoided by way of an access map, but ... to what avail?
If it were me, I'd try convince the recipients of the ... less than brilliant... path this is.
Do they have any valid reasons for wanting to be "skipped"?
> Guy
>
> On Tue, Dec 30, 2008 at 3:10 PM, Raymond Jette wrote:
>>
>> Good afternoon,
>>
>> I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9
>> mailboxes on an Exchange server that I want to receive all mail. I would
>> like all mail sent to these addresses to bypass all checks at the MTA, MS,
>> and SA. At the MTA I am using
>> reject_non_fqdn_hostname
>> smtpd_help_required = yes
>>
>> I also need to skip these checks if possible.
>>
>> I have searched the archives and the web but I'm still not sure where to
>> start.
>>
>> Thanks for the help,
>> Ray

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Wed Dec 31 06:36:00 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Dec 31 06:36:11 2008
Subject: Whitelist based on recipient
In-Reply-To: <495A8E2F.2060908@mestek.com>
References: <495A8E2F.2060908@mestek.com>
Message-ID: <495B12D0.9050902@vanderkooij.org>

Raymond Jette wrote:
> Good afternoon,
>
> I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9
> mailboxes on an Exchange server that I want to receive all mail. I would
> like all mail sent to these addresses to bypass all checks at the MTA,
> MS, and SA. At the MTA I am using
> reject_non_fqdn_hostname
> smtpd_help_required = yes
>
> I also need to skip these checks if possible.
>
> I have searched the archives and the web but I'm still not sure where to
> start.

Didn't you find: http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD

That should do pretty much what you want.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From glenn.steen at gmail.com Wed Dec 31 11:52:11 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 31 11:52:21 2008
Subject: Whitelist based on recipient
In-Reply-To:
References: <495A8E2F.2060908@mestek.com> <223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com>
Message-ID: <223f97700812310352s5c39584ak43cc3f32dbecd517@mail.gmail.com>

2008/12/31 Kai Schaetzl :
> Glenn Steen wrote on Wed, 31 Dec 2008 00:03:01 +0100:
>
>> 2. Recipient/sender (envelope) addresses are extremely simple to forge,
>> and most spam do so on a regular basis... So bypassing all checks will
>> (eventually) fill those mailboxes with more or less dangerous cr*p,
>
> Maybe that's just what he wants (spamtraps ....) ;-)
>
> Kai
>
Even so, one should think this through carefully;-).
And as it turns out... that's not really "it".

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Dec 31 11:55:11 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 31 11:55:21 2008
Subject: Whitelist based on recipient
In-Reply-To: <1562524237-1230685130-cardhu_decombobulator_blackberry.rim.net-1394409722-@bxe122.bisx.prod.on.blackberry>
References: <495A8E2F.2060908@mestek.com> <223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com> <1562524237-1230685130-cardhu_decombobulator_blackberry.rim.net-1394409722-@bxe122.bisx.prod.on.blackberry>
Message-ID: <223f97700812310355t6d682ef1w83bb4318187cad55@mail.gmail.com>

2008/12/31 :
> Thanks for the reply. I know that it is not a good idea but I believe it is my only option.
>
> I am migrating from an old mail system to Postfix. We have some programs that our sales reps use that were developed in house. These programs are used by companies across the country and cannot be changed. They use our MTA to send mail from their addresses to ours. There are hundreds of installations.
>
> I will look into using a ruleset on the scan message setting.
>
> Back to the archives. I'm not familiar with MS rulesets. Does anyone have any links on the subject?
>
There's a few good things in:
- The wiki (look under documentation.....)
- The example files in the rules directory (perhaps /etc/MailScanner/rules ...)
- The Book (yes, it is actually worth buying... Not only to support Jules;-)

> Thanks,
> Ray
>
> Sent from my Verizon Wireless BlackBerry
>
...
> -----Original Message-----
> From: "Glenn Steen"
>
> Date: Wed, 31 Dec 2008 00:03:01
> To: MailScanner discussion
> Subject: Re: Whitelist based on recipient
>
>
> 2008/12/30 Guy Story KC5GOI :
>> Ray, I am not 100% sure how to get Postfix to do what you want but on
>> MailScanner I believe you need to add an entry to your spam whitelist rule
>> that reads:
>>
>> FromTo: email@address.com yes
>>
>> You should be able to put your 9 addresses in there and they will be skipped
>> for scanning at least for spam content. I do not recommend doing a wildcard
>> then your domain but you could do that. Make sure the entries are before
>> the default action.
>>
> There's at least two reasons why this is a bad idea:
> 1. It will not do what Raymond is after, it'll just skip some of all
> the checks, not all of them. To achieve the effect sought after,
> Raymond will have to implement a ruleset on the Scan Message setting
> instead. Pretty much like for the spam whitelist, but ... best kept
> separate.
> 2. Recipient/sender (envelope) addresses are extremely simple to forge,
> and most spam do so on a regular basis... So bypassing all checks will
> (eventually) fill those mailboxes with more or less dangerous cr*p,
> Perhaps not the brightest of ideas. If one is to do this, one better
> have some fairly good protection in place on the exchange host.
>
> The risks should not be taken lightly... the ramifications may affect
> all recipients.... and then some:/.
>
>> On Postfix, good luck seems like I have seen a similar request but darned if
>> I remember where.
>>
> As specified, it simply cannot be done. The smtpd_helo_required "take
> effect" way before you have any sender/recipient information to act
> upon. The other one could perhaps be avoided by way of an access map,
> but ... to what avail?
> If it were me, I'd try convince the recipients of the ... less than
> brilliant... path this is.
> Do they have any valid reasons for wanting to be "skipped"?
>
>> Guy
>>
>> On Tue, Dec 30, 2008 at 3:10 PM, Raymond Jette wrote:
>>>
>>> Good afternoon,
>>>
>>> I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9
>>> mailboxes on an Exchange server that I want to receive all mail. I would
>>> like all mail sent to these addresses to bypass all checks at the MTA, MS,
>>> and SA. At the MTA I am using
>>> reject_non_fqdn_hostname
>>> smtpd_help_required = yes
>>>
>>> I also need to skip these checks if possible.
>>>
>>> I have searched the archives and the web but I'm still not sure where to
>>> start.
>>>
>>> Thanks for the help,
>>> Ray
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Dec 31 11:59:50 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 31 12:00:01 2008
Subject: Whitelist based on recipient
In-Reply-To: <495B12D0.9050902@vanderkooij.org>
References: <495A8E2F.2060908@mestek.com> <495B12D0.9050902@vanderkooij.org>
Message-ID: <223f97700812310359s3612ed8fhc06c2aa2d4054f66@mail.gmail.com>

2008/12/31 Hugo van der Kooij :
> Raymond Jette wrote:
>> Good afternoon,
>>
>> I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9
>> mailboxes on an Exchange server that I want to receive all mail. I would
>> like all mail sent to these addresses to bypass all checks at the MTA,
>> MS, and SA. At the MTA I am using
>> reject_non_fqdn_hostname
>> smtpd_help_required = yes
>>
>> I also need to skip these checks if possible.
>>
>> I have searched the archives and the web but I'm still not sure where to
>> start.
>
> Didn't you find: http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD
>
> That should do pretty much what you want.
>
Yes... for some... The strict helo thing isn't that "easily" handled though;-)
And if the "cr*pplication" doesn't present a semi-valid helo (or none at all) ... Raymond will need look at getting an update out there:-).
Of course, one could try do some selective transport tricks... Hm... Will think on this while celebrating the new years.... Quality of thinking _not_ assured:-):-)

> Hugo.
>

Cheers & Happy (Healthy!) New Year to you all!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rjette at vzw.blackberry.net Wed Dec 31 15:25:06 2008
From: rjette at vzw.blackberry.net (rjette@vzw.blackberry.net)
Date: Wed Dec 31 15:28:07 2008
Subject: Whitelist based on recipient
In-Reply-To: <495B12D0.9050902@vanderkooij.org>
References: <495A8E2F.2060908@mestek.com><495B12D0.9050902@vanderkooij.org>
Message-ID: <1784293523-1230737086-cardhu_decombobulator_blackberry.rim.net-1297650686-@bxe122.bisx.prod.on.blackberry>

Thanks for the link. I'll take a look now.

-----Original Message-----
From: Hugo van der Kooij
Date: Wed, 31 Dec 2008 07:36:00
To: MailScanner discussion
Subject: Re: Whitelist based on recipient

Raymond Jette wrote:
> Good afternoon,
>
> I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9
> mailboxes on an Exchange server that I want to receive all mail. I would
> like all mail sent to these addresses to bypass all checks at the MTA,
> MS, and SA. At the MTA I am using
> reject_non_fqdn_hostname
> smtpd_help_required = yes
>
> I also need to skip these checks if possible.
>
> I have searched the archives and the web but I'm still not sure where to
> start.

Didn't you find: http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD

That should do pretty much what you want.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From kc5goi at gmail.com Wed Dec 31 15:33:00 2008
From: kc5goi at gmail.com (Guy Story KC5GOI)
Date: Wed Dec 31 15:33:11 2008
Subject: Whitelist based on recipient
In-Reply-To: <223f97700812310359s3612ed8fhc06c2aa2d4054f66@mail.gmail.com>
References: <495A8E2F.2060908@mestek.com> <495B12D0.9050902@vanderkooij.org> <223f97700812310359s3612ed8fhc06c2aa2d4054f66@mail.gmail.com>
Message-ID:

Glenn and Kai,

I am not real keen on skipping the checks either. I have a small spam white list but we had to do it for certain senders to us. We have vendors that seem to always get tagged. I have Postfix doing checks for evilness (body, header and mime header) and I agree that the spam white list is not stopping all checks. I agree that the spam white list rule only bypasses the spam check, not the AV. Everything gets AV scanned, I do not waver on that aspect.

I agree with Glenn Steen on Postfix. I might have seen a question similar to yours but not a way to do it. I did not ask this earlier, I did not want to pry but I too am curious why you would like to have those 9 get all the email sent to them.

It goes into more detail than I will put here and it is in the wiki but you can put entries in rules for specific addresses that can run different checks. You basically add an entry for a specific email address that points to a different rule. You can disable the checks in those rules. For example, I block WMA files for all but a few employees. You can bypass the filename, file type, spam checks etc but that defeats the purpose of running Mailscanner.

--
73 Guy Story KC5GOI
kc5goi@gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081231/711e4bb7/attachment.html

From rjette at vzw.blackberry.net Wed Dec 31 19:11:56 2008
From: rjette at vzw.blackberry.net (rjette@vzw.blackberry.net)
Date: Wed Dec 31 19:11:47 2008
Subject: Whitelist based on recipient
In-Reply-To: <223f97700812310355t6d682ef1w83bb4318187cad55@mail.gmail.com>
References: <495A8E2F.2060908@mestek.com><223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com><1562524237-1230685130-cardhu_decombobulator_blackberry.rim.net-1394409722-@bxe122.bisx.prod.on.blackberry><223f97700812310355t6d682ef1w83bb4318187cad55@mail.gmail.com>
Message-ID: <733589094-1230750696-cardhu_decombobulator_blackberry.rim.net-1907630464-@bxe122.bisx.prod.on.blackberry>

I have the book on order. Thanks
-----Original Message-----
From: "Glenn Steen"
Date: Wed, 31 Dec 2008 12:55:11
To: MailScanner discussion
Subject: Re: Whitelist based on recipient

2008/12/31 :
> Thanks for the reply. I know that it is not a good idea but I believe it is my only option.
>
> I am migrating from an old mail system to Postfix. We have some programs that our sales reps use that were developed in house. These programs are used by companies across the country and cannot be changed. They use our MTA to send mail from their addresses to ours. There are hundreds of installations.
>
> I will look into using a ruleset on the scan message setting.
>
> Back to the archives. I'm not familiar with MS rulesets. Does anyone have any links on the subject?
>
There's a few good things in:
- The wiki (look under documentation.....)
- The example files in the rules directory (perhaps /etc/MailScanner/rules ...)
- The Book (yes, it is actually worth buying... Not only to support Jules;-)

> Thanks,
> Ray
>
> Sent from my Verizon Wireless BlackBerry
>
...
> -----Original Message-----
> From: "Glenn Steen"
>
> Date: Wed, 31 Dec 2008 00:03:01
> To: MailScanner discussion
> Subject: Re: Whitelist based on recipient
>
>
> 2008/12/30 Guy Story KC5GOI :
>> Ray, I am not 100% sure how to get Postfix to do what you want but on
>> MailScanner I believe you need to add an entry to your spam whitelist rule
>> that reads:
>>
>> FromTo: email@address.com yes
>>
>> You should be able to put your 9 addresses in there and they will be skipped
>> for scanning at least for spam content. I do not recommend doing a wildcard
>> then your domain but you could do that. Make sure the entries are before
>> the default action.
>>
> There's at least two reasons why this is a bad idea:
> 1. It will not do what Raymond is after, it'll just skip some of all
> the checks, not all of them. To achieve the effect sought after,
> Raymond will have to implement a ruleset on the Scan Message setting
> instead. Pretty much like for the spam whitelist, but ... best kept
> separate.
> 2. Recipient/sender (envelope) addresses are extremely simple to forge,
> and most spam do so on a regular basis... So bypassing all checks will
> (eventually) fill those mailboxes with more or less dangerous cr*p,
> Perhaps not the brightest of ideas. If one is to do this, one better
> have some fairly good protection in place on the exchange host.
>
> The risks should not be taken lightly... the ramifications may affect
> all recipients.... and then some:/.
>
>> On Postfix, good luck seems like I have seen a similar request but darned if
>> I remember where.
>>
> As specified, it simply cannot be done. The smtpd_helo_required "take
> effect" way before you have any sender/recipient information to act
> upon. The other one could perhaps be avoided by way of an access map,
> but ... to what avail?
> If it were me, I'd try convince the recipients of the ... less than
> brilliant... path this is.
> Do they have any valid reasons for wanting to be "skipped"?
>
>> Guy
>>
>> On Tue, Dec 30, 2008 at 3:10 PM, Raymond Jette wrote:
>>>
>>> Good afternoon,
>>>
>>> I am running Postfix, Mailscanner, and Spamassassin on my MTA. I have 9
>>> mailboxes on an Exchange server that I want to receive all mail. I would
>>> like all mail sent to these addresses to bypass all checks at the MTA, MS,
>>> and SA. At the MTA I am using
>>> reject_non_fqdn_hostname
>>> smtpd_help_required = yes
>>>
>>> I also need to skip these checks if possible.
>>>
>>> I have searched the archives and the web but I'm still not sure where to
>>> start.
>>>
>>> Thanks for the help,
>>> Ray
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Wed Dec 31 20:10:34 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Dec 31 20:11:03 2008
Subject: Whitelist based on recipient
In-Reply-To: <733589094-1230750696-cardhu_decombobulator_blackberry.rim.net-1907630464-@bxe122.bisx.prod.on.blackberry>
References: <495A8E2F.2060908@mestek.com><223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com><1562524237-1230685130-cardhu_decombobulator_blackberry.rim.net-1394409722-@bxe122.bisx.prod.on.blackberry><223f97700812310355t6d682ef1w83bb4318187cad55@mail.gmail.com> <733589094-1230750696-cardhu_decombobulator_blackberry.rim.net-1907630464-@bxe122.bisx.prod.on.blackberry>
Message-ID: <495BD1BA.6020009@ecs.soton.ac.uk>

Please tell me you ordered it through the MailScanner website (i.e. through CafePress or Lulu). Anything else will take ages, cost you more, and cause me a lot of grief.

Thanks! :-)

Jules.

On 31/12/08 19:11, rjette@vzw.blackberry.net wrote:
> I have the book on order. Thanks

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rjette at vzw.blackberry.net Wed Dec 31 21:33:49 2008
From: rjette at vzw.blackberry.net (rjette@vzw.blackberry.net)
Date: Wed Dec 31 21:43:28 2008
Subject: Whitelist based on recipient
In-Reply-To: <495BD1BA.6020009@ecs.soton.ac.uk>
References: <495A8E2F.2060908@mestek.com><223f97700812301503n6f48c568ld1637893536eee42@mail.gmail.com><1562524237-1230685130-cardhu_decombobulator_blackberry.rim.net-1394409722-@bxe122.bisx.prod.on.blackberry><223f97700812310355t6d682ef1w83bb4318187cad55@mail.gmail.com><733589094-1230750696-cardhu_decombobulator_blackberry.rim.net-1907630464-@bxe122.bisx.prod.on.blackberry><495BD1BA.6020009@ecs.soton.ac.uk>
Message-ID: <2033800429-1230759799-cardhu_decombobulator_blackberry.rim.net-908575140-@bxe122.bisx.prod.on.blackberry>

CafePress. Happy new years everyone.

From Kevin_Miller at ci.juneau.ak.us Wed Dec 31 22:54:48 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Dec 31 22:55:00 2008
Subject: OT: Happy New Year
Message-ID:

Just a quick note to wish everyone a Happy (and spam free) New Year, especially Jules. Your hard work and giving spirit has certainly made the past year much nicer for all of us...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From MailScanner at ecs.soton.ac.uk Wed Dec 31 23:24:07 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Dec 31 23:24:27 2008
Subject: Anti-phishing -- was Re: OT: Happy New Year
In-Reply-To:
References:
Message-ID: <495BFF17.5060705@ecs.soton.ac.uk>

On 31/12/08 22:54, Kevin Miller wrote:
> Just a quick note to wish everyone a Happy (and spam free) New Year,
> especially Jules. Your hard work and giving spirit has certainly made
> the past year much nicer for all of us...
>
Many thanks!

You might be interested I've been doing a bit of work with the Google-hosted project "anti-phishing-email-reply" which you can find here:
http://code.google.com/p/anti-phishing-email-reply/

My aim was to create a trap for all those nasty spear-phishing attacks and those endless "Temporary job offer" spams that some of you will get.

I have created a little script (which is pretty obvious, source code is given below) which just generates a list of addresses based on what's in their file. I add that to my own list of known troublesome addresses, which can have "*" wildcards in them, so you can do things like
    michael loucas * @ gmail . com
(extra spaces added to stop my stuff picking up that address and killing this message).

I then generate a bunch of SpamAssassin rules from that which detect any of these few thousand addresses appearing anywhere in a message, with lots of safeguards to protect against false alarms. It also compacts them into only a hundred or two rules, instead of having 1 SpamAssassin rule for each address!

I then use SpamAssassin Rule Actions to do this:
SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster@ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"

This lot fires whenever any of my SpamAssassin rules fires. It
1) Adds a header "X-ECS-Mail-Access:" containing the list of original recipient addresses,
2) Stores a copy of the message
3) Stops delivery to the original recipients
4) Sends a copy to postmaster, where I have a Sieve rule firing on the presence of the "X-ECS-Mail-Access:" header to store it in a folder without cluttering up postmaster's inbox.

My script, that builds all the SpamAssassin rules, works from a YP/NIS map called "mail.access" which contains each email address from the google list and my list in the first word of a line, looking like this
bad@domain.com REJECT
nasty@false.bank.com REJECT

I sort it so that the regular expressions created are more optimal for Perl, so it can apply them faster to each message.

My script that builds all the SpamAssassin rules is attached.

My script that reads the google list and creates the YP/NIS map from it is simply this:

#!/bin/sh

# Private, unpredictable temporary file rather than /tmp/$$.blocks
BLOCKS=`mktemp /tmp/blocks.XXXXXX` || exit 1

echo Fetching phishing addresses...
/usr/local/bin/wget -O "$BLOCKS" http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses >/dev/null 2>&1

# wget -O leaves an empty file behind when the download fails, so test for
# a non-empty file (-s) to avoid replacing the map with nothing.
if [ -s "$BLOCKS" ]; then
  echo Read `grep -v '^#' "$BLOCKS" | wc -l` addresses
  # Drop comments, keep the address (first comma-separated field),
  # de-duplicate, and write "address<TAB>REJECT" lines.
  sed -e 's/^#.*$//' < "$BLOCKS" | \
  cut -d, -f1 | \
  sort | \
  uniq | \
  grep -v '^$' | \
  awk '{ printf("%s\tREJECT\n",$1); }' > /opt/yp/etc/mail.access.anti-phishing
  # Rebuild the YP/NIS maps
  cd /opt/yp && ./ypmake
fi
rm -f "$BLOCKS"

The "ypcat -k mail.access" command at the start of Build.Phishing.Rules basically reads my list in addition to the contents of the file /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so you can easily convert it to just use a temporary file and do all of this lot on the same server. If you aren't using YP/NIS then you obviously won't need the "ypmake" command either.

I hope this is of some use to some of you. It traps "Temporary job offer" spams and spear-phishing attacks very well indeed.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Build.Phishing.Rules.gz
Type: application/gzip
Size: 974 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081231/134e436d/Build.Phishing.Rules.bin
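
Added example, not part of Julian Field's message and not the scrubbed Build.Phishing.Rules attachment: one way to turn a mail.access-style list into a few SpamAssassin rules of the kind the message describes, with "*" wildcards, guards against partial-address matches, and many addresses per rule. The rule name PHISH_REPLY_ADDR, the chunk size, the minimum-literal safeguard, the score and the sample addresses are assumptions constructed for this example.

```python
import re

ADDR_CHARS = "A-Za-z0-9._%+-"                     # what a "*" may stand for
LEFT_GUARD = "(?<![" + ADDR_CHARS + "])"          # not the tail of a longer local part
RIGHT_GUARD = r"(?![A-Za-z0-9_-]|\.[A-Za-z0-9])"  # not the start of a longer domain
MIN_LOCAL_LITERALS = 3                            # assumed safeguard against broad patterns
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")

# Constructed sample in the "address<TAB>REJECT" format shown in the message.
SAMPLE_MAP = """\
# comment lines and duplicates are dropped
bad@domain.example\tREJECT
Nasty@false.bank.example\tREJECT
mike.l*@mail.example\tREJECT
*@mail.example\tREJECT
bad@domain.example\tREJECT
"""


def parse_access_map(text):
    """Return the sorted, de-duplicated first word of each non-comment line."""
    seen = set()
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            seen.add(words[0].lower())
    return sorted(seen)


def _escape(literal):
    # Backslash every non-word character so "@", "." and "/" are inert in Perl.
    return "".join(c if c.isalnum() or c == "_" else "\\" + c for c in literal)


def address_to_regex(addr):
    """Regex fragment for one address, or None if it is too broad to use."""
    addr = addr.lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not DOMAIN_RE.fullmatch(domain):       # also rejects "*" in the domain
        return None
    if sum(c.isalnum() for c in local) < MIN_LOCAL_LITERALS:
        return None                           # e.g. "*@mail.example"
    wildcard = "[" + ADDR_CHARS + "]*"        # "*" never crosses "@" or whitespace
    local_re = wildcard.join(_escape(part) for part in local.split("*"))
    return local_re + "\\@" + _escape(domain)


def build_rules(addresses, per_rule=50, name="PHISH_REPLY_ADDR"):
    """Return (rule_lines, skipped_addresses) for a SpamAssassin .cf file."""
    patterns, skipped = [], []
    for addr in addresses:
        fragment = address_to_regex(addr)
        if fragment is None:
            skipped.append(addr)
        else:
            patterns.append(fragment)
    lines, subrules = [], []
    for n, start in enumerate(range(0, len(patterns), per_rule), 1):
        alternation = "|".join(patterns[start:start + per_rule])
        regex = "/%s(?:%s)%s/i" % (LEFT_GUARD, alternation, RIGHT_GUARD)
        body, header = "__%s_B%03d" % (name, n), "__%s_H%03d" % (name, n)
        lines.append("body %s %s" % (body, regex))             # message text
        lines.append("header %s ALL =~ %s" % (header, regex))  # all headers
        subrules += [body, header]
    if subrules:
        lines.append("meta %s (%s)" % (name, " || ".join(subrules)))
        lines.append("describe %s Known phishing reply address in message" % name)
        lines.append("score %s 0.1" % name)   # assumed score
    return lines, skipped


def rule_matches(rule_line, text):
    """Python-side sanity check of one generated body/header rule."""
    regex = rule_line[rule_line.index("/") + 1:rule_line.rindex("/")]
    return re.search(regex, text, re.I) is not None


if __name__ == "__main__":
    rules, skipped = build_rules(parse_access_map(SAMPLE_MAP), per_rule=2)
    print("\n".join(rules))
    print("skipped as too broad:", skipped)
```

Run the output through "spamassassin --lint" before deploying it; the Python check only exercises the regex syntax that Perl and Python share.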