From pascal.maes at elec.ucl.ac.be Fri Feb 1 08:00:09 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Feb 1 08:00:29 2008
Subject: "Is Definitely Spam" rule not working ?
Message-ID:

Hello,

In MailScanner.conf, we have

# Spam Blacklist:
# Make this point to a ruleset, and anything in that ruleset whose value
# is "yes" will *always* be marked as spam.
# This value can be over-ridden by the "Is Definitely Not Spam" setting.
# This can also be the filename of a ruleset.
Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no

In spam_blacklist.rules, we have :

From: 66.63.168. yes

FromOrTo: default no

As this rule could be over-ridden, I check that

Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules

the file spam_whitelist.rules doesn't contain anything about that
domain or IP or the recipient

Then, I wonder why the following mail was not tagged as SPAM

Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
 by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id
 <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
 for (ORCPT email_address); Thu, 31 Jan 2008 20:21:28 +0100 (CET)
Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
 by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
 ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
 by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
 31 Jan 2008 20:21:38 +0100 (CET)
Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
 hk8fra01g741; Thu, 31 Jan 2008 14:19:07 -0500
Date: Thu, 31 Jan 2008 14:18:49 -0500
Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
From: Travel Offers
X-SGSI-MailScanner: Found to be clean
X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
 requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
X-SGSI-Spam-Score: sss
X-SGSI-From: travel-offers@mytravfolks.com
X-SGSI-Spam-Status: No

--
Pascal

From MailScanner at ecs.soton.ac.uk Fri Feb 1 11:38:32 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 1 11:39:01 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References:
Message-ID: <47A304B8.30803@ecs.soton.ac.uk>

Pascal Maes wrote:
> Hello,
>
> In MailScanner.conf, we have
>
> # Spam Blacklist:
> # Make this point to a ruleset, and anything in that ruleset whose value
> # is "yes" will *always* be marked as spam.
> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
> # This can also be the filename of a ruleset.
> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>
> In spam_blacklist.rules, we have :
>
> From: 66.63.168. yes
>
> FromOrTo: default no
>
> As this rule could be over-ridden, I check that
>
> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>
> the file spam_whitelist.rules doesn't contain anything about that
> domain or IP or the recipient
>
> Then, I wonder why the following mail was not tagged as SPAM
>
> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>  by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>  6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id
>  <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>  for (ORCPT email_address); Thu, 31 Jan 2008 20:21:28 +0100 (CET)
> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>  ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
>  31 Jan 2008 20:21:38 +0100 (CET)
> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>  hk8fra01g741; Thu, 31 Jan 2008 14:19:07 -0500
> Date: Thu, 31 Jan 2008 14:18:49 -0500
> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
> From: Travel Offers
> X-SGSI-MailScanner: Found to be clean
> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>  requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)

Because it scored 3.5 where the required score is 5.

>
> X-SGSI-Spam-Score: sss
> X-SGSI-From: travel-offers@mytravfolks.com
> X-SGSI-Spam-Status: No
>
> --
> Pascal
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Feb 1 11:39:48 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 1 11:40:12 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References:
Message-ID: <47A30504.5010408@ecs.soton.ac.uk>

Sorry, ignore my last comment.
Not sure on this one. Have you tested the ruleset with the command-line?
Run "MailScanner --help" to start with.

Pascal Maes wrote:
> Hello,
>
> In MailScanner.conf, we have
>
> # Spam Blacklist:
> # Make this point to a ruleset, and anything in that ruleset whose value
> # is "yes" will *always* be marked as spam.
> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
> # This can also be the filename of a ruleset.
> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>
> In spam_blacklist.rules, we have :
>
> From: 66.63.168. yes
>
> FromOrTo: default no
>
> As this rule could be over-ridden, I check that
>
> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>
> the file spam_whitelist.rules doesn't contain anything about that
> domain or IP or the recipient
>
> Then, I wonder why the following mail was not tagged as SPAM
>
> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>  by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>  6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id
>  <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>  for (ORCPT email_address); Thu, 31 Jan 2008 20:21:28 +0100 (CET)
> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>  ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
>  31 Jan 2008 20:21:38 +0100 (CET)
> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>  hk8fra01g741; Thu, 31 Jan 2008 14:19:07 -0500
> Date: Thu, 31 Jan 2008 14:18:49 -0500
> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
> From: Travel Offers
> X-SGSI-MailScanner: Found to be clean
> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>  requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
> X-SGSI-Spam-Score: sss
> X-SGSI-From: travel-offers@mytravfolks.com
> X-SGSI-Spam-Status: No
>
> --
> Pascal
>

Jules

From pascal.maes at elec.ucl.ac.be Fri Feb 1 11:56:59 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Feb 1 11:57:13 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47A304B8.30803@ecs.soton.ac.uk>
References: <47A304B8.30803@ecs.soton.ac.uk>
Message-ID:

On 01 Feb 08 at 12:38, Julian Field wrote:

> Pascal Maes wrote:
>> Hello,
>>
>> In MailScanner.conf, we have
>>
>> # Spam Blacklist:
>> # Make this point to a ruleset, and anything in that ruleset whose value
>> # is "yes" will *always* be marked as spam.
>> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
>> # This can also be the filename of a ruleset.
>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>
>> In spam_blacklist.rules, we have :
>>
>> From: 66.63.168. yes
>>
>> FromOrTo: default no
>>
>> As this rule could be over-ridden, I check that
>>
>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>
>> the file spam_whitelist.rules doesn't contain anything about that
>> domain or IP or the recipient
>>
>> Then, I wonder why the following mail was not tagged as SPAM
>>
>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>  by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>  6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id
>>  <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>>  for (ORCPT email_address); Thu, 31 Jan 2008 20:21:28 +0100 (CET)
>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>>  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>>  ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
>>  31 Jan 2008 20:21:38 +0100 (CET)
>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>  hk8fra01g741; Thu, 31 Jan 2008 14:19:07 -0500
>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>> From: Travel Offers
>> X-SGSI-MailScanner: Found to be clean
>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>>  requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
> Because it scored 3.5 where the required score is 5.
>>
>> X-SGSI-Spam-Score: sss
>> X-SGSI-From: travel-offers@mytravfolks.com
>> X-SGSI-Spam-Status: No
>>
>> --
>> Pascal
>>
>
> Jules
>

yes but as we have the header

Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])

which matches the rule in spam_blacklist.rules

From: 66.63.168. yes

The message should have been tagged Spam

--
Pascal

From pascal.maes at elec.ucl.ac.be Fri Feb 1 13:12:26 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Feb 1 13:12:53 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47A30504.5010408@ecs.soton.ac.uk>
References: <47A30504.5010408@ecs.soton.ac.uk>
Message-ID:

On 01 Feb 08 at 12:39, Julian Field wrote:

> Sorry, ignore my last comment.
> Not sure on this one. Have you tested the ruleset with the command-line?
> Run "MailScanner --help" to start with.
>

/opt/MailScanner/bin/MailScanner --value="Is Definitely Spam" --ip=66.63.168.38 /opt/MailScanner/etc/MailScanner.conf
Looked up internal option name "spamblacklist"
With sender =
Client IP = 66.63.168.38
Virus =
Result is "1"

0=No 1=Yes

--
Pascal

From Stefan.Fournier at gmx.de Fri Feb 1 16:19:26 2008
From: Stefan.Fournier at gmx.de (Stefan Fournier)
Date: Fri Feb 1 16:19:34 2008
Subject: filter on empty from, <>, postmaster
Message-ID: <20080201161926.286950@gmx.net>

Hi,

I wonder if there's a possibility to create a ruleset that matches
on the postmaster address Mail From: <>
I want all that mails to have in a different outqueuedir.
I tried all type of things with "<>", "", //, ... with no success

We have MailScanner-4.56.8 on ubuntu 6.06

Any hints?

Thanks,
Stefan

From ssilva at sgvwater.com Fri Feb 1 19:33:48 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Feb 1 19:34:18 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References: <47A304B8.30803@ecs.soton.ac.uk>
Message-ID:

on 2/1/2008 3:56 AM Pascal Maes spake the following:
>
> On 01 Feb 08 at 12:38, Julian Field wrote:
>
>> Pascal Maes wrote:
>>> Hello,
>>>
>>> In MailScanner.conf, we have
>>>
>>> # Spam Blacklist:
>>> # Make this point to a ruleset, and anything in that ruleset whose value
>>> # is "yes" will *always* be marked as spam.
>>> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
>>> # This can also be the filename of a ruleset.
>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>
>>> In spam_blacklist.rules, we have :
>>>
>>> From: 66.63.168. yes
>>>
>>> FromOrTo: default no
>>>
>>> As this rule could be over-ridden, I check that
>>>
>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>
>>> the file spam_whitelist.rules doesn't contain anything about that
>>> domain or IP or the recipient
>>>
>>> Then, I wonder why the following mail was not tagged as SPAM
>>>
>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>  by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>  6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id
>>>  <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>>>  for (ORCPT email_address); Thu, 31 Jan 2008 20:21:28 +0100 (CET)
>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>>>  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>>>  ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
>>>  31 Jan 2008 20:21:38 +0100 (CET)
>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>  hk8fra01g741; Thu, 31 Jan 2008 14:19:07 -0500
>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>> From: Travel Offers
>>> X-SGSI-MailScanner: Found to be clean
>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>>>  requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>> Because it scored 3.5 where the required score is 5.
>>>
>>> X-SGSI-Spam-Score: sss
>>> X-SGSI-From: travel-offers@mytravfolks.com
>>> X-SGSI-Spam-Status: No
>>>
>>> --
>>> Pascal
>>>
>>
>> Jules
>>
>
> yes but as we have the header
>
> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>
> which matches the rule in spam_blacklist.rules
>
> From: 66.63.168. yes
>
> The message should have been tagged Spam
>
> --
> Pascal
>

Do those rules check all received headers, or just the last one received from?
Julian would know for sure.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From hvdkooij at vanderkooij.org Sat Feb 2 10:15:12 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Feb 2 10:15:43 2008
Subject: OT? SPAM network top 100 of 2008-02-02
Message-ID: <47A442B0.6080901@vanderkooij.org>

Another top 100 of spam sending networks due to popular requests.

If you want a fresh view daily I suggest you request a trial license of
Trend Micro's Email Reputation Services. Even with an expired account you
will be able to check out their top 100. So you do not have to spend a
dime on Trend Micro. And getting a new trial license each month is not
that hard. Just a monthly webform to fill in.

Hugo.

Rank This Week  Rank Last Week  ASN  ISP Name  Spam Volume(24hrs)  Botnet Activity
001  001  9121  TTNET TTnet Autonomous System  4.10B  -29.5
002  002  3269  ASN-IBSNAZ TELECOM ITALIA  2.50B  -25.1
003  003  19262  VZGNI-TRANSIT - Verizon Internet Services Inc.  2.74B  4.1
004  004  5617  TPNET Polish Telecom's commercial IP network  1.39B  -33.7
005  005  6147  Telefonica del Peru S.A.A.  1.13B  21.7
006  006  15557  LDCOMNET NEUF CEGETEL (formerly LDCOM NETWORKS)  974.6M  -28.4
007  007  7738  Telecomunicacoes da Bahia S.A.  938.1M  2.9
008  008  4766  KIXS-AS-KR Korea Telecom  852.0M  1.9
009  010  22927  Telefonica de Argentina  785.8M  7.2
010  011  1267  ASN-INFOSTRADA Infostrada S.p.A.  738.1M  -26.4
011  012  2856  BT-UK-AS BTnet UK Regional network  696.9M  -36.7
012  018  27699  TELECOMUNICACOES DE SAO PAULO S/A - TELESP  599.1M  0.9
013  016  8167  TELESC - Telecomunicacoes de Santa Catarina SA  641.7M  5.3
014  013  3352  TELEFONICA-DATA-ESPANA Internet Access Network of TDE  450.0M  -24.8
015  014  9498  BBIL-AP BHARTI BT INTERNET LTD.  467.3M  9.4
016  017  8359  COMSTAR COMSTAR-Direct Moscow region network  482.1M  -26.4
017  026  6739  ONO-AS Cableuropa - ONO  484.1M  -19.1
018  030  4134  CHINANET-BACKBONE No.31,Jin-rong Street  394.3M  0.7
019  027  4837  CHINA169-BACKBONE CNCGROUP China169 Backbone  265.2M  -1.8
020  022  5462  CABLEINET Telewest Broadband  482.1M  -35.6
021  031  12876  AS12876 Telecom Italia France  416.9M  -31.2
022  032  9318  HANARO-AS Hanaro Telecom Inc.  346.6M  2.0
023  025  7418  Terra Networks Chile S.A.  367.8M  18.8
024  034  28573  NET Servicos de Comunicao S.A.  375.0M  4.5
025  023  9829  BSNL-NIB National Internet Backbone  355.3M  9.1
026  019  3215  AS3215 France Telecom - Orange  231.4M  -19.2
027  041  4788  TMNET-AS-AP TM Net, Internet Service Provider  319.1M  5.9
028  036  6713  IAM-AS  334.8M  -33.7
029  038  16338  AUNA_TELECOM-AS Cableuropa - ONO  301.4M  -19.4
030  037  8612  TISCALI-IT Tiscali Italia SpA.  300.9M  -23.6
031  043  13184  HANSENET HanseNet Telekommunikation GmbH  334.4M  -26.0
032  039  7132  SBIS-AS - AT&T Internet Services  342.0M  7.1
033  042  8151  Uninet S.A. de C.V.  308.4M  8.9
034  062  12322  PROXAD AS for Proxad/Free ISP  187.8M  -18.6
035  047  19429  ETB - Colombia  209.8M  10.2
036  053  8228  CEGETEL-AS CEGETEL ENTREPRISES  214.1M  -27.6
037  056  11351  RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC  223.1M  0.9
038  055  12479  UNI2-AS Uni2 Autonomous System  199.6M  -25.7
039  051  4755  VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System  211.1M  2.5
040  060  7643  VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)  193.3M  1.0
041  058  11426  SCRR-11426 - Road Runner HoldCo LLC  220.8M  1.2
042  063  12271  SCRR-12271 - Road Runner HoldCo LLC  228.1M  13.0
043  061  3462  HINET Data Communication Business Group  143.0M  2.1
044  057  8997  ASN-SPBNIT SPBNIT-RU Autonomous System  187.0M  -26.1
045  067  9299  IPG-AS-AP Philippine Long Distance Telephone Company  190.2M  4.2
046  076  8551  BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone  146.7M  -9.2
047  071  9143  ATHOME-BENELUX-BV AtHome Benelux BV provides broadband ISP services  164.8M  -32.7
048  069  12741  INTERNETIA-AS Netia SA  163.1M  -29.3
049  064  3816  COLOMBIA TELECOMUNICACIONES S.A. ESP  151.5M  15.5
050  075  6849  UKRTELNET JSC UKRTELECOM,  163.8M  -24.6
051  074  4813  BACKBONE-GUANGDONG-AP China Telecom(Group)  108.9M  -1.1
052  077  11427  SCRR-11427 - Road Runner HoldCo LLC  167.1M  9.7
053  068  17858  KRNIC-ASBLOCK-AP KRNIC  18.4M  -1.5
054  052  5384  EMIRATES-INTERNET Emirates Internet  75.8M  -12.5
055  078  9141  AS9141 UPC Poland  120.3M  -32.0
056  087  6678  AS-NOOS NOOS Autonomous System  123.1M  -22.1
057  079  13285  OPALTELECOM-AS Opal Telecom  130.4M  -32.1
058  085  4589  EASYNET Easynet Group Plc  131.0M  -30.4
059  089  4713  OCN NTT Communications Corporation  129.4M  -5.0
060  103  3243  TELEPAC PT.Com - Comunicacoes Interactivas, S.A.  121.1M  -13.5
061  090  22291  CHARTER-LA - Charter Communications  122.8M  16.1
062  083  6332  Telefonos del Noroeste S.A. de C.V.  121.8M  25.6
063  092  5391  T-HT T-Com Croatia Internet network  127.6M  -33.7
064  093  13343  SCRR-13343 - Road Runner HoldCo LLC  139.9M  12.5
065  105  9116  GOLDENLINES-ASN Golden Lines Main Autonomous System  112.6M  -8.8
066  106  8584  BARAK Netvision 013 Barak - Barak Network  98.6M  -9.4
067  114  12715  JAZZNET Jazz Telecom S.A.  86.6M  -14.8
068  102  6855  SK SLOVAK TELECOM, AS6855  114.3M  -35.3
069  095  6478  ATT-INTERNET3 - AT&T WorldNet Services  10.8M  3.6
070  099  12338  EUSKALTEL Euskaltel Autonomous System  95.5M  -22.8
071  111  33287  DNEO-OSP4 - Comcast Cable Communications, Inc.  120.5M  3.3
072  112  6746  ASTRAL ASTRAL Telecom SA, Romania  107.7M  -29.4
073  108  1221  ASN-TELSTRA Telstra Pty Ltd  95.5M  -3.6
074  113  12542  TVCABO Autonomous System  90.9M  -10.3
075  104  5713  SAIX-NET  105.8M  -4.8
076  115  5486  SMILE-ASN Euronet Digital Communications, (1992) LTD, Israel  82.5M  -6.2
077  157  12695  DINET-AS Digital Network JSC  150.7M  -19.3
078  118  6799  OTENET-GR OTEnet S.A. Multiprotocol Backbone & ISP  95.4M  -28.2
079  101  6458  Telgua  90.5M  6.6
080  117  5668  AS-5668 - CenturyTel Internet Holdings, Inc.  106.7M  6.5
081  131  18881  Global Village Telecom  92.7M  5.0
082  029  9737  TOTNET-TH-AS-AP Telephone Organization of Thailand  5.0M  0.3
083  125  8764  TEOLTAB TEO LT AB Autonomous System  87.2M  -25.2
084  164  6327  SHAW - Shaw Communications Inc.  63.4M  32.0
085  150  12874  FASTWEB Fastweb Autonomous System  69.8M  -25.5
086  129  8881  VERSATEL Versatel Deutschland  75.6M  -25.5
087  119  33491  DNEO-OSP7 - Comcast Cable Communications, Inc.  7.8M  2.7
088  121  5466  EIRCOM Eircom  79.6M  -17.1
089  140  12357  COMUNITEL Comunitel Global Autonomous System  59.8M  -27.4
090  141  1257  TELE2  63.3M  -39.9
091  127  8696  INVITEL INVITEL Telecommunications  75.9M  -23.1
092  154  36727  INSIGHT-COMMUNICATIONS-CORP-AS1 - INSIGHT COMMUNICATIONS COMPANY, L.P.  103.0M  7.7
093  133  3216  SOVAM-AS Golden Telecom, Moscow, Russia  65.6M  -2.9
094  134  3292  TDC TDC Data Networks  75.8M  -35.2
095  167  24326  TTT-AS-AP Maxnet, Internet Service Provider, Bangkok  116.3M  0.1
096  126  21826  Internet Cable Plus C. A.  71.3M  4.3
097  135  19444  CHARTER-STL - CHARTER COMMUNICATIONS  66.0M  5.9
098  128  8866  BTC-AS Bulgarian Telecommunication Company Plc.  71.0M  -12.6
099  124  22773  CCINET-2 - Cox Communications Inc.  71.6M  20.2
100  136  7552  VIETEL-AS-AP Vietel Corporation  59.7M  4.1

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From subscribe at kringstad.net Sat Feb 2 10:16:50 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 10:17:11 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <47A1EE26.9020802@sequestered.net>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net>
Message-ID:

Hi,
I have a problem when I start MailScanner on Ubuntu 6.06 LTS.

**** ERROR: You must upgrade your perl IO module to at least
**** ERROR: version 1.2301 or MailScanner will not work!

Does anyone know which package that I need to upgrade?

Regards,
Trond

From glenn.steen at gmail.com Sat Feb 2 10:25:31 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Feb 2 10:25:42 2008
Subject: filter on empty from, <>, postmaster
In-Reply-To: <20080201161926.286950@gmx.net>
References: <20080201161926.286950@gmx.net>
Message-ID: <223f97700802020225h1ac0f986pb782ae392e05bb81@mail.gmail.com>

On 01/02/2008, Stefan Fournier wrote:
> Hi,
>
> I wonder if there's a possibility to create a ruleset that matches
> on the postmaster address Mail From: <>
> I want all that mails to have in a different outqueuedir.
> I tried all type of things with "<>", "", //, ... with no success
>
> We have MailScanner-4.56.8 on ubuntu 6.06
>
> Any hints?
>
> Thanks,
> Stefan

Um, did you try matching the empty field like in /^$/ .... or something
similar (on the From: field, presumably)?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Feb 2 10:28:44 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Feb 2 10:28:55 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To: <47A442B0.6080901@vanderkooij.org>
References: <47A442B0.6080901@vanderkooij.org>
Message-ID: <223f97700802020228q386a5993k699300cfabbe8eb6@mail.gmail.com>

On 02/02/2008, Hugo van der Kooij wrote:
> Another top 100 of spam sending networks due to popular requests.
>
> If you want a fresh view daily I suggest you request a trial license of
> Trend Micro's Email Reputation Services. Even with an expired account you
> will be able to check out their top 100. So you do not have to spend a
> dime on Trend Micro. And getting a new trial license each month is not
> that hard. Just a monthly webform to fill in.
>
> Hugo.
>

Hasn't those ....... (fill in your own sentiment:) at Trend ruined all
their credibility?

Cheers
--
-- Glenn

From hvdkooij at vanderkooij.org Sat Feb 2 10:35:00 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Feb 2 10:35:29 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To:
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net>
Message-ID: <47A44754.3000504@vanderkooij.org>

subscribe wrote:
| Hi,
| I have a problem when I start MailScanner on Ubuntu 6.06 LTS.
|
| **** ERROR: You must upgrade your perl IO module to at least
| **** ERROR: version 1.2301 or MailScanner will not work!
|
| Does anyone know which package that I need to upgrade?

Look at what you got installed now. I think you should be able to detect
the name if you search the list of installed packages.

I also noticed some remarks that the IO module is part of perl itself
but I think it is unlikely that ubuntu is shipped with a stone-age
version of perl.

Not being an ubuntu user myself I can not provide you with an exact name.

Hugo.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHpEdSBvzDRVjxmYERAt8mAJwNleVRpxrrQzEytYrFsiD7PogoXQCfWP/h 8Ua+uk9+hwJ3lJxEzIWMWFg= =A/MJ -----END PGP SIGNATURE----- From subscribe at kringstad.net Sat Feb 2 10:52:24 2008 From: subscribe at kringstad.net (subscribe) Date: Sat Feb 2 10:52:38 2008 Subject: Perl IO Modules on Ubuntu 6.06 In-Reply-To: <47A44754.3000504@vanderkooij.org> References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> Message-ID: I think it is libio-zlib-perl, but I can't find newer ones at Ubuntu. root@worf:~# dpkg -l| grep perl| egrep io ii libarchive-zip-perl 1.16-1 Module for manipulation of ZIP archives ii libcompress-zlib-perl 1.41-1 Perl module for creation and manipulation of ii libhtml-parser-perl 3.48-1 A collection of modules that parse HTML text ii libio-stringy-perl 2.110-1 Perl5 modules for IO from scalars and arrays ii libio-zlib-perl 1.04-1 IO:: style interface to Compress::Zlib ii liblocale-gettext-perl 1.05-1 Using libc functions for internationalizatio ii libnet-ip-perl 1.24-1 Perl extension for manipulating IPv4/IPv6 ad ii libplrpc-perl 0.2017-1 Perl extensions for writing PlRPC servers an ii libsnmp-session-perl 1.08-1 Perl support for accessing SNMP-aware device ii libsocket6-perl 0.17-1 Perl extensions for IPv6 ii libtext-wrapi18n-perl 0.06-4 internationalized substitute of Text::Wrap ii libtimedate-perl 1.1600-5 Time and date functions for Perl ii perl 5.8.7-10ubuntu1.1 Larry Wall's Practical Extraction and Report ii perl-doc 5.8.7-10ubuntu1.1 Perl documentation Regards, Trond Kringstad -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij Sent: 2. 
februar 2008 11:35 To: MailScanner discussion Subject: Re: Perl IO Modules on Ubuntu 6.06 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 subscribe wrote: | Hi, | I have a problem when I start MailScanner on Ubuntu 6.06 LTS. | | **** ERROR: You must upgrade your perl IO module to at least | **** ERROR: version 1.2301 or MailScanner will not work! | | Does anyone know which package that I need to upgrade? Look at what you got installed now. I think you should be able to detect the name if you search the list of installed packages. I also noticed some remarks that the IO module is part or perl itself but I think it is unlikely that ubuntu is shipped with a stone-age version of perl. Not being an ubuntu user myself I can not provide you with an exact name. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHpEdSBvzDRVjxmYERAt8mAJwNleVRpxrrQzEytYrFsiD7PogoXQCfWP/h 8Ua+uk9+hwJ3lJxEzIWMWFg= =A/MJ -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From shuttlebox at gmail.com Sat Feb 2 11:00:16 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Feb 2 11:00:25 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <47A44754.3000504@vanderkooij.org>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org>
Message-ID: <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com>

On Feb 2, 2008 11:35 AM, Hugo van der Kooij wrote:
> Look at what you got installed now. I think you should be able to detect
> the name if you search the list of installed packages. I also noticed
> some remarks that the IO module is part of perl itself but I think it is
> unlikely that ubuntu is shipped with a stone-age version of perl.

IO is included in core Perl but not even the brand new 5.10 includes 1.2301.

--
/peter

From subscribe at kringstad.net Sat Feb 2 11:19:15 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 11:19:24 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com>
Message-ID:

How should I install it then? Or is it a bug in MailScanner?

Regards,
Trond Kringstad

From shuttlebox at gmail.com Sat Feb 2 11:28:04 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Feb 2 11:28:13 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To:
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com>
Message-ID: <625385e30802020328x6192e5edy64f34b3107960cb9@mail.gmail.com>

On Feb 2, 2008 12:19 PM, subscribe wrote:
> How should I install it then? Or is it a bug in MailScanner?

How did you install MailScanner? Did you use the tar dist? It should contain IO 1.2301.

--
/peter

From subscribe at kringstad.net Sat Feb 2 12:48:29 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 12:48:39 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <625385e30802020328x6192e5edy64f34b3107960cb9@mail.gmail.com>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com> <625385e30802020328x6192e5edy64f34b3107960cb9@mail.gmail.com>
Message-ID:

I used the tar.gz, but damn I might just install it again then :)
I upgraded the packages on my Ubuntu server, that might have written over
the one that came with MailScanner.

Regards,
Trond Kringstad

From info at applyingsystems.com Sat Feb 2 12:57:59 2008
From: info at applyingsystems.com (Philip Doran)
Date: Sat Feb 2 13:00:25 2008
Subject: Logwatch not including blacklisted emails in mailscanner report section
Message-ID: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>

I am having a problem with blacklisted emails not showing up on the
mailscanner logwatch report. Whitelisted emails are showing up. The
blacklisted emails are showing up in the mail log (all default locations)
just not the report. Anyone have this problem?

-v output:

This is MailScanner version 4.65.3
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.16 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.22 IO
1.13 IO::File
1.13 IO::Pipe
1.77 Mail::Header
1.86 Math::BigInt
3.07 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.07 MIME::QuotedPrint
5.420 MIME::Tools
0.11 Net::CIDR
1.09 POSIX
1.18 Scalar::Util
1.78 Socket
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.30 Archive::Tar
0.21 bignum
missing Business::ISBN
missing Business::ISBN::Data
0.17 Convert::TNEF
missing Data::Dump
1.815 DB_File
1.13 DBD::SQLite
1.56 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Encode::Detect
missing Error
missing ExtUtils::CBuilder
missing ExtUtils::ParseXS
missing Inline
missing IO::String
1.04 IO::Zlib
missing IP::Country
missing Mail::ClamAV
3.002003 Mail::SpamAssassin
missing Mail::SPF
missing Mail::SPF::Query
0.19 Math::BigRat
missing Module::Build
missing Net::CIDR::Lite
0.61 Net::DNS
missing Net::DNS::Resolver::Programmable
missing Net::LDAP
missing NetAddr::IP
missing Parse::RecDescent
missing SAVI
2.64 Test::Harness
missing Test::Manifest
1.95 Text::Balanced
1.35 URI
missing version
missing YAML

----

-lint output

Checking version numbers...
Version number in MailScanner.conf (4.65.3) is correct.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-TAMB-MailScanner-From

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /etc/MailScanner/rules/spam.whitelist.rules
config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /etc/MailScanner/rules/spam.blacklist.rules
SpamAssassin reported an error.

MailScanner.conf says "Virus Scanners = f-prot"
Found these virus scanners installed: f-prot
===========================================================================
===========================================================================
Virus Scanner test reports:
F-Prot said "./1/eicar.com Infection: EICAR_Test_File"

If any of your virus scanners (f-prot) are not listed there, you should
check that they are installed correctly and that MailScanner is finding
them correctly via its virus.scanners.conf.

From subscribe at kringstad.net Sat Feb 2 13:11:10 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 13:11:23 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To:
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com> <625385e30802020328x6192e5edy64f34b3107960cb9@mail.gmail.com>
Message-ID:

It worked. Thx!

Regards,
Trond

From hvdkooij at vanderkooij.org Sat Feb 2 14:13:54 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Feb 2 14:14:32 2008
Subject: Logwatch not including blacklisted emails in mailscanner report section
In-Reply-To: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>
References: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>
Message-ID: <47A47AA2.7010207@vanderkooij.org>

Philip Doran wrote:
| I am having a problem with blacklisted emails not showing up on the
| mailscanner logwatch report. Whitelisted emails are showing up. The
| blacklisted emails are showing up in the mail log (all default locations)
| just not the report. Anyone have this problem?

Sounds more like a logwatch issue. I suggest you raise this issue on the
logwatch mailing list. But do not forget to include MS and logwatch
version info as well as the distro and most importantly: Samples of
lines that get detected and lines that don't get detected.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From ssilva at sgvwater.com Sat Feb 2 18:08:25 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Feb 2 18:08:49 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To: <47A442B0.6080901@vanderkooij.org>
References: <47A442B0.6080901@vanderkooij.org>
Message-ID:

on 2/2/2008 2:15 AM Hugo van der Kooij spake the following:
> Another top 100 of spam sending networks due to popular requests.
>
> If you want a fresh view daily I suggest you request a trial license of
> Trend Micro's Email Reputation Services. Even with an expired account you
> will be able to check out their top 100. So you do not have to spend a
> dime on Trend Micro. And getting a new trial license each month is not
> that hard. Just a monthly webform to fill in.
>
I'd be afraid they would sue me!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From uxbod at splatnix.net Sat Feb 2 18:39:22 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sat Feb 2 18:39:51 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To:
Message-ID: <15333103.01201977562595.JavaMail.root@office.splatnix.net>

LOL :)

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Scott Silva" wrote:

> on 2/2/2008 2:15 AM Hugo van der Kooij spake the following:

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From gmane at tippingmar.com Sun Feb 3 00:17:01 2008
From: gmane at tippingmar.com (Mark Nienberg)
Date: Sun Feb 3 00:17:20 2008
Subject: Logwatch not including blacklisted emails in mailscanner report section
In-Reply-To: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>
References: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>
Message-ID:

Philip Doran wrote:

> -lint output
>
> Checking version numbers...
> Version number in MailScanner.conf (4.65.3) is correct.
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-TAMB-MailScanner-From
>
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
> config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.blacklist.rules
> SpamAssassin reported an error.

Are you sure your white/black lists are really working? You should fix the
errors noted. Are you confusing MailScanner's white/black lists with
spamassassin's? I don't think there should be references to
/etc/MailScanner/rules in mailscanner.cf (which is a link to
spam.assassin.prefs.conf). They should be in MailScanner.conf.

Does this help?
Mark

From gcle at smcaus.com.au Mon Feb 4 02:49:08 2008
From: gcle at smcaus.com.au (Gerard Cleary)
Date: Mon Feb 4 02:49:34 2008
Subject: MailScanner cannot analyse tif files
Message-ID: <200802041349.08195.gcle@smcaus.com.au>

Hi there,

Our company has started receiving tif files from our parent company in Japan.
Unfortunately, MailScanner cannot analyse them and it produces a message:
"MailScanner: Could not analyze message".

When I bypass MailScanner, the file gets delivered and when I run the "file"
command I get the following output:
[gcle@msf ~]$ file XAM00011.tif
XAM00011.tif: TIFF image data, little-endian
[gcle@msf ~]$ file -i XAM00011.tif
XAM00011.tif: image/tiff

I have tried to get tif files bypassed by MailScanner using the following line
in filename.rules.conf: (without the diamond brackets of course and with the
whitespace between fields all TABs) and a matching line in
filetype.rules.conf: (same provisos as above).

Getting desperate, I put an entry into allow.filenames.rules: and an entry
into allow.filetypes.rules: (again, with the same provisos as above).

I still get the "couldn't analyze" message so I then asked for a sample of the
tif file from our technical department who use these files in their work.

When I received it I ran the "file" command as usual and I got the following
results:
[gcle@msf ~]$ file XAL00471.tif
XAL00471.tif: TIFF image data, big-endian
[gcle@msf ~]$ file -i XAL00471.tif
XAL00471.tif: image/tiff

It seems that once the file has been through the technical department, it is
turned into a "big-endian" file and MailScanner has no problem with it at
all. (Our parent company in Japan use AS400 mainframes.)

I am using MailScanner 4.65.3 on Centos Release 4.4 and Sendmail 8.14.0.

I have tried having the MailScanner configuration "TNEF Expander"
saying "internal" and then saying "/usr/bin/tnef" (with an accompanying
maxsize setting many times greater than these tif files) but there is no
change in the resulting message.

I have checked the archives for "endian" entries but the four entries that
come up have "endian" as a minor detail.

I had thought that the "endian" bit format would be transparent to users
because the operating systems were meant to "deal" with it but maybe I'm
badly mistaken.

Does anybody know what the problem really is please and how I can get around
it in MailScanner? I can provide the two named files above if anybody
thought that might be useful.

In the meantime, I have turned off all MailScanner checking of any eMail from
our parent company but this is not our preferred option.

Gerard.
--
Gerard Cleary
Systems Administrator
SMC Pneumatics (Australia) P/L
Ph: +61 2 9354 8222

--
This email message and any related attachments are confidential and should
only be read by those persons to whom they were addressed. They may contain
copyright, personal or legally privileged information. If you are not the
intended recipient of this email, any use of this information is strictly
prohibited and it must be deleted from your system. Views expressed in this
message are the views of the sender and are not necessarily views of SMC
Corporation, or its subsidiaries, except where the message expressly states
otherwise.
Any advice contained herein should be treated as preliminary advice only and
subject to formal written confirmation. Although this email and any
attachments are believed to be free of any virus or any other defect which may
cause damage or loss, it is the responsibility of the recipient to ensure that
they are virus-free. SMC accepts no liability for any loss or damage that may
occur as a result of the transmission of this email or its attachments to the
recipient.

From Stefan.Fournier at gmx.de Mon Feb 4 08:37:48 2008
From: Stefan.Fournier at gmx.de (Stefan Fournier)
Date: Mon Feb 4 08:38:01 2008
Subject: filter on empty from, <>, postmaster
Message-ID: <20080204083748.145850@gmx.net>

> Um, did you try matching the empty field like in
>/^$/
> ....
> or something similar (on the From: field, presumably)?

Right, this works! Stupid of me not to have tried that one.

Thanks,
Stefan
--
GMX FreeMail: 1 GB mailbox, 5 e-mail addresses, 10 free SMS.
All information and free sign-up: http://www.gmx.net/de/go/freemail

From martinh at solidstatelogic.com Mon Feb 4 09:00:06 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Feb 4 09:00:19 2008
Subject: MailScanner cannot analyse tif files
In-Reply-To: <200802041349.08195.gcle@smcaus.com.au>
Message-ID: <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>

Hi

This is normally an antivirus issue, and the error comes from that. What AV
are you using?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error you must
take no action based on them, nor must you copy or show them to anyone.
Please advise the sender by replying to this e-mail immediately and then
delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the
author and unless specifically stated to the contrary, are not necessarily
those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications
medium and can be subject to data corruption. We advise that you consider
this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments
are free from known viruses but in keeping with good computing practice, you
should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From m.anderlini at database.it Mon Feb 4 11:04:47 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Mon Feb 4 11:23:33 2008
Subject: How to understand spamassasin speed
In-Reply-To: <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>
References: <200802041349.08195.gcle@smcaus.com.au> <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>
Message-ID: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it>

Hello everybody,

Is there any way to test the speed of a single spamassassin test, so as to
know which is slowing my system?

I've done

spamassassin -D --lint 2>/tmp/speed.txt

but there is no way to understand how much time each process takes?

Thanks for your help and sorry for my worst English

Best regards
Marcello

--
Message checked by the Database Informatica antivirus service

From MailScanner at ecs.soton.ac.uk Mon Feb 4 12:01:51 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 4 12:02:16 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References: <47A304B8.30803@ecs.soton.ac.uk>
Message-ID: <47A6FEAF.5050306@ecs.soton.ac.uk>

Scott Silva wrote:
> on 2/1/2008 3:56 AM Pascal Maes spake the following:
>>
>> On 01 Feb 08 at 12:38, Julian Field wrote:
>>
>>> Pascal Maes wrote:
>>>> Hello,
>>>>
>>>> In MailScanner.conf, we have
>>>>
>>>> # Spam Blacklist:
>>>> # Make this point to a ruleset, and anything in that ruleset whose value
>>>> # is "yes" will *always* be marked as spam.
>>>> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
>>>> # This can also be the filename of a ruleset.
>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>>
>>>> In spam_blacklist.rules, we have :
>>>>
>>>> From: 66.63.168. yes
>>>>
>>>> FromOrTo: default no
>>>>
>>>> As this rule could be over-ridden, I check that
>>>>
>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>>
>>>> the file spam_whitelist.rules doesn't contain anything about that
>>>> domain or IP or the recipient
>>>>
>>>> Then, I wonder why the following mail was not tagged as SPAM
>>>>
>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>> 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id
>>>> <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>>>> for (ORCPT email_address); Thu, 31 Jan 2008 20:21:28 +0100 (CET)
>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for
>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>> hk8fra01g741; Thu, 31 Jan 2008 14:19:07 -0500
>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>>> From: Travel Offers
>>>> X-SGSI-MailScanner: Found to be clean
>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>>> Because it scored 3.5 where the required score is 5.
>>>>
>>>> X-SGSI-Spam-Score: sss
>>>> X-SGSI-From: travel-offers@mytravfolks.com
>>>> X-SGSI-Spam-Status: No
>>>>
>>>> --
>>>> Pascal
>>>
>>> Jules
>>
>> yes but as we have the header
>>
>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>
>> which matches the rule in spam_blacklist.rules
>>
>> From: 66.63.168. yes
>>
>> The message should have been tagged Spam
>>
>> --
>> Pascal
>
> Do those rules check all received headers, or just the last one
> received from?
> Julian would know for sure.
>
They just check the last one, the IP address of the SMTP client that
sent the message to your server.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From support-lists at petdoctors.co.uk Mon Feb 4 13:11:33 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Mon Feb 4 13:12:07 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To: <47A442B0.6080901@vanderkooij.org>
Message-ID: <027801c8672f$76d65160$0202fea9@support01>

Thanks for the list - is it available as a MailScanner blacklist so I can
just drop it in place and live a quiet life???

NK From hofu12 at physik.tu-darmstadt.de Mon Feb 4 13:29:23 2008 From: hofu12 at physik.tu-darmstadt.de (Joachim Holzfuss) Date: Mon Feb 4 13:29:45 2008 Subject: rules: IP Address in To: expression reports Config Error Message-ID: Hi, I was under the impression from reading the examples and README files located in the rules directory that I can setup a highscore spam policy based on a receiving mailserver specified like To: IP.AD.DR.ESS delete This works for From: but not for To: or FromOrTo: Instead I get in the logs: Config Error: Cannot match against destination IP address when resolving configuration option "highscorespamactions.rule" Is this intended or not yet needed by someone else? Greetings Joachim From shuttlebox at gmail.com Mon Feb 4 13:38:40 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Mon Feb 4 13:38:50 2008 Subject: rules: IP Address in To: expression reports Config Error In-Reply-To: References: Message-ID: <625385e30802040538p2d6d0d99p412752db3a3e615f@mail.gmail.com> On Feb 4, 2008 2:29 PM, Joachim Holzfuss wrote: > Hi, > > I was under the impression from reading the examples and README files > located in the rules directory > that I can setup a highscore spam policy based > on a receiving mailserver specified like > > To: IP.AD.DR.ESS delete > > This works for From: but not for To: or FromOrTo: > Instead I get in the logs: > Config Error: Cannot match against destination IP address > when resolving configuration option "highscorespamactions.rule" > > Is this intended or not yet needed by someone else? The destination is not yet known, it's worked out by your MTA after MailScanner releases control over the mail. 
-- /peter From MailScanner at ecs.soton.ac.uk Mon Feb 4 13:40:16 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Feb 4 13:40:41 2008 Subject: rules: IP Address in To: expression reports Config Error In-Reply-To: References: Message-ID: <47A715C0.3000108@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joachim Holzfuss wrote: > Hi, > > I was under the impression from reading the examples and README files > located in the rules directory > that I can setup a highscore spam policy based > on a receiving mailserver specified like > > To: IP.AD.DR.ESS delete > > This works for From: but not for To: or FromOrTo: > Instead I get in the logs: > Config Error: Cannot match against destination IP address > when resolving configuration option "highscorespamactions.rule" > > Is this intended or not yet needed by someone else? > It's intended. You don't know the IP address you are delivering a message to until you have delivered it. So you can't test against the delivery IP address. > Greetings > Joachim > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHpxXAEfZZRxQVtlQRArcnAKDcr+mha1tkRmBUGzi8zHgN3ihtPACfSiPp F8zWbfKY2/yMsXUNxZ7uAd8= =5qtz -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
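Added example (not part of any list message, and not MailScanner's own code): a simplified Python model of the two answers above, that an IP pattern in a From: rule is compared only with the address of the SMTP client that handed the message to the scanning host, and that an IP pattern under To: or FromOrTo: is a configuration error. The function names, the evaluation order (first matching rule, then the default), the supported pattern forms and the recipient address are assumptions of this sketch; the Received: lines are constructed from the headers quoted in the thread.

```python
"""Simplified model of IP patterns in a MailScanner-style ruleset (illustration only)."""
import fnmatch
import ipaddress
import re

# Ruleset quoted in the thread (spam_blacklist.rules).
RULESET = """\
From:      66.63.168.   yes
FromOrTo:  default      no
"""

# Constructed from the Received: headers quoted in the thread, newest first.
RECEIVED = [
    "from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) by mmp.sipr-dc.ucl.ac.be",
    "from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1]) "
    "by smtp4.sgsi.ucl.ac.be (Postfix)",
    "from rssl2.mytravfolks.com (unknown [66.63.168.38]) "
    "by smtp4.sgsi.ucl.ac.be (Postfix)",
    "by rssl2.mytravfolks.com (qmail 412 by uid 77)",
]
SENDER = "travel-offers@mytravfolks.com"   # from the X-SGSI-From header
RECIPIENT = "user@example.org"             # placeholder, elided in the thread

IP_PATTERN = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?(/\d{1,2})?$")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class ConfigError(ValueError):
    """Raised for a rule this model refuses to load."""


def parse_ruleset(text):
    """Return [(direction, pattern, value)]; reject IP patterns on the To side."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ConfigError(f"line {lineno}: expected 'Direction: pattern value'")
        direction = fields[0].rstrip(":").lower()
        pattern, value = fields[1], fields[2].strip()
        if direction not in ("from", "to", "fromorto"):
            raise ConfigError(f"line {lineno}: direction not handled by this model")
        # The destination IP is not known until delivery, so it cannot be tested.
        if IP_PATTERN.match(pattern) and direction != "from":
            raise ConfigError(
                f"line {lineno}: Cannot match against destination IP address")
        rules.append((direction, pattern, value))
    return rules


def ip_matches(pattern, client_ip):
    """Match a CIDR block, a dotted prefix ending in '.', or an exact address."""
    if "/" in pattern:
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def evaluate(rules, client_ip, sender, recipient):
    """Value of the first matching rule, else the 'default' rule's value."""
    default = None
    for direction, pattern, value in rules:
        if pattern == "default":
            default = value
            continue
        if IP_PATTERN.match(pattern):
            # Only the directly connected SMTP client is compared, never the
            # addresses recorded further down the Received: chain.
            hit = ip_matches(pattern, client_ip)
        else:
            addrs = {"from": [sender], "to": [recipient],
                     "fromorto": [sender, recipient]}[direction]
            hit = any(fnmatch.fnmatch(a.lower(), pattern.lower()) for a in addrs)
        if hit:
            return value
    return default


def received_ips(headers):
    """Every bracketed IPv4 address in the Received: chain, newest hop first."""
    return [m.group(1) for h in headers for m in BRACKET_IP.finditer(h)]


def verdict_per_hop(rules, headers, sender, recipient):
    """What the ruleset returns if each hop in turn were the connecting client."""
    return {ip: evaluate(rules, ip, sender, recipient)
            for ip in received_ips(headers)}


if __name__ == "__main__":
    loaded = parse_ruleset(RULESET)
    for ip, verdict in verdict_per_hop(loaded, RECEIVED, SENDER, RECIPIENT).items():
        print(f"connecting client {ip:<14} -> Is Definitely Spam = {verdict}")
    try:
        parse_ruleset("To: 192.0.2.10 delete\n")
    except ConfigError as exc:
        print("rejected:", exc)
```

Only the run in which 66.63.168.38 is the directly connected client returns yes; the same address sitting lower in the Received: chain does not change the result for the other hops.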
From glenn.steen at gmail.com Mon Feb 4 14:16:27 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Feb 4 14:16:38 2008
Subject: How to understand spamassasin speed
In-Reply-To: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it>
References: <200802041349.08195.gcle@smcaus.com.au> <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com> <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it>
Message-ID: <223f97700802040616j59598419p2a267b1a1f814ead@mail.gmail.com>

On 04/02/2008, Marcello Anderlini wrote:
> Hello everybody,
> Is there any way to test the speed of single spamassassin test so to know
> which is slowing my system ?
>
> I've done spamassassin -D --lint 2>/tmp/speed.txt but there is no way to
> understand how may time each process takes long ?
>
> Thanks for your help and sorry for my worst English
>
> Best regards
>
> Marcello
>
Two things, one simple, one a little less simple:
1) Don't redirect the debug info to a file, just let it scroll by. When it pauses, you'll likely see what it has done (which isn't the cause) and will (with a little luck and speed on ... redirecting stderr to stdout isn't bad either) see what took so long to perform once it "unclogs";).
2) Install and use MailWatch. On the Tools page you have a link "SpamAssassin lint (Test)" which will colorize and time each line of the output...

Unfortunately, this will likely not test the most obvious culprits... Network related tests... To test these, one cannot just do a simple lint anymore, one has to provide a test message like in
spamassassin -D -t < /path/to/message file
... It shouldn't be hard to make MailWatch do that though:-).
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From donald.dawson at bakerbotts.com Mon Feb 4 15:26:57 2008
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Mon Feb 4 15:27:10 2008
Subject: How to understand spamassasin speed
In-Reply-To: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Marcello Anderlini
> Sent: Monday, February 04, 2008 5:05 AM
> To: 'MailScanner discussion'
> Subject: How to understand spamassasin speed
>
>
> Hello everybody,
> Is there any way to test the speed of single spamassassin
> test so to know
> which is slowing my system ?
>
> I've done spamassassin -D --lint 2>/tmp/speed.txt but there
> is no way to
> understand how may time each process takes long ?
>
> Thanks for your help and sorry for my worst English
>
> Best regards
>
> Marcello
>
One of our new mail servers had been blocked by spamhaus and that was causing additional delays.

I added the following to the spamassassin prefs file on our MX server and the processing time per message improved by 3 seconds. Someone with more experience in this mail list can verify if this is correct, or too extensive in dropping RBL lookups.

# 11/22/07 DLD - from ms listsever - stops spamhaus lookups
score __RCVD_IN_ZEN 0.0
score RCVD_IN_SBL 0.0
score RCVD_IN_XBL 0.0
score RCVD_IN_PBL 0.0
score URIBL_SBL 0.0

# 11/26/07 DLD Timeouts using ms debug
score URIBL_RHS_DOB 0.0
score DNS_FROM_DOB 0.0

I ran:

# MailScanner --debug --debug-sa 2>&1 | awk '{printf"%s %s\n", strftime("%T"), $0}' | tee /tmp/mstest.log

This will run MailScanner in debug mode showing all of the rule lookups and checks to RBLs. The time stamp will help show what part of the process takes more time.
from the mailscanner output:

17:57:41 [557] dbg: async: escaping: lost or timed out requests or responses
17:57:41 [557] dbg: async: aborting after 6.184 s, deadline shrunk: URI-DNSBL, DNSBL:sbl.spamhaus.org.:9.135.130.12
17:57:41 [557] dbg: async: aborting after 6.184 s, deadline shrunk: URI-DNSBL, DNSBL:sbl.spamhaus.org.:8.135.130.12
17:57:41 [557] dbg: async: aborting after 7.286 s, deadline shrunk: URI-DNSBL, DNSBL:sbl.spamhaus.org.:42.195.169.12
17:57:41 [557] dbg: async: aborting after 7.287 s, deadline shrunk: URI-DNSBL, DNSBL:sbl.spamhaus.org.:202.77.202.74
17:57:41 [557] dbg: async: aborting after 9.813 s, deadline shrunk: DNSBL-A, dns:A:195.136.130.12.zen.spamhaus.org.
17:57:41 [557] dbg: async: aborted 5 remaining lookups

also:

09:21:31 [22541] dbg: check: subtests=__BOTNET_NOTRUST,__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID
09:21:31 [22541] dbg: bayes: untie-ing
09:21:39 [22668] dbg: dns: name server: 63.241.249.10, LocalAddr: 0.0.0.0

8 seconds for a bayes process

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183 From glenn.steen at gmail.com Mon Feb 4 16:02:58 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Feb 4 16:03:10 2008 Subject: How to understand spamassasin speed In-Reply-To: References: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it> Message-ID: <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> On 04/02/2008, donald.dawson@bakerbotts.com wrote: > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Marcello Anderlini > > Sent: Monday, February 04, 2008 5:05 AM > > To: 'MailScanner discussion' > > Subject: How to understand spamassasin speed > > > > > > Hello everybody, > > Is there any way to test the speed of single spamassassin > > test so to know > > which is slowing my system ? > > > > I've done spamassassin -D --lint 2>/tmp/speed.txt but there > > is now way to > > understand how may time each process takes long ? > > > > Thanks for your help and sorry for my worst English > > > > Best regards > > > > Marcello > > > One of our new mail servers had been blocked by spamhaus and that was > causing additional delays. > > I added the following to the spamassassin prefs file on our MX server > and the processing time per message improved by 3 seconds. Someone with > more experience in this mail list can verify if this is correct, or too > extensive in dropping RBL lookups. > > # 11/22/07 DLD - from ms listsever - stops spamhaus lookups > score __RCVD_IN_ZEN 0.0 > score RCVD_IN_SBL 0.0 > score RCVD_IN_XBL 0.0 > score RCVD_IN_PBL 0.0 > score URIBL_SBL 0.0 > > # 11/26/07 DLD Timeouts using ms debug > score URIBL_RHS_DOB 0.0 > score DNS_FROM_DOB 0.0 > > I ran: > > # MailScanner --debug --debug-sa 2>&1 | awk '{printf"%s %s\n", > strftime("%T"), $0}' | tee /tmp/mstest.log > Granularity of seconds is a bit limited.... Use strftime("&t:%N") for subsecond timings. Granted, seconds will likely be enough to see any blatant problems. 
Also, since we're debugging SA, it'd be better to just use spamassassin -D -t < /path/to/message file | awk '{printf"%s %s\n",strftime("%T:%N"), $0}' | tee /tmp/mstest.log ... IMO:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Feb 4 16:07:25 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Feb 4 16:07:36 2008 Subject: How to understand spamassasin speed In-Reply-To: <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> References: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it> <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> Message-ID: <223f97700802040807ga6b7e80p5f34b03d5736aba0@mail.gmail.com> On 04/02/2008, Glenn Steen wrote: > On 04/02/2008, donald.dawson@bakerbotts.com > wrote: > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > > Of Marcello Anderlini > > > Sent: Monday, February 04, 2008 5:05 AM > > > To: 'MailScanner discussion' > > > Subject: How to understand spamassasin speed > > > > > > > > > Hello everybody, > > > Is there any way to test the speed of single spamassassin > > > test so to know > > > which is slowing my system ? > > > > > > I've done spamassassin -D --lint 2>/tmp/speed.txt but there > > > is now way to > > > understand how may time each process takes long ? > > > > > > Thanks for your help and sorry for my worst English > > > > > > Best regards > > > > > > Marcello > > > > > One of our new mail servers had been blocked by spamhaus and that was > > causing additional delays. > > > > I added the following to the spamassassin prefs file on our MX server > > and the processing time per message improved by 3 seconds. Someone with > > more experience in this mail list can verify if this is correct, or too > > extensive in dropping RBL lookups. 
> > > > # 11/22/07 DLD - from ms listsever - stops spamhaus lookups > > score __RCVD_IN_ZEN 0.0 > > score RCVD_IN_SBL 0.0 > > score RCVD_IN_XBL 0.0 > > score RCVD_IN_PBL 0.0 > > score URIBL_SBL 0.0 > > > > # 11/26/07 DLD Timeouts using ms debug > > score URIBL_RHS_DOB 0.0 > > score DNS_FROM_DOB 0.0 > > > > I ran: > > > > # MailScanner --debug --debug-sa 2>&1 | awk '{printf"%s %s\n", > > strftime("%T"), $0}' | tee /tmp/mstest.log > > > Granularity of seconds is a bit limited.... Use strftime("&t:%N") for > subsecond timings. > Granted, seconds will likely be enough to see any blatant problems. > Also, since we're debugging SA, it'd be better to just use > spamassassin -D -t < /path/to/message file | awk '{printf"%s > %s\n",strftime("%T:%N"), $0}' | tee /tmp/mstest.log > ... IMO:) What a crock of BS... Please disregard.... I'm obviously still not recovered from last weeks illness. Sigh. Sorry. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From J.Ede at birchenallhowden.co.uk Mon Feb 4 16:18:11 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Feb 4 16:19:20 2008 Subject: How to understand spamassasin speed In-Reply-To: <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> References: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it> , <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760CE7581D68@server02.bhl.local> Information about running the debug with time stamps would probably be quite useful in the Wiki as its something quite handy to know. 
Jason ________________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen [glenn.steen@gmail.com] Sent: 04 February 2008 16:02 To: MailScanner discussion Subject: Re: How to understand spamassasin speed On 04/02/2008, donald.dawson@bakerbotts.com wrote: > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Marcello Anderlini > > Sent: Monday, February 04, 2008 5:05 AM > > To: 'MailScanner discussion' > > Subject: How to understand spamassasin speed > > > > > > Hello everybody, > > Is there any way to test the speed of single spamassassin > > test so to know > > which is slowing my system ? > > > > I've done spamassassin -D --lint 2>/tmp/speed.txt but there > > is now way to > > understand how may time each process takes long ? > > > > Thanks for your help and sorry for my worst English > > > > Best regards > > > > Marcello > > > One of our new mail servers had been blocked by spamhaus and that was > causing additional delays. > > I added the following to the spamassassin prefs file on our MX server > and the processing time per message improved by 3 seconds. Someone with > more experience in this mail list can verify if this is correct, or too > extensive in dropping RBL lookups. > > # 11/22/07 DLD - from ms listsever - stops spamhaus lookups > score __RCVD_IN_ZEN 0.0 > score RCVD_IN_SBL 0.0 > score RCVD_IN_XBL 0.0 > score RCVD_IN_PBL 0.0 > score URIBL_SBL 0.0 > > # 11/26/07 DLD Timeouts using ms debug > score URIBL_RHS_DOB 0.0 > score DNS_FROM_DOB 0.0 > > I ran: > > # MailScanner --debug --debug-sa 2>&1 | awk '{printf"%s %s\n", > strftime("%T"), $0}' | tee /tmp/mstest.log > Granularity of seconds is a bit limited.... Use strftime("&t:%N") for subsecond timings. Granted, seconds will likely be enough to see any blatant problems. 
Also, since we're debugging SA, it'd be better to just use
spamassassin -D -t < /path/to/message file | awk '{printf"%s %s\n",strftime("%T:%N"), $0}' | tee /tmp/mstest.log
... IMO:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From ssilva at sgvwater.com Mon Feb 4 16:36:22 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Feb 4 16:36:52 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47A6FEAF.5050306@ecs.soton.ac.uk>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk>
Message-ID:

on 2/4/2008 4:01 AM Julian Field spake the following:
>
>
> Scott Silva wrote:
>> * PGP Signed by an unknown key
>
>> on 2/1/2008 3:56 AM Pascal Maes spake the following:
>>> Le 01-févr.-08 à 12:38, Julian Field a écrit :
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>>
>>>>
>>>> Pascal Maes wrote:
>>>>> Hello,
>>>>>
>>>>>
>>>>> In MailScanner.conf, we have
>>>>>
>>>>> # Spam Blacklist:
>>>>> # Make this point to a ruleset, and anything in that ruleset whose
>>>>> value
>>>>> # is "yes" will *always* be marked as spam.
>>>>> # This value can be over-ridden by the "Is Definitely Not Spam"
>>>>> setting.
>>>>> # This can also be the filename of a ruleset.
>>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>>>
>>>>>
>>>>> In spam_blacklist.rules, we have :
>>>>>
>>>>> From: 66.63.168.
yes >>>>> >>>>> FromOrTo: default no >>>>> >>>>> >>>>> >>>>> As this rule could be over-ridden, I check that >>>>> >>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules >>>>> >>>>> the file spam_whitelist.rules doesn't contain anything about that >>>>> domain or IP or the recipient >>>>> >>>>> >>>>> Then, I wonder why the following mail was not tagged as SPAM >>>>> >>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) >>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server >>>>> 6.3-4.01 (built >>>>> Aug 3 2007; 32bit)) with ESMTP id >>>>> <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be> >>>>> for (ORCPT email_address); Thu, >>>>> 31 Jan 2008 20:21:28 +0100 (CET) >>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain >>>>> [127.0.0.1]) >>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for >>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET) >>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38]) >>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for >>>>> ; Thu, >>>>> 31 Jan 2008 20:21:38 +0100 (CET) >>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id >>>>> hk8fra01g741; Thu, >>>>> 31 Jan 2008 14:19:07 -0500 >>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500 >>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST) >>>>> From: Travel Offers >>>>> X-SGSI-MailScanner: Found to be clean >>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5, >>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50) >>>> Because it scored 3.5 where the required score is 5. >>>>> X-SGSI-Spam-Score: sss >>>>> X-SGSI-From: travel-offers@mytravfolks.com >>>>> X-SGSI-Spam-Status: No >>>>> >>>>> -- >>>>> Pascal >>>>> >>>>> >>>>> >>>> Jules >>>> >>> yes but as we have the header >>> >>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38]) >>> >>> which matches the rule in spam_blacklist.rules >>> >>> From: 66.63.168. 
yes >>> >>> The message should have been tagged Spam >>> >>> >>> -- >>> Pascal >>> >>> >>> >> Do those rules check all received headers, or just the last one >> received from? >> Julian would know for sure. > > They just check the last one, the IP address of the SMTP client that > sent the message to your server. > > Jules > Then there is the answer. As far as mailscanner is concerned, the above message came from; Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) which doesn't match your blacklist. The only host that it would have matched on would have been smtp4.sgsi.ucl.ac.be if that is in your control. Thanks Julian for the clarification! MailScanner rocks!!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 187 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080204/a8490ec5/signature.bin From ugob at lubik.ca Mon Feb 4 16:51:07 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Mon Feb 4 16:51:36 2008 Subject: Mail::ClamAV Message-ID: Hi, Server: Centos 4 X64 Resolved: Problem 1: Can't compile Mail::ClamAV 0.21. Tried CPAN, source, and Julian's package, they all give the same result. I had to install bzip2-devel and then it compiled. Problem 2: I also tried the perl-Mail-ClamAV from the rpmforge repository. However, MailScanner can't find it, even after a 'ldconfig'. 
Here is the list of the files included by perl-Mail-ClamAV

/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/Mail
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/Mail/ClamAV.pm
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.bs
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so
/usr/share/doc/perl-Mail-ClamAV-0.21
/usr/share/doc/perl-Mail-ClamAV-0.21/Changes
/usr/share/doc/perl-Mail-ClamAV-0.21/INSTALL
/usr/share/doc/perl-Mail-ClamAV-0.21/MANIFEST
/usr/share/doc/perl-Mail-ClamAV-0.21/META.yml
/usr/share/doc/perl-Mail-ClamAV-0.21/README
/usr/share/man/man3/Mail::ClamAV.3pm.gz

Compiled at Aug 15 2006 05:56:23
@INC:
/usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi
/usr/lib/perl5/5.8.5
/usr/lib64/perl5/site_perl/5.8.5/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.4/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.3/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.2/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.1/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.0/x86_64-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.5
/usr/lib/perl5/site_perl/5.8.4
/usr/lib/perl5/site_perl/5.8.3
/usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1
/usr/lib/perl5/site_perl/5.8.0
/usr/lib/perl5/site_perl
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.4/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.3/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.2/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.1/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.0/x86_64-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.5
/usr/lib/perl5/vendor_perl/5.8.4
/usr/lib/perl5/vendor_perl/5.8.3
/usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . I don't understand how come MailScanner can't find it... Regards, Ugo From MailScanner at ecs.soton.ac.uk Mon Feb 4 18:13:47 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Feb 4 18:14:13 2008 Subject: Mail::ClamAV In-Reply-To: References: Message-ID: <47A755DB.7080706@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ugo Bellavance wrote: > Hi, > > Server: Centos 4 X64 > > Resolved: Problem 1: Can't compile Mail::ClamAV 0.21. Tried CPAN, > source, and Julian's package, they all give the same result. I had to > install bzip2-devel and then it compiled. > > Problem 2: I also tried the perl-Mail-ClamAV from the rpmforge > repository. However, MailScanner can't find it, even after a 'ldconfig'. > > Here is the list of the flies included by perl-Mail-ClamAV > > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/Mail > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/Mail/ClamAV.pm > > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV > > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.bs > > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so > What do you get from an "ldd" on this file? 
> /usr/share/doc/perl-Mail-ClamAV-0.21 > /usr/share/doc/perl-Mail-ClamAV-0.21/Changes > /usr/share/doc/perl-Mail-ClamAV-0.21/INSTALL > /usr/share/doc/perl-Mail-ClamAV-0.21/MANIFEST > /usr/share/doc/perl-Mail-ClamAV-0.21/META.yml > /usr/share/doc/perl-Mail-ClamAV-0.21/README > /usr/share/man/man3/Mail::ClamAV.3pm.gz > > > > Compiled at Aug 15 2006 05:56:23 > @INC: > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi > /usr/lib/perl5/5.8.5 > /usr/lib64/perl5/site_perl/5.8.5/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.4/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.3/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.2/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.1/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.0/x86_64-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.5 > /usr/lib/perl5/site_perl/5.8.4 > /usr/lib/perl5/site_perl/5.8.3 > /usr/lib/perl5/site_perl/5.8.2 > /usr/lib/perl5/site_perl/5.8.1 > /usr/lib/perl5/site_perl/5.8.0 > /usr/lib/perl5/site_perl > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.4/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.3/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.2/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.1/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.0/x86_64-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.5 > /usr/lib/perl5/vendor_perl/5.8.4 > /usr/lib/perl5/vendor_perl/5.8.3 > /usr/lib/perl5/vendor_perl/5.8.2 > /usr/lib/perl5/vendor_perl/5.8.1 > /usr/lib/perl5/vendor_perl/5.8.0 > /usr/lib/perl5/vendor_perl > . > > > I don't understand how come MailScanner can't find it... > > Regards, > Ugo > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: Use Thunderbird's Enigmail add-on to verify this message Charset: ISO-8859-1 wj8DBQFHp1XdEfZZRxQVtlQRAuv9AKDYcrnmfpuVL/8slAfTvx7gcLpQWQCfQBCa a/GV0YHqOr2XeMtsIisvKms= =o+TY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ugob at lubik.ca Mon Feb 4 18:27:52 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Mon Feb 4 18:30:18 2008 Subject: Mail::ClamAV In-Reply-To: <47A755DB.7080706@ecs.soton.ac.uk> References: <47A755DB.7080706@ecs.soton.ac.uk> Message-ID: Julian Field wrote: >> /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so >> > What do you get from an "ldd" on this file? [root@relay9 Mail-ClamAV-0.21]# ldd /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so libz.so.1 => /usr/lib64/libz.so.1 (0x0000002a9566a000) libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x0000002a9577d000) libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x0000002a9588c000) libclamav.so.3 => /usr/lib64/libclamav.so.3 (0x0000002a959c1000) libc.so.6 => /lib64/tls/libc.so.6 (0x0000002a95b5a000) libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x0000002a95d8f000) libclamunrar_iface.so.3 => /usr/lib64/libclamunrar_iface.so.3 (0x0000002a95ea5000) libnsl.so.1 => /lib64/libnsl.so.1 (0x0000002a95fa7000) /lib64/ld-linux-x86-64.so.2 (0x000000552aaaa000) libclamunrar.so.3 => /usr/lib64/libclamunrar.so.3 (0x0000002a960be000) Regards, Ugo From MailScanner at ecs.soton.ac.uk Mon Feb 4 18:40:26 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Feb 4 18:40:52 2008 Subject: Mail::ClamAV In-Reply-To: References: <47A755DB.7080706@ecs.soton.ac.uk> Message-ID: <47A75C1A.9090003@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 If you try to build the module by hand, does it work when you do the "make test" stage? Don't do the "make install", just all the steps up to it. Ugo Bellavance wrote: > Julian Field wrote: >>> /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so >>> >> What do you get from an "ldd" on this file? > > [root@relay9 Mail-ClamAV-0.21]# ldd > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so > > libz.so.1 => /usr/lib64/libz.so.1 (0x0000002a9566a000) > libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x0000002a9577d000) > libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x0000002a9588c000) > libclamav.so.3 => /usr/lib64/libclamav.so.3 (0x0000002a959c1000) > libc.so.6 => /lib64/tls/libc.so.6 (0x0000002a95b5a000) > libpthread.so.0 => /lib64/tls/libpthread.so.0 > (0x0000002a95d8f000) > libclamunrar_iface.so.3 => /usr/lib64/libclamunrar_iface.so.3 > (0x0000002a95ea5000) > libnsl.so.1 => /lib64/libnsl.so.1 (0x0000002a95fa7000) > /lib64/ld-linux-x86-64.so.2 (0x000000552aaaa000) > libclamunrar.so.3 => /usr/lib64/libclamunrar.so.3 > (0x0000002a960be000) > > Regards, > > Ugo > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: Use Thunderbird's Enigmail add-on to verify this message Charset: ISO-8859-1 wj8DBQFHp1wcEfZZRxQVtlQRAqF+AKDSzhvhj3yuli2qw17HUb7dJh+6LgCg7lrH /lhyfR05zOVmzeXOYRkTKlI= =RvTV -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ugob at lubik.ca Mon Feb 4 18:53:03 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Mon Feb 4 18:53:25 2008 Subject: Mail::ClamAV In-Reply-To: <47A75C1A.9090003@ecs.soton.ac.uk> References: <47A755DB.7080706@ecs.soton.ac.uk> <47A75C1A.9090003@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > If you try to build the module by hand, does it work when you do the > "make test" stage? > Don't do the "make install", just all the steps up to it. [root@server Mail-ClamAV-0.21]# make test PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/Mail-ClamAV....ok All tests successful. Files=1, Tests=10, 3 wallclock secs ( 2.47 cusr + 0.12 csys = 2.59 CPU) From MailScanner at ecs.soton.ac.uk Mon Feb 4 19:30:36 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Feb 4 19:31:09 2008 Subject: Mail::ClamAV In-Reply-To: References: <47A755DB.7080706@ecs.soton.ac.uk> <47A75C1A.9090003@ecs.soton.ac.uk> Message-ID: <47A767DC.2040900@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hmmm..... If you set "Virus Scanners = clamavmodule", then what does "MailScanner - --debug" say? Anything interesting? And "MailScanner --lint"? Ugo Bellavance wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> If you try to build the module by hand, does it work when you do the >> "make test" stage? >> Don't do the "make install", just all the steps up to it. > > [root@server Mail-ClamAV-0.21]# make test > PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" > "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t > t/Mail-ClamAV....ok > All tests successful. > Files=1, Tests=10, 3 wallclock secs ( 2.47 cusr + 0.12 csys = 2.59 > CPU) > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: Use Thunderbird's Enigmail add-on to verify this message
Charset: ISO-8859-1

wj8DBQFHp2fjEfZZRxQVtlQRAppxAJ9iVAvidDIXRNOVCyFAVFSALkKSfwCg600z
5CooKhk8LFOusNlAHo5l8eE=
=lgoF
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From hvdkooij at vanderkooij.org Mon Feb 4 19:49:11 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Feb 4 19:50:08 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To: <027801c8672f$76d65160$0202fea9@support01>
References: <027801c8672f$76d65160$0202fea9@support01>
Message-ID: <47A76C37.6080206@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nigel Kendrick wrote:
| Thanks for the list - is it available as a MailScanner blacklist so I can
| just drop it in place and live a quiet life???

Just go to the Trend Micro website and test the ERS RBL.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHp2wzBvzDRVjxmYERAjSgAJ9ayexMOaoKAQ9wRqAvRnXklJ052gCfW7Td
5vAuoP4J3H+VstXQyLG4Dpw=
=2FIr
-----END PGP SIGNATURE-----

From ugob at lubik.ca Mon Feb 4 19:55:07 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Feb 4 19:55:29 2008
Subject: Mail::ClamAV
In-Reply-To: <47A767DC.2040900@ecs.soton.ac.uk>
References: <47A755DB.7080706@ecs.soton.ac.uk> <47A75C1A.9090003@ecs.soton.ac.uk> <47A767DC.2040900@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hmmm.....
> If you set "Virus Scanners = clamavmodule", then what does "MailScanner
> - --debug" say? Anything interesting? And "MailScanner --lint"?

[root@server ~]# MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
ClamAV Perl module not found, did you install it? at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 507

Same thing with --lint

From ugob at lubik.ca Mon Feb 4 20:37:36 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Feb 4 20:38:10 2008
Subject: Can't upgrade some perl modules
In-Reply-To: <57368.10.0.0.31.1197908211.squirrel@webmail.rpcs.net>
References: <57368.10.0.0.31.1197908211.squirrel@webmail.rpcs.net>
Message-ID:

Richard Potter wrote:
> On Mon, December 17, 2007 9:14 am, Ugo Bellavance wrote:
>
>> Hi,
>>
>> This is MailScanner version 4.61.7
>>
>> When I try a yum update (using rpmforge), I get these errors, so I can't
>> really update my systems:
>>
>> file /usr/share/man/man3/bigint.3pm.gz conflicts between attempted
>> installs of perl-5.8.0-97.EL3 and perl-bignum-0.22-1.el3.rf
>> file /usr/share/man/man3/bignum.3pm.gz conflicts between attempted
>> installs of perl-5.8.0-97.EL3 and perl-bignum-0.22-1.el3.rf
>> file /usr/share/man/man3/bigrat.3pm.gz conflicts between attempted
>> installs of perl-5.8.0-97.EL3 and perl-bignum-0.22-1.el3.rf
>> file /usr/share/man/man3/Test::Builder.3pm.gz conflicts between
>> attempted installs of perl-Test-Simple-0.74-1.el3.rf and perl-5.8.0-97.EL3
>> file /usr/share/man/man3/Test::More.3pm.gz conflicts between attempted
>> installs of perl-Test-Simple-0.74-1.el3.rf and perl-5.8.0-97.EL3
>> file /usr/share/man/man3/Test::Simple.3pm.gz conflicts between attempted
>> installs of perl-Test-Simple-0.74-1.el3.rf and perl-5.8.0-97.EL3
>> file /usr/share/man/man3/Test::Tutorial.3pm.gz conflicts between
>> attempted installs of perl-Test-Simple-0.74-1.el3.rf and perl-5.8.0-97.EL3
>>
>> Is there a way to update w/o having to upgrade MS?
>
> This *appears* to be a yum problem. I have installed the following
> plugins, to work around this problem. This is on my testing box.
>
> # yum install yum-fastestmirror yum-skip-broken yum-kmod yum-kernel-module
> yum-priorities

yum-plugin-priorities, yum-plugin-fastestmirror, in fact... (maybe it has
changed name)

Ugo

From gcle at smcaus.com.au Mon Feb 4 21:09:42 2008
From: gcle at smcaus.com.au (Gerard Cleary)
Date: Mon Feb 4 21:10:05 2008
Subject: MailScanner cannot analyse tif files
In-Reply-To: <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>
References: <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>
Message-ID: <200802050809.42529.gcle@smcaus.com.au>

On Mon, 4 Feb 2008 20:00:06 Martin.Hepworth wrote:
> Hi
>
> This is normally an antivirus issue, and the error comes from that.
>
> What AV you using?
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

Thanks for the reply.
We use Kaspersky - scanner for Linux version 5.5.

Gerard.
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Gerard Cleary
> > Sent: 04 February 2008 02:49
> > To: mailscanner@lists.mailscanner.info
> > Subject: MailScanner cannot analyse tif files
> >
> > Hi there,
> >
> > Our company has started receiving tif files from our parent company in
> > Japan.
> > Unfortunately, MailScanner cannot analyse them and it produces a message:
> > "MailScanner: Could not analyze message".
> >
> > When I bypass MailScanner, the file gets delivered and when I run the
> > "file"
> > command I get the following output:
> > [gcle@msf ~]$ file XAM00011.tif
> > XAM00011.tif: TIFF image data, little-endian
> > [gcle@msf ~]$ file -i XAM00011.tif
> > XAM00011.tif: image/tiff
> >
> > I have tried to get tif files bypassed by MailScanner using the following
> > line
> > in filename.rules.conf: (without the
> > diamond
> > brackets of course and with the whitespace between fields all TABs) and a
> > matching line in filetype.rules.conf: (same
> > provisos as above).
> >
> > Getting desperate, I put an entry into allow.filenames.rules: > \.tif> and an entry into allow.filetypes.rules:
> > (again,
> > with the same provisos as above).
> >
> > I still get the "couldn't analyze" message so I then asked for a sample
> > of the
> > tif file from our technical department who use these files in their work.
> >
> > When I received it I ran the "file" command as usual and I got the
> > following
> > results:
> > [gcle@msf ~]$ file XAL00471.tif
> > XAL00471.tif: TIFF image data, big-endian
> > [gcle@msf ~]$ file -i XAL00471.tif
> > XAL00471.tif: image/tiff
> >
> > It seems that once the file has been through the technical department, it
> > is
> > turned into a "big-endian" file and MailScanner has no problem with it at
> > all. (Our parent company in Japan use AS400 mainframes.)
> >
> > I am using MailScanner 4.65.3 on Centos Release 4.4 and Sendmail 8.14.0.
> >
> > I have tried having the MailScanner configuration "TNEF Expander"
> > saying "internal" and then saying "/usr/bin/tnef" (with an accompanying
> > maxsize setting many times greater than these tif files) but there is no
> > change in the resulting message.
> >
> > I have checked the archives for "endian" entries but the four entries
> > that come up have "endian" as a minor detail.
> >
> > I had thought that the "endian" bit format would be transparent to users
> > because the operating systems were meant to "deal" with it but maybe I'm
> > badly mistaken.
> >
> > Does anybody know what the problem really is please and how I can get
> > around
> > it in MailScanner? I can provide the two named files above if anybody
> > thought that might be useful.
> >
> > In the meantime, I have turned off all MailScanner checking of any eMail
> > from
> > our parent company but this is not our preferred option.
> >
> > Gerard.
> > --
--
Gerard Cleary
Systems Administrator
SMC Pneumatics (Australia) P/L
Ph: +61 2 9354 8222

--
This email message and any related attachments are confidential and should
only be read by those persons to whom they were addressed. They may contain
copyright, personal or legally privileged information. If you are not the
intended recipient of this email, any use of this information is strictly
prohibited and it must be deleted from your system. Views expressed in this
message are the views of the sender and are not necessarily views of SMC
Corporation, or its subsidiaries, except where the message expressly states
otherwise. Any advice contained herein should be treated as preliminary
advice only and subject to formal written confirmation. Although this email
and any attachments are believed to be free of any virus or any other defect
which may cause damage or loss, it is the responsibility of the recipient to
ensure that they are virus-free.
SMC accepts no liability for any loss or damage that may occur as a result
of the transmission of this email or its attachments to the recipient.

From MailScanner at ecs.soton.ac.uk Mon Feb 4 22:38:13 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 4 22:38:40 2008
Subject: Mail::ClamAV
In-Reply-To:
References: <47A755DB.7080706@ecs.soton.ac.uk> <47A75C1A.9090003@ecs.soton.ac.uk> <47A767DC.2040900@ecs.soton.ac.uk>
Message-ID: <47A793D5.1040002@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In /etc/MailScanner/virus.scanners.conf, does the clamavmodule line say
this:
clamavmodule /bin/false /tmp
?

If it does, then I'm starting to run out of ideas. :-(

Jules.

Ugo Bellavance wrote:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hmmm.....
>> If you set "Virus Scanners = clamavmodule", then what does
>> "MailScanner - --debug" say? Anything interesting? And "MailScanner
>> --lint"?
>
>
> [root@server ~]# MailScanner --debug
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> ClamAV Perl module not found, did you install it? at
> /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 507
>
> Same thing with --lint
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: Use Thunderbird's Enigmail add-on to verify this message
Charset: ISO-8859-1

wj8DBQFHp5PYEfZZRxQVtlQRAmTeAKCigSX7pa4BMMtZHi+6xk0MnsX+MwCdFUmF
TZUACbJV9nAiLLBIpr7gikU=
=Ypxh
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From pascal.maes at elec.ucl.ac.be Tue Feb 5 08:28:29 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Tue Feb 5 08:28:48 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk>
Message-ID: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>

On 04-Feb-08 at 17:36, Scott Silva wrote:

> on 2/4/2008 4:01 AM Julian Field spake the following:
>> Scott Silva wrote:
>>> * PGP Signed by an unknown key
>>> on 2/1/2008 3:56 AM Pascal Maes spake the following:
>>>> On 01-Feb-08 at 12:38, Julian Field wrote:
>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>>
>>>>>
>>>>> Pascal Maes wrote:
>>>>>> Hello,
>>>>>>
>>>>>>
>>>>>> In MailScanner.conf, we have
>>>>>>
>>>>>> # Spam Blacklist:
>>>>>> # Make this point to a ruleset, and anything in that ruleset
>>>>>> whose value
>>>>>> # is "yes" will *always* be marked as spam.
>>>>>> # This value can be over-ridden by the "Is Definitely Not Spam"
>>>>>> setting.
>>>>>> # This can also be the filename of a ruleset.
>>>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>>>>
>>>>>>
>>>>>> In spam_blacklist.rules, we have :
>>>>>>
>>>>>> From: 66.63.168. yes
>>>>>>
>>>>>> FromOrTo: default no
>>>>>>
>>>>>>
>>>>>>
>>>>>> As this rule could be over-ridden, I check that
>>>>>>
>>>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>>>>
>>>>>> the file spam_whitelist.rules doesn't contain anything about that
>>>>>> domain or IP or the recipient
>>>>>>
>>>>>>
>>>>>> Then, I wonder why the following mail was not tagged as SPAM
>>>>>>
>>>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>>>> 6.3-4.01 (built
>>>>>> Aug 3 2007; 32bit)) with ESMTP id
>>>>>> <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>>>>>> for (ORCPT email_address); Thu,
>>>>>> 31 Jan 2008 20:21:28 +0100 (CET)
>>>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
>>>>>> [127.0.0.1])
>>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>>>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for
>>>>>> ; Thu,
>>>>>> 31 Jan 2008 20:21:38 +0100 (CET)
>>>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>>>> hk8fra01g741; Thu,
>>>>>> 31 Jan 2008 14:19:07 -0500
>>>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>>>>> From: Travel Offers
>>>>>> X-SGSI-MailScanner: Found to be clean
>>>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached,
>>>>>> score=3.5,
>>>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>>>>> Because it scored 3.5 where the required score is 5.
>>>>>> X-SGSI-Spam-Score: sss
>>>>>> X-SGSI-From: travel-offers@mytravfolks.com
>>>>>> X-SGSI-Spam-Status: No
>>>>>>
>>>>>> --
>>>>>> Pascal
>>>>>>
>>>>>>
>>>>>>
>>>>> Jules
>>>>>
>>>> yes but as we have the header
>>>>
>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>>
>>>> which matches the rule in spam_blacklist.rules
>>>>
>>>> From: 66.63.168. yes
>>>>
>>>> The message should have been tagged Spam
>>>>
>>>>
>>>> --
>>>> Pascal
>>>>
>>>>
>>>>
>>> Do those rules check all received headers, or just the last one
>>> received from?
>>> Julian would know for sure.
>> They just check the last one, the IP address of the SMTP client
>> that sent the message to your server.
>> Jules
> Then there is the answer. As far as mailscanner is concerned, the
> above message came from;
> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> which doesn't match your blacklist.
> The only host that it would have matched on would have been
> smtp4.sgsi.ucl.ac.be if that is in your control.
>
> Thanks Julian for the clarification!
> MailScanner rocks!!!
>

I'm not sure.
The message here above is the message which is in the mailbox but
MailScanner is acting before:

Mail --> SMTP4 (Postfix) -> MailScanner -> Postfix -> Mailboxes
(1) (2) (3)

In (1), you have Received: from rssl2.mytravfolks.com (unknown
[66.63.168.38])

In (2), Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
[127.0.0.1])

In (3), Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])

The master.cf file for Postfix looks like

smtp inet n - n - 500 smtpd
  -o smtpd_client_connection_count_limit=500
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o receive_override_options=no_address_mappings
#
# For injecting mail back into postfix from ClamSMTP
127.0.0.1:10026 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8


Our SMTP box receives the message.
The message goes through some "before-filters" and goes back to
postfix with the option

smtpd_authorized_xforward_hosts=127.0.0.0/8

to keep the headers of the previous MTA server.
Then Postfix puts the message in the HOLD queue where MailScanner
takes it and puts it back into the Postfix queue.

I'm pretty sure that MailScanner should see the 66.63.168.38 IP
address otherwise why is the "Is Definitely Not Spam" rule working :

Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
) is whitelisted


Regards
--
Pascal

From glenn.steen at gmail.com Tue Feb 5 08:40:28 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 08:40:46 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
Message-ID: <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>

On 05/02/2008, Pascal Maes wrote:
>
> On 04-Feb-08 at 17:36, Scott Silva wrote:
>
> > on 2/4/2008 4:01 AM Julian Field spake the following:
> >> Scott Silva wrote:
> >>> * PGP Signed by an unknown key
> >>> on 2/1/2008 3:56 AM Pascal Maes spake the following:
> >>>> On 01-Feb-08 at 12:38, Julian Field wrote:
> >>>>
> >>>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>> Hash: SHA1
> >>>>>
> >>>>>
> >>>>>
> >>>>> Pascal Maes wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>>
> >>>>>> In MailScanner.conf, we have
> >>>>>>
> >>>>>> # Spam Blacklist:
> >>>>>> # Make this point to a ruleset, and anything in that ruleset
> >>>>>> whose value
> >>>>>> # is "yes" will *always* be marked as spam.
> >>>>>> # This value can be over-ridden by the "Is Definitely Not Spam"
> >>>>>> setting.
> >>>>>> # This can also be the filename of a ruleset.
> >>>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
> >>>>>>
> >>>>>>
> >>>>>> In spam_blacklist.rules, we have :
> >>>>>>
> >>>>>> From: 66.63.168. yes
> >>>>>>
> >>>>>> FromOrTo: default no
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> As this rule could be over-ridden, I check that
> >>>>>>
> >>>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
> >>>>>>
> >>>>>> the file spam_whitelist.rules doesn't contain anything about that
> >>>>>> domain or IP or the recipient
> >>>>>>
> >>>>>>
> >>>>>> Then, I wonder why the following mail was not tagged as SPAM
> >>>>>>
> >>>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> >>>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
> >>>>>> 6.3-4.01 (built
> >>>>>> Aug 3 2007; 32bit)) with ESMTP id
> >>>>>> <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
> >>>>>> for (ORCPT email_address); Thu,
> >>>>>> 31 Jan 2008 20:21:28 +0100 (CET)
> >>>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
> >>>>>> [127.0.0.1])
> >>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
> >>>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
> >>>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
> >>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for
> >>>>>> ; Thu,
> >>>>>> 31 Jan 2008 20:21:38 +0100 (CET)
> >>>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
> >>>>>> hk8fra01g741; Thu,
> >>>>>> 31 Jan 2008 14:19:07 -0500
> >>>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
> >>>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
> >>>>>> From: Travel Offers
> >>>>>> X-SGSI-MailScanner: Found to be clean
> >>>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached,
> >>>>>> score=3.5,
> >>>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
> >>>>> Because it scored 3.5 where the required score is 5.
> >>>>>> X-SGSI-Spam-Score: sss
> >>>>>> X-SGSI-From: travel-offers@mytravfolks.com
> >>>>>> X-SGSI-Spam-Status: No
> >>>>>>
> >>>>>> --
> >>>>>> Pascal
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> Jules
> >>>>>
> >>>> yes but as we have the header
> >>>>
> >>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
> >>>>
> >>>> which matches the rule in spam_blacklist.rules
> >>>>
> >>>> From: 66.63.168. yes
> >>>>
> >>>> The message should have been tagged Spam
> >>>>
> >>>>
> >>>> --
> >>>> Pascal
> >>>>
> >>>>
> >>>>
> >>> Do those rules check all received headers, or just the last one
> >>> received from?
> >>> Julian would know for sure.
> >> They just check the last one, the IP address of the SMTP client
> >> that sent the message to your server.
> >> Jules
> > Then there is the answer. As far as mailscanner is concerned, the
> > above message came from;
> > Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> > which doesn't match your blacklist.
> > The only host that it would have matched on would have been
> > smtp4.sgsi.ucl.ac.be if that is in your control.
> >
> > Thanks Julian for the clarification!
> > MailScanner rocks!!!
> >
>
> I'm not sure.
> The message here above is the message which is in the mailbox but
> MailScanner is acting before:
>
> Mail --> SMTP4 (Postfix) -> MailScanner -> Postfix -> Mailboxes
> (1) (2) (3)
>
> In (1), you have Received: from rssl2.mytravfolks.com (unknown
> [66.63.168.38])
>
> In (2), Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
> [127.0.0.1])
>
> In (3), Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>
> The master.cf file for Postfix looks like
>
> smtp inet n - n - 500 smtpd
> -o smtpd_client_connection_count_limit=500
> -o smtpd_proxy_filter=127.0.0.1:10025
> -o receive_override_options=no_address_mappings
> #
> # For injecting mail back into postfix from ClamSMTP
> 127.0.0.1:10026 inet n - n - - smtpd
> -o content_filter=
> -o receive_override_options=no_unknown_recipient_checks
> -o smtpd_helo_restrictions=
> -o smtpd_client_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks_style=host
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
>
> Our SMTP box receives the message.
> The message goes through some "before-filters" and goes back to
> postfix with the option
>
> smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> to keep the headers of the previous MTA server.
> Then Postfix puts the message in the HOLD queue where MailScanner
> takes it and puts it back into the Postfix queue.
>
> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> address otherwise why is the "Is Definitely Not Spam" rule working :
>
> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
> ) is whitelisted
>
>
> Regards

Anything happening to the message _after_ MailScanner doesn't have any
impact on your problem... What happens before though... You have to
make sure that your SA trust_path is OK, and all should be well. Why
do you use the ClamSMTP thing at all?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Feb 5 08:45:57 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 08:53:06 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
Message-ID: <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>

On 05/02/2008, Glenn Steen wrote:
> On 05/02/2008, Pascal Maes wrote:
(snip)
> > Then Postfix puts the message in the HOLD queue where MailScanner
> > takes it and puts it back into the Postfix queue.
> >
> > I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> > address otherwise why is the "Is Definitely Not Spam" rule working :
> >
> > Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
> > from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
> > ) is whitelisted
> >
> >
> > Regards
> Anything happening to the message _after_ MailScanner doesn't have any
> impact on your problem... What happens before though... You have to
> make sure that your SA trust_path is OK, and all should be well. Why
> do you use the ClamSMTP thing at all?
>
> Cheers

Oh, sorry, not an sa issue... Still, the last client to handle this is
the clamsmtp thing, which might just be the problem.
Again, why do you use that? Theoretically MailScanner (through the
batching, and using either clamavmodule or clamd) should be more
efficient and less likely to be able to be DoS'd... That
"not-really-part-of-SMTP-flow insulation" is ... golden.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From pascal.maes at elec.ucl.ac.be Tue Feb 5 09:36:03 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Tue Feb 5 09:36:20 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
Message-ID: <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>

On 05-Feb-08 at 09:45, Glenn Steen wrote:

> On 05/02/2008, Glenn Steen wrote:
>> On 05/02/2008, Pascal Maes wrote:
> (snip)
>>> Then Postfix puts the message in the HOLD queue where MailScanner
>>> takes it and puts it back into the Postfix queue.
>>>
>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
>>> address otherwise why is the "Is Definitely Not Spam" rule working :
>>>
>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
>>> ) is whitelisted
>>>
>>>
>>> Regards
>> Anything happening to the message _after_ MailScanner doesn't have
>> any
>> impact on your problem... What happens before though... You have to
>> make sure that your SA trust_path is OK, and all should be well. Why
>> do you use the ClamSMTP thing at all?
>>
>> Cheers
> Oh, sorry, not an sa issue... Still, the last client to handle this is
> the clamsmtp thing, which might just be the problem.
> Again, why do you use that? Theoretically MailScanner (through the
> batching, and using either clamavmodule or clamd) should be more
> efficient and less likely to be able to be DoS'd... That
> "not-really-part-of-SMTP-flow insulation" is ... golden.
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

One advantage of using ClamSMTP is the reject of the worm at the
connection time.
As we receive a lot of mail per day, it's not negligible.

As MailScanner is using McAfee, we have two different AV to check the
messages.

--
Pascal

From edward at tdcs.com.au Tue Feb 5 11:02:41 2008
From: edward at tdcs.com.au (Edward Dekkers)
Date: Tue Feb 5 11:03:50 2008
Subject: How to get certain things through
Message-ID:

Example of rejected message I'm sending (relevant names/IPs changed)

Our e-mail content detector has just been triggered by a message you sent:
To:
Subject: Try again
Date: Tue Feb 5 19:22:40 2008

One or more of the attachments (menu_content.js, warrantyresult.asp.htm,
validate.js, support.js, utilities.js, Westan.zip, fw_menu.js) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: MailScanner: JScript Scripts are dangerous in email
(menu_content.js)
Report: MailScanner: Attempt to hide real filename extension
(warrantyresult.asp.htm)
Report: MailScanner: JScript Scripts are dangerous in email (support.js)
Report: MailScanner: JScript Scripts are dangerous in email (validate.js)
Report: MailScanner: JScript Scripts are dangerous in email (utilities.js)
Report: MailScanner: JScript Scripts are dangerous in email (fw_menu.js)


--
MailScanner
Email Virus Scanner



For all your IT requirements visit: http://www.transtec.co.uk

I've added my recipient to the spam.whitelist.rules and whitelist.rules:

FromOrTo: *@ yes

The message attachment still gets quarantined.
Is there any way to say like "listen up MailScanner - whenever I send to
the following address, just shut the hell up and send it already, don't
even bother looking at this message"

Reason I ask is that this is the second time something like this has
happened, and when I send stuff OUT of my network, sometimes I need to
send stuff like this.

I'd already zipped the files too, but MailScanner is obviously too
clever for that as well.

Regards,
Ed.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Tue Feb 5 11:31:36 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 11:31:46 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
Message-ID: <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>

On 05/02/2008, Pascal Maes wrote:
>
> On 05-Feb-08 at 09:45, Glenn Steen wrote:
>
> > On 05/02/2008, Glenn Steen wrote:
> >> On 05/02/2008, Pascal Maes wrote:
> > (snip)
> >>> Then Postfix puts the message in the HOLD queue where MailScanner
> >>> takes it and puts it back into the Postfix queue.
> >>>
> >>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> >>> address otherwise why is the "Is Definitely Not Spam" rule working :
> >>>
> >>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
> >>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
> >>> ) is whitelisted
> >>>
> >>>
> >>> Regards
> >> Anything happening to the message _after_ MailScanner doesn't have
> >> any
> >> impact on your problem... What happens before though... You have to
> >> make sure that your SA trust_path is OK, and all should be well. Why
> >> do you use the ClamSMTP thing at all?
> >>
> >> Cheers
> > Oh, sorry, not an sa issue... Still, the last client to handle this is
> > the clamsmtp thing, which might just be the problem.
> > Again, why do you use that? Theoretically MailScanner (through the
> > batching, and using either clamavmodule or clamd) should be more
> > efficient and less likely to be able to be DoS'd... That
> > "not-really-part-of-SMTP-flow insulation" is ... golden.
> >
> > Cheers
> > --
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
>
> One advantage of using ClamSMTP is the reject of the worm at the
> connection time.
> As we receive a lot of mail per day, it's not negligible.

No, but then neither is the resource drain;-).

> As MailScanner is using McAfee, we have two different AV to check the
> messages.

Prudent, but did you look at processing times etc for the "all MS"
case? Sure, the real killer is likely SA, and the ClamSMTP thing will
avoid that... I wonder if the clamav milter would be a "nicer"
solution, avoiding your current problem...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Tue Feb 5 11:45:21 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Feb 5 11:45:48 2008
Subject: OT: RepuScore
Message-ID: <6039536.3061202211921496.JavaMail.root@office.splatnix.net>

Any of you stumbled across this http://isr.uncc.edu/RepuScore/ yet ? Looks pretty interesting.

Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Tue Feb 5 12:04:04 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 5 12:04:15 2008 Subject: How to get certain things through In-Reply-To: References: Message-ID: <223f97700802050404l3c5d71ebi4de1635d131f964a@mail.gmail.com> On 05/02/2008, Edward Dekkers wrote: > Example of rejected message I'm sending (relevant names/IPs changed) > > Our e-mail content detector has just been triggered by a message you sent: > To: > Subject: Try again > Date: Tue Feb 5 19:22:40 2008 > > One or more of the attachments (menu_content.js, warrantyresult.asp.htm, > validate.js, support.js, utilities.js, Westan.zip, fw_menu.js) are on > the list of unacceptable attachments for this site and will not have > been delivered. > > Consider renaming the files to avoid this constraint. > > The virus detector said this about the message: > Report: Report: MailScanner: JScript Scripts are dangerous in email > (menu_content.js) > Report: MailScanner: Attempt to hide real filename extension > (warrantyresult.asp.htm) > Report: MailScanner: JScript Scripts are dangerous in email (support.js) > Report: MailScanner: JScript Scripts are dangerous in email (validate.js) > Report: MailScanner: JScript Scripts are dangerous in email (utilities.js) > Report: MailScanner: JScript Scripts are dangerous in email (fw_menu.js) > > > -- > MailScanner > Email Virus Scanner > > > > For all your IT requirements visit: http://www.transtec.co.uk > > I've added my recipient to the spam.whitelist.rules and whitelist.rules: > > FromOrTo: *@ yes > > The message attachment still gets quarantined. 
Yes, of course. What would the SPAM whitelist have to do with Dangerous Content scanning? Nothing, of course:-).
This is a rule in filename.rules.conf that triggers. To "whitelist" that, look at this wiki page:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading
... To easily create a filename.whitelist.rules.conf, just copy the existing file and change every deny (in the first column) to accept ... then apply that as described on the page;-)

> Is there any way to say like "listen up MailScanner - whenever I send to the
> following address, just shut the hell up and send it already, don't even
> bother looking at this message"

Yes, with a ruleset on the "Scan Messages" setting ...

> Reason I ask is that this is the second time something like this has
> happened, and when I send stuff OUT of my network, sometimes I need to send
> stuff like this.
>
> I'd already zipped the files too, but MailScanner is obviously too clever
> for that as well.
>
You can use the Archive Depth thing to control this. Has been covered in the past. Look in the archives.

> Regards,
> Ed.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Tue Feb 5 12:45:14 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Feb 5 12:45:37 2008
Subject: How to get certain things through
In-Reply-To:
Message-ID: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com>

Edward

There's a 'big knob' at the top of MailScanner.conf called Scan Messages.

You can add a ruleset here for the addresses you want NO scanning at all to happen.....NB best to avoid FROM fred@domain.com as this is easily spoofed.
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Edward Dekkers > Sent: 05 February 2008 11:03 > To: MailScanner discussion > Subject: How to get certain things through > > Example of rejected message I'm sending (relevant names/IPs changed) > > Our e-mail content detector has just been triggered by a message you sent: > To: > Subject: Try again > Date: Tue Feb 5 19:22:40 2008 > > One or more of the attachments (menu_content.js, warrantyresult.asp.htm, > validate.js, support.js, utilities.js, Westan.zip, fw_menu.js) are on > the list of unacceptable attachments for this site and will not have > been delivered. > > Consider renaming the files to avoid this constraint. > > The virus detector said this about the message: > Report: Report: MailScanner: JScript Scripts are dangerous in email > (menu_content.js) > Report: MailScanner: Attempt to hide real filename extension > (warrantyresult.asp.htm) > Report: MailScanner: JScript Scripts are dangerous in email (support.js) > Report: MailScanner: JScript Scripts are dangerous in email (validate.js) > Report: MailScanner: JScript Scripts are dangerous in email (utilities.js) > Report: MailScanner: JScript Scripts are dangerous in email (fw_menu.js) > > > -- > MailScanner > Email Virus Scanner > > > > For all your IT requirements visit: http://www.transtec.co.uk > > I've added my recipient to the spam.whitelist.rules and whitelist.rules: > > FromOrTo: *@ yes > > The message attachment still gets quarantined. 
> > Is there any way to say like "listen up MailScanner - whenever I send to > the > following address, just shut the hell up and send it already, don't even > bother looking at this message" > > Reason I ask is that this is the second time something like this has > happened, and when I send stuff OUT of my network, sometimes I need to > send > stuff like this. > > I'd already zipped the files too, but MailScanner is obviously too clever > for that as well. > > Regards, > Ed. > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From pascal.maes at elec.ucl.ac.be Tue Feb 5 13:18:07 2008 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Tue Feb 5 13:18:19 2008 Subject: "Is Definitely Spam" rule not working ? In-Reply-To: <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> Message-ID: <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> Le 05-f?vr.-08 ? 12:31, Glenn Steen a ?crit : > On 05/02/2008, Pascal Maes wrote: >> >> Le 05-f?vr.-08 ? 09:45, Glenn Steen a ?crit : >> >>> On 05/02/2008, Glenn Steen wrote: >>>> On 05/02/2008, Pascal Maes wrote: >>> (snip) >>>>> Then Postfix puts the message in the HOLD queue where MailScanner >>>>> takes it and puts it back into the Postfix queue. >>>>> >>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP >>>>> address otherwise why is the "Is Definitely Not Spam" rule >>>>> working : >>>>> >>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message >>>>> E8686E9102.A7655 >>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org >>>>> ) is whitelisted >>>>> >>>>> >>>>> Regards >>>> Anything happening to the message _after_ MailScaner doesn't hjave >>>> any >>>> impact on your problem... What happens before though... You have to >>>> make sure that your SA trust_path is OK, and all should be well. >>>> Why >>>> do you use the ClamSMTP thing at all? 
>>>>
>>>> Cheers
>>> Oh, sorry, not an sa issue... Still, the last client to handle
>>> this is
>>> the clamsmtp thing, which might just be the problem.
>>> Again, why do you use that? Theoretically MailScanner (through the
>>> batching, and using either clamavmodule or clamd) should be more
>>> efficient and less likely to be able to be DoS'd... That
>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>
>> One advantage of using ClamSMTP is the reject of the worm at the
>> connection time.
>> As we receive a lot of mail per day, it's not negligible.
>
> No, but then neither is the resource drain;-).
>
>> As MailScanner is using McAfee, we have two different AV to check the
>> messages.
>
> Prudent, but did you look at processing times etc for the "all MS"
> case?
> Sure, the real killer is likely SA, and the ClamSMTP thing will
> avoid that...
> I wonder if the clamav milter would be a "nicer" solution, avoiding
> your current problem...
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --

OK, I have included some MailScanner::Log::InfoLog in Config.pm to see what happens.
All the clientip are 127.0.0.1 :-(

Whitelisting is working because the check is done on the From address and not on the client IP.
The blacklisting, in that case, doesn't work because it's an IP address.

So, we can't use before-filter with Postfix and MailScanner and hope that the white or black listing will work with IP addresses even if we use the smtpd_authorized_xforward_hosts.

Is that right?

If yes, what's the use of smtpd_authorized_xforward_hosts (to be posted on the postfix list also)?
-- Pascal From glenn.steen at gmail.com Tue Feb 5 13:35:03 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 5 13:35:15 2008 Subject: "Is Definitely Spam" rule not working ? In-Reply-To: <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> References: <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> Message-ID: <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> On 05/02/2008, Pascal Maes wrote: > > Le 05-f?vr.-08 ? 12:31, Glenn Steen a ?crit : > > > On 05/02/2008, Pascal Maes wrote: > >> > >> Le 05-f?vr.-08 ? 09:45, Glenn Steen a ?crit : > >> > >>> On 05/02/2008, Glenn Steen wrote: > >>>> On 05/02/2008, Pascal Maes wrote: > >>> (snip) > >>>>> Then Postfix puts the message in the HOLD queue where MailScanner > >>>>> takes it and puts it back into the Postfix queue. > >>>>> > >>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP > >>>>> address otherwise why is the "Is Definitely Not Spam" rule > >>>>> working : > >>>>> > >>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message > >>>>> E8686E9102.A7655 > >>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org > >>>>> ) is whitelisted > >>>>> > >>>>> > >>>>> Regards > >>>> Anything happening to the message _after_ MailScaner doesn't hjave > >>>> any > >>>> impact on your problem... What happens before though... You have to > >>>> make sure that your SA trust_path is OK, and all should be well. > >>>> Why > >>>> do you use the ClamSMTP thing at all? > >>>> > >>>> Cheers > >>> Oh, sorry, not an sa issue... Still, yhe last client to handle > >>> this is > >>> the clamsmtp thing, which might just be the problem. 
> >>> Again, why do you use that? Theoretically MailScanner (through the
> >>> batching, and using either clamavmodule or clamd) should be more
> >>> efficient and less likely to be able to be DoS'd... That
> >>> "not-really-part-of-SMTP-flow insulation" is ... golden.
> >>>
> >>> Cheers
> >>> --
> >>> -- Glenn
> >>> email: glenn < dot > steen < at > gmail < dot > com
> >>> work: glenn < dot > steen < at > ap1 < dot > se
> >>
> >> One advantage of using ClamSMTP is the reject of the worm at the
> >> connection time.
> >> As we receive a lot of mail per day, it's not negligible.
> >
> > No, but then neither is the resource drain;-).
> >
> >> As MailScanner is using McAfee, we have two different AV to check the
> >> messages.
> >
> > Prudent, but did you look at processing times etc for the "all MS"
> > case?
> > Sure, the real killer is likely SA, and the ClamSMTP thing will
> > avoid that...
> > I wonder if the clamav milter would be a "nicer" solution, avoiding
> > your current problem...
> >
> > Cheers
> > --
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
> > --
>
> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
> what happens.
> All the clientip are 127.0.0.1 :-(
>
> Whitelisting is working because the check is done on the From address
> and not on the client IP.
> The blacklisting, in that case, doesn't work because it's an IP address.
>
> So, we can't use before-filter with Postfix and MailScanner and hope
> that the white or black listing will work with IP addresses even if we
> use the smtpd_authorized_xforward_hosts.
>
> Is that right ?

Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding" loopback when determining the ip... Perhaps a bit like SA does it (with the trust thing).

> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> posted on the postfix list also) ?

Good question. Perhaps one (Jules) could use that...:).
BTW, wear your asbestos underwear when telling the pf-list your problem... they seriously dislike MS... still...:(.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Denis.Beauchemin at usherbrooke.ca Tue Feb 5 15:46:25 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue Feb 5 15:48:29 2008
Subject: SPAM in .DOC
Message-ID: <47A884D1.4010806@USherbrooke.ca>

Hello all,

How do you fight spam in .DOC files? We seem to be receiving more every day and it slips through most of the time.

Is there some SA plugin that could be used?

Thanks!

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From MailScanner at ecs.soton.ac.uk Tue Feb 5 18:01:36 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Feb 5 18:02:01 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>
References: <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>
Message-ID: <47A8A480.3010706@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
> On 05/02/2008, Pascal Maes wrote:
>
>> On 05-Feb-08 at 12:31, Glenn Steen wrote:
>>
>>
>>> On 05/02/2008, Pascal Maes wrote:
>>>
>>>> On 05-Feb-08 at 09:45, Glenn Steen wrote:
>>>>
>>>>
>>>>> On 05/02/2008, Glenn Steen wrote:
>>>>>
>>>>>> On 05/02/2008, Pascal Maes wrote:
>>>>>>
>>>>> (snip)
>>>>>
>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner
>>>>>>> takes it and puts it back into the Postfix queue.
>>>>>>>
>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule
>>>>>>> working :
>>>>>>>
>>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message
>>>>>>> E8686E9102.A7655
>>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
>>>>>>> ) is whitelisted
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>> Anything happening to the message _after_ MailScanner doesn't have
>>>>>> any
>>>>>> impact on your problem... What happens before though... You have to
>>>>>> make sure that your SA trust_path is OK, and all should be well.
>>>>>> Why
>>>>>> do you use the ClamSMTP thing at all?
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>> Oh, sorry, not an sa issue... Still, the last client to handle
>>>>> this is
>>>>> the clamsmtp thing, which might just be the problem.
>>>>> Again, why do you use that? Theoretically MailScanner (through the
>>>>> batching, and using either clamavmodule or clamd) should be more
>>>>> efficient and less likely to be able to be DoS'd... That
>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
>>>>>
>>>>> Cheers
>>>>> --
>>>>> -- Glenn
>>>>> email: glenn < dot > steen < at > gmail < dot > com
>>>>> work: glenn < dot > steen < at > ap1 < dot > se
>>>>>
>>>> One advantage of using ClamSMTP is the reject of the worm at the
>>>> connection time.
>>>> As we receive a lot of mail per day, it's not negligible.
>>>>
>>> No, but then neither is the resource drain;-).
>>>
>>>
>>>> As MailScanner is using McAfee, we have two different AV to check the
>>>> messages.
>>>>
>>> Prudent, but did you look at processing times etc for the "all MS"
>>> case?
>>> Sure, the real killer is likely SA, and the ClamSMTP thing will
>>> avoid that...
>>> I wonder if the clamav milter would be a "nicer" solution, avoiding
>>> your current problem...
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>> --
>>>
>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
>> what happens.
>> All the clientip are 127.0.0.1 :-(
>>
>> Whitelisting is working because the check is done on the From address
>> and not on the client IP.
>> The blacklisting, in that case, doesn't work because it's an IP address.
>>
>> So, we can't use before-filter with Postfix and MailScanner and hope
>> that the white or black listing will work with IP addresses even if we
>> use the smtpd_authorized_xforward_hosts.
>>
>> Is that right ?
>>
>
> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding"
> loopback when determining the ip... Perhaps a bit like SA does it
> (with the trust thing).
>
I can't do that. MailScanner directly reads the IP address of the TCP/IP connection source, it doesn't involve looking at the headers of the message at all.

>
>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
>> posted on the postfix list also) ?
>>
> Good question. Perhaps one (Jules) could use that...:).
> BTW, wear your asbestos underwear when telling the pf-list your
> problem... they seriously dislike MS... still...:(.
>
Don't expect to get anything useful from the Postfix list about MailScanner.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: Use Thunderbird's Enigmail add-on to verify this message Charset: ISO-8859-1 wj8DBQFHqKSBEfZZRxQVtlQRAtIBAKDAH66JUoxeiDrlsor/EyyXDTiRxQCgiYMT tPDr+UYiud5jntzIQsY1x9k= =wnfG -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin_Miller at ci.juneau.ak.us Tue Feb 5 18:11:45 2008 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Feb 5 18:11:07 2008 Subject: "Is Definitely Spam" rule not working ? In-Reply-To: <47A8A480.3010706@ecs.soton.ac.uk> References: <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be><223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> <47A8A480.3010706@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Don't expect to get anything useful from the Postfix list about > MailScanner. About as likely as Manchester United winning the Superbowl, eh? ;-) ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From gerard at seibercom.net Tue Feb 5 18:32:07 2008 From: gerard at seibercom.net (Gerard) Date: Tue Feb 5 18:32:45 2008 Subject: "Is Definitely Spam" rule not working ? 
In-Reply-To: <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
Message-ID: <20080205133207.60cad375@scorpio>

On Tue, 5 Feb 2008 14:18:07 +0100 Pascal Maes wrote:

[snip]

> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> posted on the postfix list also) ?

Guess I am going to have to keep up with the Postfix forum to see how this turns out. Somehow I think it is going to be futile.

--
Gerard
gerard@seibercom.net

LOVE: Love ties in a knot in the end of the rope.

From ka at pacific.net Tue Feb 5 19:46:31 2008
From: ka at pacific.net (Ken A)
Date: Tue Feb 5 19:46:43 2008
Subject: OT: RepuScore
In-Reply-To: <6039536.3061202211921496.JavaMail.root@office.splatnix.net>
References: <6039536.3061202211921496.JavaMail.root@office.splatnix.net>
Message-ID: <47A8BD17.4020600@pacific.net>

--[ UxBoD ]-- wrote:
> Any of you stumbled across this http://isr.uncc.edu/RepuScore/ yet ? Looks pretty interesting.
>
> Regards,
>
Hmmmm. They state that 35% of email is authenticated by DKIM, SenderID, SPF or other means. I doubt that statistic, but overall it does look promising.
http://www.usenix.org/events/lisa07/tech/full_papers/singaraju/singaraju_html/index.html

Ken

--
Ken Anderson
Pacific.Net

From rmcdona2 at uwo.ca Tue Feb 5 21:20:08 2008
From: rmcdona2 at uwo.ca (Robert McDonald)
Date: Tue Feb 5 21:20:18 2008
Subject: Restoring archived emails
Message-ID:

Hello All,

I am currently archiving mail to a directory using the Archive Mail option. My question is how would I go about restoring these files? I can see the files in the directory but they are not stored in the standard text email format I am used to seeing.

Thanks in advance

From scud at etailengine.com Tue Feb 5 22:23:23 2008
From: scud at etailengine.com (Pete Scudamore)
Date: Tue Feb 5 22:30:21 2008
Subject: MailScanner install problem
References: <010d01c836de$eeed0710$f105010a@pc>
Message-ID:

The problem occurs during the rpmbuild process in the post-install phase during the check-buildroot command. check-buildroot is designed to ensure there are no references to the temporary installation directory in the rpm. The way that variables are defined in the SPEC files has somehow changed in the build process.

The solution is to run ./install.sh from the unpackaged MailScanner directory. Let the install fail on the first build attempt. You can break out of the script using ^C.

Edit the /root/.rpmmacros file
Add the following line to the end of the file:

%__arch_install_post %{nil}

This tells rpmbuild not to run check-buildroot. All of the perl modules will now build into rpms normally. MailScanner will install correctly.

Cheers,
Scud

From glenn.steen at gmail.com Tue Feb 5 22:42:52 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 22:43:04 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47A8A480.3010706@ecs.soton.ac.uk> References: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> <47A8A480.3010706@ecs.soton.ac.uk> Message-ID: <223f97700802051442u7b337d95rb46238372102b332@mail.gmail.com> On 05/02/2008, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 05/02/2008, Pascal Maes wrote: > > > >> Le 05-f?vr.-08 ? 12:31, Glenn Steen a ?crit : > >> > >> > >>> On 05/02/2008, Pascal Maes wrote: > >>> > >>>> Le 05-f?vr.-08 ? 09:45, Glenn Steen a ?crit : > >>>> > >>>> > >>>>> On 05/02/2008, Glenn Steen wrote: > >>>>> > >>>>>> On 05/02/2008, Pascal Maes wrote: > >>>>>> > >>>>> (snip) > >>>>> > >>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner > >>>>>>> takes it and puts it back into the Postfix queue. > >>>>>>> > >>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP > >>>>>>> address otherwise why is the "Is Definitely Not Spam" rule > >>>>>>> working : > >>>>>>> > >>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message > >>>>>>> E8686E9102.A7655 > >>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org > >>>>>>> ) is whitelisted > >>>>>>> > >>>>>>> > >>>>>>> Regards > >>>>>>> > >>>>>> Anything happening to the message _after_ MailScaner doesn't hjave > >>>>>> any > >>>>>> impact on your problem... What happens before though... You have to > >>>>>> make sure that your SA trust_path is OK, and all should be well. > >>>>>> Why > >>>>>> do you use the ClamSMTP thing at all? > >>>>>> > >>>>>> Cheers > >>>>>> > >>>>> Oh, sorry, not an sa issue... 
Still, yhe last client to handle > >>>>> this is > >>>>> the clamsmtp thing, which might just be the problem. > >>>>> Again, why do you use that? Theoretically MailScanner (through the > >>>>> batching, and using either clamavmodule or clamd) should be more > >>>>> efficient and less likely to be able to be DoS'd... That > >>>>> "not-really-part-of-SMTP-flow insulation" is ... golden. > >>>>> > >>>>> Cheers > >>>>> -- > >>>>> -- Glenn > >>>>> email: glenn < dot > steen < at > gmail < dot > com > >>>>> work: glenn < dot > steen < at > ap1 < dot > se > >>>>> > >>>> One advantage of using ClamSMTP is the reject of the worm at the > >>>> connection time. > >>>> As we receive a lot of mail per day, it's not negligible. > >>>> > >>> No, but then neither is the resource drain;-). > >>> > >>> > >>>> As MailScanner is using McAffe, we have two different AV to check the > >>>> messages. > >>>> > >>> Prudent, but did you look at processing times etc for the "all MS" > >>> case? > >>> Sure, the real killer is likely SA, and the ClamSMTP thing will > >>> avoid that... > >>> I wonder if the clamav milter would be a "nicer" solution, avoiding > >>> your current problem... > >>> > >>> Cheers > >>> -- > >>> -- Glenn > >>> email: glenn < dot > steen < at > gmail < dot > com > >>> work: glenn < dot > steen < at > ap1 < dot > se > >>> -- > >>> > >> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see > >> what happens. > >> All the clientip are 127.0.0.1 :-( > >> > >> Whitelisting is working because the check is done on the From address > >> and not on the client IP. > >> The blacklisting, in that case doesn't work because it's an IP address. > >> > >> So, we can't use before-filter with Postifx and MailScanner and hope > >> that the white or black listing will work with IP addresses even we > >> use the smtpd_authorized_xforward_hosts. > >> > >> Is that right ? > >> > > > > Yes, AFAICS. 
Unless we ask Jules nicely to facilitate "disregarding"
> > loopback when determining the ip... Perhaps a bit like SA does it
> > (with the trust thing).
> >
> I can't do that. MailScanner directly reads the IP address of the TCP/IP
> connection source, it doesn't involve looking at the headers of the
> message at all.

True. Bummer.
That completely defeats any such "smtp base pre-filters" to work (any MTA) in conjunction with IP-based rulesets. Really bad, that... since using the email to/from address for WL is so... spoofable...:(.
Oh well, Pascal will have to look at the milter route then... Or let MS do all AV...

> >
> >> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> >> posted on the postfix list also) ?
> >>
> > Good question. Perhaps one (Jules) could use that...:).
> > BTW, wear your asbestos underwear when telling the pf-list your
> > problem... they seriously dislike MS... still...:(.
> >
> Don't expect to get anything useful from the Postfix list about MailScanner.

Hehe, we know what they'll say:-). And what other product they'll tote...:/.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Feb 5 22:45:06 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 22:45:23 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> <47A8A480.3010706@ecs.soton.ac.uk>
Message-ID: <223f97700802051445m599e3e64uec8ec407d4cfcbe0@mail.gmail.com>

On 05/02/2008, Kevin Miller wrote:
> Julian Field wrote:
>
> > Don't expect to get anything useful from the Postfix list about
> > MailScanner.
>
> About as likely as Manchester United winning the Superbowl, eh?
> ;-)
>
Probably much less likely than that...:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Feb 5 22:55:02 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 22:55:12 2008
Subject: Restoring archived emails
In-Reply-To:
References:
Message-ID: <223f97700802051455o5f8a776agb2a60009d9449891@mail.gmail.com>

On 05/02/2008, Robert McDonald wrote:
> Hello All,
>
> I am currently archiving mail to a directory using the Archive Mail option.
> My question is how would I go about restoring these files? I can see the
> files in the directory but they are not stored in the standard text email
> format I am used to seeing.
>
> Thanks in advance

Look at the instructions to release from quarantine specific for your MTA (example: look at postfix->howto->release_form_quarantine ... or somesuch):
http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:mta
.... provided your archived mail files are the actual queue files (they could be other things as well.... like mbox files...).
If you use Postfix, you can use the postcat command to look at the content of the queue file.
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From edward at tdcs.com.au Tue Feb 5 23:39:19 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Tue Feb 5 23:40:09 2008 Subject: How to get certain things through In-Reply-To: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> Message-ID: > Edward > > There's a 'big knob' at the top of MailScanner.conf called Scan > Messages. > > You can add ruleset here for the addresses you want NO scanning at all > to happen.....NB best to avoid FROM fred@domain.com as this is easily > spoofed. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 Well, not quite at the top of my file, but a search found it. I changed it from: Scan Messages = yes To Scan Messages = %rules-dir%/scan.messages.rules And copied my spam.whitelist.rules to scan.messages.rules My spam.whitelist.rules only had a couple of domains in it in the form: FromOrTo: *@ yes So I'm assuming the syntax is the same. I've restarted MailScanner and I'm crossing my fingers. Thanks for your help. (And Glenn too). Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From edward at tdcs.com.au Wed Feb 6 00:23:22 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Wed Feb 6 00:24:14 2008 Subject: How to get certain things through In-Reply-To: References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> Message-ID: > Well, not quite at the top of my file, but a search found it. > > I changed it from: > > Scan Messages = yes > To > Scan Messages = %rules-dir%/scan.messages.rules > > And copied my spam.whitelist.rules to scan.messages.rules > > My spam.whitelist.rules only had a couple of domains in it in the form: > > FromOrTo: *@ yes > > So I'm assuming the syntax is the same. 
> > I've restarted MailScanner and I'm crossing my fingers. > > Thanks for your help. (And Glenn too). > > Regards, > Ed. Sorry to continue on with this thread guys, but the attachments are still getting stripped. I've added my e-mail domain to the scan.messages.rules in the form: FromOrTo: *@ yes I've checked the permissions on the .rules files and even tried 0777 just to allow everything to read it. But to no avail (yes, I did remember to restart MailScanner too). It is either ignoring this file or something else funky is going on. In summary - I can't send a mail with an unacceptable (to MailScanner) attachment, even when I specifically allow it in my scan.messages.rules. Any way I can debug this further? Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Wed Feb 6 05:00:02 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Feb 6 05:00:37 2008 Subject: How to get certain things through In-Reply-To: References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> Message-ID: <47A93ED2.10904@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Edward Dekkers wrote: |> Well, not quite at the top of my file, but a search found it. |> |> I changed it from: |> |> Scan Messages = yes |> To |> Scan Messages = %rules-dir%/scan.messages.rules |> |> And copied my spam.whitelist.rules to scan.messages.rules |> |> My spam.whitelist.rules only had a couple of domains in it in the form: |> |> FromOrTo: *@ yes |> |> So I'm assuming the syntax is the same. |> |> I've restarted MailScanner and I'm crossing my fingers. |> |> Thanks for your help. (And Glenn too). |> |> Regards, |> Ed. | | Sorry to continue on with this thread guys, but the attachments are still | getting stripped. 
I've added my e-mail domain to the scan.messages.rules in | the form: | | FromOrTo: *@ yes | | I've checked the permissions on the .rules files and even tried 0777 just to | allow everything to read it. But to no avail (yes, I did remember to restart | MailScanner too). | | It is either ignoring this file or something else funky is going on. | | In summary - I can't send a mail with an unacceptable (to MailScanner) | attachment, even when I specifically allow it in my scan.messages.rules. What is your file attachment config? My default rules do not allow proprietary document formats to pass and for those relatives that want to pass them along I use another (more loosely) set of rules. #H#Filename Rules = %etc-dir%/filename.rules.conf Filename Rules = %rules-dir%/filenames.rules Then take it from there to make your rules set more or less strict per user/domain/..... Do not forget to do this for your filetypes also! Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHqT7QBvzDRVjxmYERAsRAAJ99A2t40WVjCZtKGFb6bRXMQpyJiQCgm7FW coAhTHPvWcVDl8aWSiVm/UQ= =6rmH -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Wed Feb 6 05:06:32 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Feb 6 05:07:00 2008 Subject: OT: RepuScore In-Reply-To: <47A8BD17.4020600@pacific.net> References: <6039536.3061202211921496.JavaMail.root@office.splatnix.net> <47A8BD17.4020600@pacific.net> Message-ID: <47A94058.6020505@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ken A wrote: | --[ UxBoD ]-- wrote: |> Any of you stumbled across this http://isr.uncc.edu/RepuScore/ yet ? |> Looks pretty interesting. |> |> Regards, |> | | Hmmmm. 
They state that 35% of email is authenticated by DKIM, SenderID, | SPF or other means. I doubt that statistic, but overall it does look | promising. | http://www.usenix.org/events/lisa07/tech/full_papers/singaraju/singaraju_html/index.html It is 35% of all authenticated email. That is quite a distiction. I use SPF for the family domain and add GPG myself to my email as a bonus. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHqUBWBvzDRVjxmYERAlMVAJsEtwHTe7i9Djk8qYNzU4NcuW9NKwCgphrW DcM+RnMwNdpj+GfMznIZUPA= =msuf -----END PGP SIGNATURE----- From edward at tdcs.com.au Wed Feb 6 05:46:45 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Wed Feb 6 05:47:35 2008 Subject: How to get certain things through In-Reply-To: <47A93ED2.10904@vanderkooij.org> References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> <47A93ED2.10904@vanderkooij.org> Message-ID: > What is your file attachment config? My default rules do not allow > proprietary document formats to pass and for those relatives that want > to pass them along I use another (more loosely) set of rules. > > #H#Filename Rules = %etc-dir%/filename.rules.conf > Filename Rules = %rules-dir%/filenames.rules > > Then take it from there to make your rules set more or less strict per > user/domain/..... > > Do not forget to do this for your filetypes also! > > Hugo. This is where it gets confusing. There does not appear to be a global "Ignore scanning from my local network outbound" kind of thing and if there is, I cannot get it to work. I've found the filename.rules.conf and the filetype.rules.conf (in the %etc-dir%) which seem to be responsible for killing off my attachment. 
I've modified the MailScanner.conf to have: Allow Filenames = %rules-dir%/allow.filenames.rules Allow Filetypes = %rules-dir%/allow.filetypes.rules I ASSUME these are the sorts of files you are talking about. Well, I've added my details to both the above mentioned files (which I touched to create) From: 192.168.0. yes From: yes It's still killing off (in this case) EXE files. Surely I'm just stupid and this IS possible? When I run updatedb and then locate MailScanner.conf I only seem to have one copy of this, so it IS looking at it, just not reacting to some of the options. Or is it? Am I screwing up somewhere else? Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Wed Feb 6 06:21:57 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Feb 6 06:22:36 2008 Subject: How to get certain things through In-Reply-To: References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> <47A93ED2.10904@vanderkooij.org> Message-ID: <47A95205.6030907@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Edward Dekkers wrote: |> What is your file attachment config? My default rules do not allow |> proprietary document formats to pass and for those relatives that want |> to pass them along I use another (more loosely) set of rules. |> |> #H#Filename Rules = %etc-dir%/filename.rules.conf |> Filename Rules = %rules-dir%/filenames.rules |> |> Then take it from there to make your rules set more or less strict per |> user/domain/..... |> |> Do not forget to do this for your filetypes also! | | This is where it gets confusing. | | There does not appear to be a global "Ignore scanning from my local network | outbound" kind of thing and if there is, I cannot get it to work. | | I've found the filename.rules.conf and the filetype.rules.conf (in the | %etc-dir%) which seem to be responsible for killing off my attachment. 
| | I've modified the MailScanner.conf to have: | | Allow Filenames = %rules-dir%/allow.filenames.rules | Allow Filetypes = %rules-dir%/allow.filetypes.rules Leave these lines empty as they were! Or use them properly. | I ASSUME these are the sorts of files you are talking about. No. Most definitely not. | Well, I've added my details to both the above mentioned files (which I | touched to create) | | From: 192.168.0. yes | From: yes So you now allowed the file extension yes and the filetype yes in there. I have never seen that extension in use. But perhaps they have their uses in your case. If you use a rule file instead of a rule in the config file your rulefile must follow the conventions for the rule in the original config file. So let's do this again. Shall we?

In %etc-dir%/MailScanner.conf:

# Do not use these!!!
Allow Filenames =
Deny Filenames =
Allow Filetypes =
Deny Filetypes =
# But use these
Filename Rules = %rules-dir%/filenames.rules
Filetype Rules = %rules-dir%/filetypes.rules

Then in %rules-dir%/filenames.rules
Describe which filename config file to use for each user:

FromOrTo: harry@... %etc-dir%/filename-loose.rules.conf
FromOrTo: hugo@... %etc-dir%/filename-strict.rules.conf
....

Then copy filename.rules.conf to filename-loose.rules.conf and remove whatever you do not want to be stopped by MailScanner. And the strict file can get added whatever you do not wish to pass. The filetype thing works in a similar fashion to the filename rules. Do not forget to work out both of them to make it work. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHqVICBvzDRVjxmYERAp5lAKCh5w+aObG/22nRxGgZsWtd+7ynpwCdGmo1 U5ZM4jlkebHsZCYnDenAEYU= =S+iN -----END PGP SIGNATURE----- From edward at tdcs.com.au Wed Feb 6 07:02:25 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Wed Feb 6 07:03:11 2008 Subject: How to get certain things through In-Reply-To: <47A95205.6030907@vanderkooij.org> References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> <47A93ED2.10904@vanderkooij.org> <47A95205.6030907@vanderkooij.org> Message-ID: > So let's d this again. Shall we? I think that's a great idea. > > In %etc-dir%/MailScanner.conf: > > # Do not use these!!! > Allow Filenames = > Deny Filenames = > Allow Filetypes = > Deny Filetypes = > # But use these > Filename Rules = %rules-dir%/filenames.rules > Filetype Rules = %rules-dir%/filetypes.rules > > Then in %rules-dir%/filenames.rules > Describe which filename config file to use for each user: > > FromOrTo: harry@... %etc-dir%/filename-loose.rules.conf > FromOrTo: hugo@... %etc-dir%/filename- > strict.rules.conf > .... > > Then copy filename.rules.conf to filename-loose.rules.conf and remove > whatever you do not want to be stopped by MailScanner. > > And the strict file can get added whatever you do not wish to pass. > > The filetype thing works in a similar fashion to the filename rules. Do > not forget to work out both of them to make it work. > > Hugo. Hartstikke Bedankt Hugo. After sending my last e-mail I finally found some examples on the internet that went deeper into the file rules, so I was sort of heading there, but you got me over the line. I HAD confused the "Allow Filename" and "Allow Filetype" with the "Filename Rules" and "Filetype Rules" statements in the MailScanner.conf so without you I'd still be struggling. I now also understand the difference between a .conf and a .rules file. Appreciate it. All test messages from my account with EXE attachments now working. 
Any other content like jscript files are still being blocked (I left them in my loose rules file). So, all done - thank Hugo De Groeten, Ed -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alexbo at myself.com Wed Feb 6 08:39:27 2008 From: alexbo at myself.com (alexbo@myself.com) Date: Wed Feb 6 08:39:38 2008 Subject: internal ip address Message-ID: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> Hi there, my Linux server has MailScanner v4.65.3 with postfix v2.1.5 When, for example, I send a message from a pc whose internal ip address is 10.0.0.175 taking a look in the headers of outgoing mail I've seen the last header just before Message-ID to appear like that Received: from [10.0.0.175] (pc1 [10.0.0.175]) by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) Why the ip address of the sender is shown (twice) in square brackets ? My task is avoiding the outer world to know the internal ip of the sender... so googling on the internet I seen a similar case on www.securityfocus.com/archive/91/421789/30/ using "Remove These Headers" rule but after doing those modifications I've noticed that all outgoing mail is marked to be received from "Unknown". Many other searches on the net returned no results at all, so I will know if somebody could help this poor man how to hide internal ip address ot the sender avoiding last issue. -- Thank you, Alex -- Want an e-mail address like mine? Get a free e-mail account today at www.mail.com! 
From twiztar at gmail.com Wed Feb 6 10:12:12 2008 From: twiztar at gmail.com (Erik Weber) Date: Wed Feb 6 10:12:35 2008 Subject: Google maps blocked as .ico Message-ID: <47A987FC.3060500@gmail.com> I tried to send an (html) email with the following tag: and it gets blocked with the following message: Feb 4 09:34:10 mr1 MailScanner[10893]: Filename Checks: Windows icon file security vulnerability (EC92781E7A.38B97 mapdata?cc=no&Point=b&Point.latitude_e6=52536486&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185) Feb 4 09:34:10 mr1 MailScanner[10893]: Saved infected "mapdata%%3Fcc=no%%26.ico" to /var/spool/MailScanner/quarantine/20080204/EC92781E7A.38B97 The only reference to .ico files I have is this in filename.rules.conf: deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows Version information: This is Red Hat Enterprise Linux ES release 4 (Nahant Update 4) This is Perl version 5.008005 (5.8.5) 2.73 File::Basename 1.35 HTML::Entities 3.54 HTML::Parser 2.37 HTML::TokeParser 1.21 IO 1.10 IO::File 1.71 Mail::Header 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools I've only taken the packages I believe is relevant, if anything is missing or unclear please let me know. Any tips, solutions, advices on how to solve this is highly appreciated. -- Erik Weber From telecaadmin at gmail.com Wed Feb 6 10:16:44 2008 From: telecaadmin at gmail.com (Ronny T. 
Lampert) Date: Wed Feb 6 10:17:14 2008 Subject: How to get certain things through In-Reply-To: References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> Message-ID: <47A9890C.2030108@gmail.com> > Scan Messages = yes > To > Scan Messages = %rules-dir%/scan.messages.rules > > And copied my spam.whitelist.rules to scan.messages.rules > > My spam.whitelist.rules only had a couple of domains in it in the form: > > FromOrTo: *@ yes The scan.messages.rules is the opposite - if you want messages From: to be whitelisted (ie not scanned at all), you have to write "no" there. Example: From: main.internal.server no (no = do NOT scan!) BR, Ronny From glenn.steen at gmail.com Wed Feb 6 10:54:41 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 6 10:54:56 2008 Subject: internal ip address In-Reply-To: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> Message-ID: <223f97700802060254k7ff2dd5bq4bb8a4cb93be8071@mail.gmail.com> On 06/02/2008, alexbo@myself.com wrote: > Hi there, > my Linux server has MailScanner v4.65.3 with postfix v2.1.5 > When, for example, I send a message from a pc whose internal ip address is 10.0.0.175 taking a look in the headers of outgoing mail I've seen the last header just before Message-ID to appear like that > > Received: from [10.0.0.175] (pc1 [10.0.0.175]) > by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 > for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) > > Why the ip address of the sender is shown (twice) in square brackets ? > > My task is avoiding the outer world to know the internal ip of the sender... so googling on the internet I seen a similar case on > > www.securityfocus.com/archive/91/421789/30/ > > using "Remove These Headers" rule but after doing those modifications I've noticed that all outgoing mail is marked to be received from "Unknown". 
> Many other searches on the net returned no results at all, so I will know if somebody could help this poor man how to hide internal ip address ot the sender avoiding last issue. > > -- > Thank you, > Alex > Actually what you intend to do is in direct violation of the RFCs governing SMTP and e-mail. The "gained security" is minor and the information leak as such is negligible. The "rules broken" are of the MUST category, so the strongest there is in the standards. Be that as it may, this is actually not a MailScanner problem, it starts and ends at your MTA. When you try use the Remove These Headers feature of MailScanner to remove the "offending" Received: line, you likey end up without any valid Received line at all. I'd suggest you rethink your strategy, or at least let Postfix handle this (IIRC there are numerous examples on the net on how to do this... google (and www.postfix.org:-) is your friend here;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Feb 6 11:00:56 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 6 11:01:06 2008 Subject: Google maps blocked as .ico In-Reply-To: <47A987FC.3060500@gmail.com> References: <47A987FC.3060500@gmail.com> Message-ID: <223f97700802060300j5394c14ah7efb96bc13b8466f@mail.gmail.com> On 06/02/2008, Erik Weber wrote: > I tried to send an (html) email with the following tag: > > src="http://mt.google.com/mapdata?cc=no&Point=b&Point.latitude_e6=52536486&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185" > > > > and it gets blocked with the following message: > Feb 4 09:34:10 mr1 MailScanner[10893]: Filename Checks: Windows icon > file security vulnerability (EC92781E7A.38B97 > mapdata?cc=no&Point=b&Point.latitude_e6=52536486&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185) > Feb 4 09:34:10 mr1 MailScanner[10893]: Saved infected > "mapdata%%3Fcc=no%%26.ico" to > 
/var/spool/MailScanner/quarantine/20080204/EC92781E7A.38B97 > > The only reference to .ico files I have is this in filename.rules.conf: > deny \.ico$ Windows icon file security > vulnerability Possible buffer > overflow in Windows > > Version information: > This is Red Hat Enterprise Linux ES release 4 (Nahant Update 4) > This is Perl version 5.008005 (5.8.5) > 2.73 File::Basename > 1.35 HTML::Entities > 3.54 HTML::Parser > 2.37 HTML::TokeParser > 1.21 IO > 1.10 IO::File > 1.71 Mail::Header > 3.05 MIME::Base64 > 5.420 MIME::Decoder > 5.420 MIME::Decoder::UU > 5.420 MIME::Head > 5.420 MIME::Parser > 3.03 MIME::QuotedPrint > 5.420 MIME::Tools > > I've only taken the packages I believe is relevant, if anything is > missing or unclear please let me know. > Any tips, solutions, advices on how to solve this is highly appreciated. > If you want to pass attachments that are windoze icon files (or at least have that file name ending), then why don't you edit your copy of filename.rules.conf and allow that? Or is your gripe that this shouldn't have been treated as a file attachment in the first place? If so, provide a copy (preferably the message file from your quarantine) of the offending message... 
Put it on pastebin or somesuch...:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From twiztar at gmail.com Wed Feb 6 11:15:21 2008 From: twiztar at gmail.com (Erik Weber) Date: Wed Feb 6 11:15:38 2008 Subject: Google maps blocked as .ico In-Reply-To: <223f97700802060300j5394c14ah7efb96bc13b8466f@mail.gmail.com> References: <47A987FC.3060500@gmail.com> <223f97700802060300j5394c14ah7efb96bc13b8466f@mail.gmail.com> Message-ID: <47A996C9.6070504@gmail.com> Glenn Steen wrote: > On 06/02/2008, Erik Weber wrote: > >> I tried to send an (html) email with the following tag: >> >> > src="http://mt.google.com/mapdata?cc=no&Point=b&Point.latitude_e6=52536486&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185" >> > >> >> > If you want to pass attachments that are windoze icon files (or at > least have that file name ending), then why don't you edit your copy > of filename.rules.conf and allow that? > Or is your gripe that this shouldn't have been treated as a file > attachment in the first place? If so, provide a copy (preferably the > message file from your quarantine) of the offending message... Put it > on pastebin or somesuch...:) > > > It's not an attachment and it doesn't have an .ico ending, actually it doesn't have an ending at all. http://rafb.net/p/VvXN4O76.html is the relevant portion of the mail. -- Erik Weber From uxbod at splatnix.net Wed Feb 6 11:20:00 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 6 11:20:25 2008 Subject: Google maps blocked as .ico In-Reply-To: <47A996C9.6070504@gmail.com> Message-ID: <14368770.4171202296800192.JavaMail.root@office.splatnix.net> Its something wrong with the regex parsing as it is picking out .ico from Point.iconid=15 in the URL. 
Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Wed Feb 6 11:34:41 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 6 11:35:02 2008 Subject: Google maps blocked as .ico In-Reply-To: <14368770.4171202296800192.JavaMail.root@office.splatnix.net> Message-ID: <29597293.4351202297681623.JavaMail.root@office.splatnix.net> Hmmm. Thinking about this little problem. Could you post the whole message on that paste site, obviously sanitize it first for the email addresses. Would be good to see the MIME headers, as I wonder if it is being treated as a inline image. What email client was used to send it ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "--[ UxBoD ]--" wrote: > Its something wrong with the regex parsing as it is picking out .ico > from Point.iconid=15 in the URL. > > Regards, -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
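The two-level lookup described in the "How to get certain things through" thread and the `\.ico$` match from the "Google maps blocked as .ico" thread, as an added Python model (not MailScanner's own code, which is Perl, and not posted by anyone on the list). The addresses, the loose/strict file contents, the client IPs and the simplified first-match pattern handling are assumptions; the `.ico` rule and the two names are copied from the quoted log lines.

```python
import fnmatch
import re

# Constructed sample files modelled on the thread. Addresses are placeholders,
# and fields are separated by runs of spaces here (the real files use tabs).
SCAN_MESSAGES_RULES = """
From:      192.168.0.         no
FromOrTo:  default            yes
"""
FILENAMES_RULES = """
FromOrTo:  harry@example.com  filename-loose.rules.conf
FromOrTo:  default            filename-strict.rules.conf
"""
RULES_CONF = {
    "filename-strict.rules.conf": r"""
deny   \.ico$    Windows icon file security vulnerability   Possible buffer overflow in Windows
deny   \.exe$    Executable file                            No programs allowed
deny   \.jse?$   JScript file                               No scripts allowed
""",
    "filename-loose.rules.conf": r"""
deny   \.jse?$   JScript file                               No scripts allowed
""",
}

# Both strings are copied from the MailScanner log lines quoted in the thread.
URL_NAME = ("mapdata?cc=no&Point=b&Point.latitude_e6=52536486"
            "&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185")
SAVED_NAME = "mapdata%%3Fcc=no%%26.ico"


def pattern_matches(pattern, address, ip):
    """Simplified ruleset pattern: 'default', an IP or IP prefix, or an address glob."""
    if pattern == "default":
        return True
    if pattern[0].isdigit():                      # treated as an IP pattern
        if ip is None:
            return False
        return ip.startswith(pattern) if pattern.endswith(".") else ip == pattern
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())


def lookup(ruleset, sender, recipient, client_ip):
    """Return the value of the first rule that matches (assumed first-match-wins)."""
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        direction = direction.rstrip(":").lower()
        hit_from = pattern_matches(pattern, sender, client_ip)
        hit_to = pattern_matches(pattern, recipient, None)
        if ((direction == "from" and hit_from) or (direction == "to" and hit_to)
                or (direction == "fromorto" and (hit_from or hit_to))):
            return value.strip()
    return None


def check_filename(conf_text, name):
    """Apply allow/deny regex rules in order; the first regex that matches decides."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+| {2,}", line, maxsplit=3)
        action, regex = fields[0], fields[1]
        log_text = fields[2] if len(fields) > 2 else ""
        if re.search(regex, name):
            return action, log_text
    return "allow", "no rule matched"


def attachment_verdict(sender, recipient, client_ip, name):
    """Scan Messages decides whether anything is checked; Filename Rules picks the conf."""
    if lookup(SCAN_MESSAGES_RULES, sender, recipient, client_ip) == "no":
        return "not scanned", ""
    conf_name = lookup(FILENAMES_RULES, sender, recipient, client_ip)
    return check_filename(RULES_CONF[conf_name], name)


if __name__ == "__main__":
    outside = "203.0.113.9"   # constructed client address outside 192.168.0.
    cases = [
        ("harry@example.com", outside, "setup.exe"),
        ("harry@example.com", outside, "invoice.js"),
        ("bob@example.com", outside, "setup.exe"),
        ("bob@example.com", "192.168.0.12", "setup.exe"),
        ("bob@example.com", outside, URL_NAME),
        ("bob@example.com", outside, SAVED_NAME),
    ]
    for sender, ip, name in cases:
        verdict = attachment_verdict(sender, "someone@example.net", ip, name)
        print(f"{sender:18} {ip:13} {name[:28]:28} -> {verdict}")
```

With the anchored rule, only the name recorded in the "Saved infected" log line matches; the URL's own last component does not, whereas an unanchored `\.ico` would also hit `Point.iconid`.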
From Denis.Beauchemin at usherbrooke.ca Wed Feb 6 13:30:30 2008 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Wed Feb 6 13:31:58 2008 Subject: internal ip address In-Reply-To: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> Message-ID: <47A9B676.1010705@USherbrooke.ca> alexbo@myself.com wrote: > Hi there, > my Linux server has MailScanner v4.65.3 with postfix v2.1.5 > When, for example, I send a message from a pc whose internal ip address is 10.0.0.175 taking a look in the headers of outgoing mail I've seen the last header just before Message-ID to appear like that > > Received: from [10.0.0.175] (pc1 [10.0.0.175]) > by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 > for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) > > Why the ip address of the sender is shown (twice) in square brackets ? > > My task is avoiding the outer world to know the internal ip of the sender... Alex, The IP addresses you use are non-routable. That means nobody can access your computers from the internet because no router will allow them. So don't worry about the whole world knowing about your internal IP addresses. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From alexbo at myself.com Wed Feb 6 13:52:28 2008 From: alexbo at myself.com (alexbo@myself.com) Date: Wed Feb 6 13:52:38 2008 Subject: internal ip address Message-ID: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com> Thank you Denis for your reply. I realize what you wrote, but it appears to me that exposing internal ip addresses may lead anyone to know what is my internal network structure: the problem I am talking about is regarding an enterprise network, where various clients are involved in sending mail to the outer world. Is there a way to hide those internal ip addresses ? 
Regards, Alex > ----- Original Message ----- > From: "Denis Beauchemin" > To: "MailScanner discussion" > Subject: Re: internal ip address > Date: Wed, 06 Feb 2008 08:30:30 -0500 > > > alexbo@myself.com wrote: > > Hi there, > > my Linux server has MailScanner v4.65.3 with postfix v2.1.5 > > When, for example, I send a message from a pc whose internal ip > > address is 10.0.0.175 taking a look in the headers of outgoing > > mail I've seen the last header just before Message-ID to appear > > like that > > > > Received: from [10.0.0.175] (pc1 [10.0.0.175]) > > by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 > > for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) > > > > Why the ip address of the sender is shown (twice) in square brackets ? > > > > My task is avoiding the outer world to know the internal ip of the sender... > > Alex, > > The IP addresses you use are non-routable. That means nobody can > access your computers from the internet because no router will > allow them. So don't worry about the whole world knowing about > your internal IP addresses. > > Denis > > -- _ > °v° Denis Beauchemin, analyste > /(_)\ Université de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From alexbo at myself.com Wed Feb 6 14:02:33 2008 From: alexbo at myself.com (alexbo@myself.com) Date: Wed Feb 6 14:02:42 2008 Subject: internal ip address Message-ID: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com> I supposed what you wrote; is there at least a way to replace ip address (the one between square brackets) with my mail server public ip ? 
I asked for help in this list since seems to me that Postfix is tricked by MailScanner, i.e. header_checks is used with "hold" policy so other remedies can't apply. Forgive me if these are trivial tasks but I'm not an Administrator (with the capital A), so if there are clues for my issue I'd humbly ask for let me know them. -- Regards, Alex > ----- Original Message ----- > From: "Glenn Steen" > To: "MailScanner discussion" > Subject: Re: internal ip address > Date: Wed, 6 Feb 2008 11:54:41 +0100 > > > On 06/02/2008, alexbo@myself.com wrote: > > Hi there, > > my Linux server has MailScanner v4.65.3 with postfix v2.1.5 > > When, for example, I send a message from a pc whose internal ip > > address is 10.0.0.175 taking a look in the headers of outgoing > > mail I've seen the last header just before Message-ID to appear > > like that > > > > Received: from [10.0.0.175] (pc1 [10.0.0.175]) > > by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 > > for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) > > > > Why the ip address of the sender is shown (twice) in square brackets ? > > > > My task is avoiding the outer world to know the internal ip of > > the sender... so googling on the internet I seen a similar case on > > > > www.securityfocus.com/archive/91/421789/30/ > > > > using "Remove These Headers" rule but after doing those > > modifications I've noticed that all outgoing mail is marked to be > > received from "Unknown". > > Many other searches on the net returned no results at all, so I > > will know if somebody could help this poor man how to hide > > internal ip address ot the sender avoiding last issue. > > > > -- > > Thank you, > > Alex > > > Actually what you intend to do is in direct violation of the RFCs > governing SMTP and e-mail. The "gained security" is minor and the > information leak as such is negligible. The "rules broken" are of the > MUST category, so the strongest there is in the standards. 
> > Be that as it may, this is actually not a MailScanner problem, it > starts and ends at your MTA. > When you try use the Remove These Headers feature of MailScanner to > remove the "offending" Received: line, you likey end up without any > valid Received line at all. > > I'd suggest you rethink your strategy, or at least let Postfix handle > this (IIRC there are numerous examples on the net on how to do this... > google (and www.postfix.org:-) is your friend here;-). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Want an e-mail address like mine? Get a free e-mail account today at www.mail.com! From uxbod at splatnix.net Wed Feb 6 14:04:43 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 6 14:05:10 2008 Subject: internal ip address In-Reply-To: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com> Message-ID: <8652792.5011202306683195.JavaMail.root@office.splatnix.net> why does it matter? most enterprise networks use a private range anyway, and therefore non-routable from the outside. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- alexbo@myself.com wrote: > Thank you Denis for your reply. > I realize what you wrote, but it appears to me that exposing internal > ip addresses may lead anyone to know what is my internal network > structure: > the problem I am talking about is regarding an enterprise network, > where various clients are involved in sending mail to the outer > world. 
> Is there a way to hide those internal ip addresses ?
> Regards,
> Alex

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From glenn.steen at gmail.com Wed Feb 6 16:13:30 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Feb 6 16:13:40 2008
Subject: internal ip address
In-Reply-To: <8652792.5011202306683195.JavaMail.root@office.splatnix.net>
References: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com> <8652792.5011202306683195.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com>

On 06/02/2008, --[ UxBoD ]-- wrote:
> why does it matter? most enterprise networks use a private range anyway, and therefore non-routable from the outside.
>
> Regards,

I think the reasoning is that "vital" topological info will "leak"... The value of such info is very limited, as a means for an attack, so one really has to try to balance the "value" gained with the value lost (in breaking traceability... the thing that makes Received lines sacrosanct).

> ----- alexbo@myself.com wrote:
>
> > Thank you Denis for your reply.
> > I realize what you wrote, but it appears to me that exposing internal
> > ip addresses may lead anyone to know what is my internal network
> > structure:
> > the problem I am talking about is regarding an enterprise network,
> > where various clients are involved in sending mail to the outer
> > world.
> > Is there a way to hide those internal ip addresses ?
> > Regards,
> > Alex

ISTR this being discussed in the past, do a list search, it might turn up the info you need (Was it Hugo who did this...?)...
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Wed Feb 6 16:29:30 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Feb 6 16:29:47 2008
Subject: internal ip address
In-Reply-To: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com>
References: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com>
Message-ID:

on 2/6/2008 6:02 AM alexbo@myself.com spake the following:
> I supposed what you wrote; is there at least a way to replace ip address (the one between square brackets) with my mail server public ip ?
> I asked for help in this list since seems to me that Postfix is tricked by MailScanner, i.e. header_checks is used with "hold" policy so other remedies can't apply.
> Forgive me if these are trivial tasks but I'm not an Administrator (with the capital A), so if there are clues for my issue I'd humbly ask for let me know them.
> --

You keep trying to remove something that;
1) Has no real value to anyone in the outside world
2) Will probably break your messages.

If the anonymity is that important, you can try webmail running on the mail server. Then all the headers should have localhost.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080206/63448a32/signature.bin

From m.anderlini at database.it Wed Feb 6 16:36:26 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Feb 6 16:36:45 2008
Subject: [OT] sendmail max msg e queue times process
In-Reply-To: <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com>
References: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com><8652792.5011202306683195.JavaMail.root@office.splatnix.net> <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com>
Message-ID: <018e01c868de$6b162160$2e01a8c0@dbdomain.database.it>

This is a bit OT but I don't know where I can get help.

On a system using just sendmail ( version sendmail-8.13.1-3.2.el4) I would like to specify the max msg to process at a time and how often the queue should be processed.

Thanks for any help and sorry again for my worst English :-)

Best regards
Marcello

--
Message checked by the antivirus service of Database Informatica

From telecaadmin at gmail.com Wed Feb 6 16:51:18 2008
From: telecaadmin at gmail.com (Ronny T. Lampert)
Date: Wed Feb 6 16:51:30 2008
Subject: [OT] sendmail max msg e queue times process
Message-ID: <47A9E586.3080000@gmail.com>

Hi,

> On a system using just sendmail ( version sendmail-8.13.1-3.2.el4)
> I would like to specify the max msg to process at a time and how
> often the queue should be processed.

please do not hijack threads to start a new one (by replying to a message and starting a new thread).

Look here http://www.sendmail.org/~ca/email/man/sendmail.html

Depending on your distribution and configuration you might have to adjust your startup script.

Here's one option regarding "how often to process the mail":

-q[time]
Process saved messages in the queue at given intervals.
Then there is at http://www.sendmail.org/m4/tweaking_config.html

MaxQueueRunSize
"Essentially, this will stop reading each queue directory after this number of entries are reached"

Cheers,
Ronny

From hvdkooij at vanderkooij.org Wed Feb 6 18:37:46 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Feb 6 18:38:27 2008
Subject: internal ip address
In-Reply-To: <47A9B676.1010705@USherbrooke.ca>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca>
Message-ID: <47A9FE7A.8080308@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Denis Beauchemin wrote:
| alexbo@myself.com wrote:
|> Hi there,
|> my Linux server has MailScanner v4.65.3 with postfix v2.1.5
|> When, for example, I send a message from a pc whose internal ip
|> address is 10.0.0.175 taking a look in the headers of outgoing mail
|> I've seen the last header just before Message-ID to appear like that
|>
|> Received: from [10.0.0.175] (pc1 [10.0.0.175])
|> by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7
|> for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET)
|>
|> Why the ip address of the sender is shown (twice) in square brackets ?
|>
|> My task is avoiding the outer world to know the internal ip of the
|> sender...
|
| Alex,
|
| The IP addresses you use are non-routable. That means nobody can access
| your computers from the internet because no router will allow them. So
| don't worry about the whole world knowing about your internal IP addresses.

Those were my thoughts exactly.

However a lot of auditors will make remarks on this in their report and note it as information disclosures. Some of them might actually mark them as critical issues that MUST be resolved.

Ain't this a funny world?

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored?
Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHqf55BvzDRVjxmYERAtxEAJ9TYUyqQqi5rs3+Re69ltNzqSt0HACdFa2S
dDltFJS3gd82ekcyKQ0DloE=
=0WqL
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Wed Feb 6 18:40:08 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Feb 6 18:40:43 2008
Subject: [OT] sendmail max msg e queue times process
In-Reply-To: <018e01c868de$6b162160$2e01a8c0@dbdomain.database.it>
References: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com><8652792.5011202306683195.JavaMail.root@office.splatnix.net> <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com> <018e01c868de$6b162160$2e01a8c0@dbdomain.database.it>
Message-ID: <47A9FF08.7010704@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcello Anderlini wrote:
| This is a bit OT but I don't know where I can get help.

Try it with a fresh message. You have now hijacked another thread.

Perhaps you can try this yourself:
tar --with-feathers Marcello
;-)

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHqf8GBvzDRVjxmYERAgeuAKCUqUWT+3JeTXaRd9AtvZniZMLW3wCfXjWg
T7KGg/HHH9x5L0Wz/JBBweU=
=hSI+
-----END PGP SIGNATURE-----

From mkettler at evi-inc.com Wed Feb 6 19:17:10 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Feb 6 19:17:41 2008
Subject: internal ip address
In-Reply-To: <47A9FE7A.8080308@vanderkooij.org>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org>
Message-ID: <47AA07B6.2090702@evi-inc.com>

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Denis Beauchemin wrote:
> | Alex,
> |
> | The IP addresses you use are non-routable. That means nobody can access
> | your computers from the internet because no router will allow them. So
> | don't worry about the whole world knowing about your internal IP
> addresses.
>
> Those were my thoughts exactly.

Being non-routable helps you from a perspective of hackers using the information to directly break in to your network. However, an attacker probably knows all of your routable IPs anyway, so really that's not the threat vector.

The problem, in some situations, is the information exposed can still be used for other purposes. ie: studying the network structure so they know where to go once they get in via some other method. By googling around for postings on email list archives, you can often generate a lot of information about the network structure. Such information can also be used to aid social engineering attacks by figuring out who works with who.

Of course, this isn't exactly a "hardcore" risk factor like an open dialin, but it is information that an attacker can make use of. Whether that matters to your situation or not depends on your threat model, but anyone who sees it as presenting no risk at all is clearly mistaken.
(ie: just because it is a trivial risk in the network of an ad agency, does not mean it's trivial in a financial organization where social engineering attacks are more likely.)

From uxbod at splatnix.net Wed Feb 6 19:28:10 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 6 19:28:37 2008
Subject: internal ip address
In-Reply-To: <47AA07B6.2090702@evi-inc.com>
Message-ID: <13410930.5221202326090168.JavaMail.root@office.splatnix.net>

Whether it be a 10 or 192 range I don't believe that private IP addresses give that much information away. I am more annoyed when companies use people's name as the workstation identifier eg. BOBSQUAREPANTS a quick G00gle and you get Mr B Squarepants CEO A Big Piggy Bank! Makes a nice target once on the network, or as Matt said some simple social engineering. Most of it is common sense, but how often do we see not much of that in IT ;)

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Matt Kettler" wrote:
> Hugo van der Kooij wrote:

From pascal.maes at elec.ucl.ac.be Wed Feb 6 19:53:21 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Wed Feb 6 19:53:43 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <20080205133207.60cad375@scorpio>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <20080205133207.60cad375@scorpio>
Message-ID:

On 05 Feb 08 at 19:32, Gerard wrote:

> On Tue, 5 Feb 2008 14:18:07 +0100
> Pascal Maes wrote:
>
> [snip]
>
>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
>> posted on the postfix list also) ?
>
> Guess I am going to have to keep up with the Postfix forum to see how
> this turns out. Somehow I think it is going to be futile.
>

You exaggerate a little bit ;-)

Of course I get a remark but also the solution :

> Pascal Maes wrote:
>> The question is
>> Even with the option, smtpd_authorized_xforward_hosts, the first
>> "Received" is always the localhost.
>> That's a problem as we (MailScanner) can't use black or white
>> listing based on the IP address of the client.
>> A solution ?
>
> Use a header_checks rule with IGNORE to remove the offending line
> from the queue file.
>
> Note that MailScanner is known to not work reliably with postfix and
> is therefore not recommended or supported here.

The header_check is now :

/^Received: .* \[127\.0\.0\.1\]/ IGNORE
/^Received:/ HOLD

and it works.
--
Pascal

From mkettler at evi-inc.com Wed Feb 6 20:00:34 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Feb 6 20:00:58 2008
Subject: internal ip address
In-Reply-To: <13410930.5221202326090168.JavaMail.root@office.splatnix.net>
References: <13410930.5221202326090168.JavaMail.root@office.splatnix.net>
Message-ID: <47AA11E2.9090800@evi-inc.com>

--[ UxBoD ]-- wrote:
> Whether it be a 10 or 192 range I don't believe that private IP addresses give that much information away.

Really?

Do you vlan? Do you vlan based on department, building floor, or other useful locality? Most large networks do.

You find out that lead sales guy x works in a particular office, then find an email from him archived somewhere.. then look for others in the same company with similar IP ranges... you now know a list of people that work together, and where they work. Lather, rinse, repeat.

It's really not that hard once you realize most networks are logically structured. You're just leveraging lots of little bits of information to create a larger picture. This isn't really much different than what your average private investigator does when digging through public records.

It takes time to study this kind of thing, but again, what's your threat level? Also consider kids (ie: those in school/college) have time in abundance, and are your most common hackers. Consider your competitors, they may not break in, but studying your business may be useful to them in trying to out-compete you.

From lists at sequestered.net Wed Feb 6 20:14:41 2008
From: lists at sequestered.net (Jay Chandler)
Date: Wed Feb 6 20:14:54 2008
Subject: Definite Fraud?
Message-ID: <47AA1531.4040205@sequestered.net>

I'm sure this has been rehashed before, but...

*MailScanner has detected definite fraud in the website at "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah

Obviously it's detecting the 301 redirect, but that doesn't necessarily bespeak fraud.
There are a lot of non-fraudulent things that it could be, ranging from shock pictures to Rick Rolls to incredibly long URLs.

Has anyone discussed changing the wording here?

--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: Your mail is being routed through Germany... and they're censoring us

From hvdkooij at vanderkooij.org Wed Feb 6 20:15:38 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Feb 6 20:16:24 2008
Subject: internal ip address
In-Reply-To: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com>
References: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com>
Message-ID: <47AA156A.305@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

alexbo@myself.com wrote:
| I supposed what you wrote; is there at least a way to replace ip address (the one between square brackets) with my mail server public ip ?
| I asked for help in this list since seems to me that Postfix is tricked by MailScanner, i.e. header_checks is used with "hold" policy so other remedies can't apply.
| Forgive me if these are trivial tasks but I'm not an Administrator (with the capital A), so if there are clues for my issue I'd humbly ask for let me know them.

Hmmm. One wonders why someone using outblaze.com would even wonder about such questions.

But you can do this in postfix if you combine the tips. See also: http://www.google.nl/search?q=postfix+strip+received

If you still want to combine this with the HOLD function for outbound email then things might get a bit more tricky.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHqhVnBvzDRVjxmYERAsENAKCtL6cC1oBvdJ4gHu2T2wMJHbDECQCdHS9r
xpNKJLafJ2C7ZPFSG21mRmk=
=WqTn
-----END PGP SIGNATURE-----

From uxbod at splatnix.net Wed Feb 6 20:19:11 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 6 20:20:19 2008
Subject: internal ip address
In-Reply-To: <16271973.5291202329076958.JavaMail.root@office.splatnix.net>
Message-ID: <13317001.5311202329151779.JavaMail.root@office.splatnix.net>

You're not wrong Matt, but what concerns me more is MTAs that give away their identity with respect to what software they are running. It becomes easier to attack as potential vulnerabilities are easier to find. It also depends on what somebody's objective is as well, do you target an individual's PC or go after the cream a nice central data store.

Understanding and appreciating your threat level is very important, especially when trying to convince SOX auditors why certain things are not being done ;) Perhaps the ability to cloak certain information is not a bad thing, and I do take on board your comments, but how far do you go ? I do not believe that it would be too hard to write a MS plugin for stripping certain information ie. the clients IP address perhaps it should be added to the SMTP RFC ?

IMHO I would prefer to educate our staff on how easy social engineering can be undertaken to glean sensitive information from the company! and even stop staff from signing up to loads of different mailing lists and publishing their company email addresses all over the net.
Unfortunately management do not always see it the same way ;)

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From Kit at simplysites.co.uk Wed Feb 6 21:18:47 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Feb 6 21:19:04 2008
Subject: whitelist TO email addresses sent by users on the server
Message-ID:

Hi
I am not sure whether it's built into mailscanner or good practice, but is there a way of not scanning mail sent from addresses that users from the server has already sent to. A bit of a twister but eg

user on server sends to a@abc.com

a@abc.com then replies, surely a@abc.com should be a friend and that email should not really be scanned for spam......forever

Kit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080206/2d7f5748/attachment.html

From cotharyus at gmail.com Wed Feb 6 23:17:49 2008
From: cotharyus at gmail.com (Drew)
Date: Wed Feb 6 23:17:58 2008
Subject: Mailscanner segfaults on spamassassin lint test
Message-ID: <715841970802061517l812694bp74db41fe7b6aa401@mail.gmail.com>

Hello,
I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when running lint on spamassassin. Unfortunately, at this time the best (most informative) error I have is this, from the lint test through the mailwatch interface:

/libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol "PL_exit_flags"

I'm posting this here on a recommendation I got from a FreeBSD list. I've taken the following steps so far:

rebuilt perl and all perl modules.
made double sure all the right steps were taken after the perl upgrade.
rebuilt world

Perl version is 5.8.8

Thanks in advance for any assistance you folks can provide.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080206/7b5a221c/attachment.html

From ugob at lubik.ca Thu Feb 7 00:12:28 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Thu Feb 7 00:12:51 2008
Subject: whitelist TO email addresses sent by users on the server
In-Reply-To:
References:
Message-ID: <47AA4CEC.5030109@lubik.ca>

Kit Wong wrote:
> Hi
> I am not sure whether it's built into mailscanner or good practice, but
> is there a way of not scanning mail sent from addresses that users from
> the server has already sent to. A bit of a twister but eg
>
> user on server sends to a@abc.com
>
> a@abc.com then replies, surely a@abc.com
> should be a friend and that email should not really
> be scanned for spam......forever

Since e-mail addresses can be easily spoofed, it is not such a good idea. It is not possible to do that in MailScanner (for now).

Ugo

From hvdkooij at vanderkooij.org Thu Feb 7 06:39:12 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Feb 7 06:40:01 2008
Subject: Definite Fraud?
In-Reply-To: <47AA1531.4040205@sequestered.net>
References: <47AA1531.4040205@sequestered.net>
Message-ID: <47AAA790.2030908@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jay Chandler wrote:
| I'm sure this has been rehashed before, but...
|
|
| *MailScanner has detected definite fraud in the website at
| "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah
|
|
|
| Obviously it's detecting the 301 redirect, but that doesn't necessarily
| bespeak fraud. There are a lot of non-fraudulent things that it could
| be, ranging from shock pictures to Rick Rolls to incredibly long URLs.
|
| Has anyone discussed changing the wording here?

The 301 redirect is not considered. But as /blah is not identical to /2b514w there is an issue with an URL being hidden.

The wording of the message is in fact your job as an administrator. That is why the text is in separate language files. If you use templates without changes and accept them then that is your choice but in this case the wording is yours to change.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHqqeOBvzDRVjxmYERAibEAKCR81EoRtyyO9fZuSX4ytFAQ4mZcACfWLgN
Ab3Ovs5FhJD58zhe5+9ZecU=
=vEzq
-----END PGP SIGNATURE-----

From m.anderlini at database.it Thu Feb 7 08:53:31 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Thu Feb 7 08:53:50 2008
Subject: [OT] sendmail max msg e queue times process
In-Reply-To: <47A9FF08.7010704@vanderkooij.org>
References: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com><8652792.5011202306683195.JavaMail.root@office.splatnix.net> <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com><018e01c868de$6b162160$2e01a8c0@dbdomain.database.it> <47A9FF08.7010704@vanderkooij.org>
Message-ID: <01b801c86966$ea3a2940$2e01a8c0@dbdomain.database.it>

I beg your pardon, I was not aware of my mistake. Sorry again.

Marcello Anderlini wrote:
| This is a bit OT but I don't know where I can get help.

Try it with a fresh message. You have now hijacked another thread.

Perhaps you can try this yourself:
tar --with-feathers Marcello
;-)

Hugo.

- --

From pascal.maes at elec.ucl.ac.be Thu Feb 7 09:22:00 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Thu Feb 7 09:22:21 2008
Subject: Modification of ruleset files
Message-ID:

Hello,

I wonder if we need to restart MailScanner when a ruleset is modified ?

Thanks
--
Pascal

From martinh at solidstatelogic.com Thu Feb 7 09:33:27 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 09:33:42 2008
Subject: whitelist TO email addresses sent by users on the server
In-Reply-To:
Message-ID: <451c82e38abf4a43b0b038cc758004bd@solidstatelogic.com>

Kit

Take a look at the watermarking feature in recent release of MailScanner, this should do the job.

Whitelisting 'known' addresses can be fraught with danger.
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Kit Wong
> Sent: 06 February 2008 21:19
> To: mailscanner@lists.mailscanner.info
> Subject: whitelist TO email addresses sent by users on the server
>
> Hi
> I am not sure whether it's built into mailscanner or good practice, but is
> there a way of not scanning mail sent from addresses that users from the
> server has already sent to. A bit of a twister but eg
>
> user on server sends to a@abc.com
>
> a@abc.com then replies, surely a@abc.com should be a friend and that email
> should not really be scanned for spam......forever
>
>
> Kit

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From glenn.steen at gmail.com Thu Feb 7 09:39:49 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 09:39:59 2008
Subject: internal ip address
In-Reply-To: <47AA07B6.2090702@evi-inc.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com>
Message-ID: <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com>

On 06/02/2008, Matt Kettler wrote:
> Hugo van der Kooij wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Denis Beauchemin wrote:
> > | Alex,
> > |
> > | The IP addresses you use are non-routable. That means nobody can access
> > | your computers from the internet because no router will allow them. So
> > | don't worry about the whole world knowing about your internal IP
> > addresses.
> >
> > Those were my thoughts exactly.
>
> Being non-routable helps you from a perspective of hackers using the information
> to directly break in to your network. However, an attacker probably knows all of
> your routable IPs anyway, so really that's not the threat vector.
>
> The problem, in some situations, is the information exposed can still be used
> for other purposes. ie: studying the network structure so they know where to go
> once they get in via some other method. By googling around for postings on email
> list archives, you can often generate a lot of information about the network
> structure. Such information can also be used to aid social engineering attacks
> by figuring out who works with who.
>
> Of course, this isn't exactly a "hardcore" risk factor like an open dialin, but
> it is information that an attacker can make use of.
> Whether that matters to your
> situation or not depends on your threat model, but anyone who sees it as
> presenting no risk at all is clearly mistaken. (ie: just because it is a trivial
> risk in the network of an ad agency, does not mean it's trivial in a financial
> organization where social engineering attacks are more likely.)
>

Actually.... Since I do work in a .gov-ish financial organization.... I'd have to say I don't agree. Some VERY LARGE financial organizations have pretty shoddy network teams though, and in their cases... it really is relevant. You just can't make that generalization.

For the vast majority of organizations, this is a very minor threat, not worth breaking RFC... I'm not saying you're wrong, just that it is ... really minor... compared to a lot of other email-related threats:-)... Yes, you can counter with "your generalization is bigger than mine"... I know I do it too...:-)

On the whole, I see very little _real possibility_ of damages from this. It is a leakage, yes.... but negligible in most cases. that's MHO at least:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Thu Feb 7 09:39:47 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 09:40:07 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802061517l812694bp74db41fe7b6aa401@mail.gmail.com>
Message-ID: <60954af142962d4497dcddb3f77ca8ba@solidstatelogic.com>

Drew

Nice to see you here...

What happens when you..
MailScanner --debug --debug-SA -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Drew > Sent: 06 February 2008 23:18 > To: mailscanner@lists.mailscanner.info > Subject: Mailscanner segfaults on spamassassin lint test > > Hello, > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when > running lint on spamassassin. Unfortunately, at this time the best (most > informative) error I have is this, from the lint test through the > mailwatch interface: > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol > "PL_exit_flags" > > I'm posting this here on a recommendation I got from a FreeBSD list. I've > taken the following steps so far: > > rebuilt perl and all perl modules. > made double sure all the right steps were taken after the perl upgrade. > rebuilt world > > Perl version is 5.8.8 > > Thanks in advance for any assistance you folks can provide. ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From glenn.steen at gmail.com Thu Feb 7 09:46:09 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 09:46:19 2008
Subject: internal ip address
In-Reply-To: <13410930.5221202326090168.JavaMail.root@office.splatnix.net>
References: <47AA07B6.2090702@evi-inc.com> <13410930.5221202326090168.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700802070146o123e1234pf99e837267bb1e90@mail.gmail.com>

On 06/02/2008, --[ UxBoD ]-- wrote:
> Whether it be a 10 or 192 range I don't believe that private IP addresses give that much information away. I am more annoyed when companies use people's name as the workstation identifier eg. BOBSQUAREPANTS a quick G00gle and you get Mr B Squarepants CEO A Big Piggy Bank! Makes a nice target once on the network, or as Matt said some simple social engineering. Most of it is common sense, but how often do we see not much of that in IT ;)
>
> Regards,
>

Indeed! And the abomination of naming servers from function... Ok, so
oracle01.example.net does something... I wonder what....:-).
Anyway, those two things... A) getting at a person/persons comp, and
B) having a very clear target (due to naming conventions etc... are so
much more usable than the info leaked in a Received line.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From t.d.lee at durham.ac.uk Thu Feb 7 09:48:24 2008
From: t.d.lee at durham.ac.uk (David Lee)
Date: Thu Feb 7 09:48:51 2008
Subject: MS/Solaris installation buglets
Message-ID:

Julian: to report a couple of Solaris MS (4.66.5) installation buglets.

1. MakeMaker requires a release of File::Spec which may be more recent
   than that native in the OS. You already distribute a good File::Spec.
   Solution: Re-order the installation to do File::Spec before MakeMaker.
   (Tested: it works.)

2. MakeMaker build reports "Can't locate Pod/Man.pm in @INC...". Might
   these need something like "Pod::Man" adding to the list of modules you
   distribute?

There may be more waiting for later, but I'm suspending work on this
attempted installation at present so we can decide the best approach.
I'd be happy to try to beta-test things for you.

Best wishes.

--
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: UNIX Team Leader Durham University :
: South Road :
: http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :

From glenn.steen at gmail.com Thu Feb 7 09:50:26 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 09:50:37 2008
Subject: internal ip address
In-Reply-To: <47AA11E2.9090800@evi-inc.com>
References: <13410930.5221202326090168.JavaMail.root@office.splatnix.net> <47AA11E2.9090800@evi-inc.com>
Message-ID: <223f97700802070150y5eeb6213rdd69680971d6a953@mail.gmail.com>

On 06/02/2008, Matt Kettler wrote:
> --[ UxBoD ]-- wrote:
> > Whether it be a 10 or 192 range I don't believe that private IP addresses give that much information away.
>
> Really?
>
> Do you vlan? Do you vlan based on department, building floor, or other useful
> locality? Most large networks do.

Subnetting? where did you get that mask you needed to make the base
assumption? Nowhere...

> You find out that lead sales guy x works in a particular office, then find an
> email from him archived somewhere.. then look for others in the same company
> with similar IP ranges... you now know a list of people that work together, and
> where they work. Lather, rinse, repeat.
>
> It's really not that hard once you realize most networks are logically
> structured. You're just leveraging lots of little bits of information to create
> a larger picture. This isn't really much different than what your average
> private investigator does when digging through public records.
>
> It takes time to study this kind of thing, but again, what's your threat level?
> Also consider kids (ie: those in school/college) have time in abundance, and are
> your most common hackers. Consider your competitors, they may not break in, but
> studying your business may be useful to them in trying to out-compete you.
>

'Cmon, the kids seldom know their way out of their behinds.... It's the
guys and gals making a living of this that would likely make a
dedicated effort like that.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From shuttlebox at gmail.com Thu Feb 7 09:51:32 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Feb 7 09:51:42 2008
Subject: Modification of ruleset files
In-Reply-To:
References:
Message-ID: <625385e30802070151y7afc7e40r579f37cb7e314cb5@mail.gmail.com>

On Feb 7, 2008 10:22 AM, Pascal Maes wrote:
> Hello,
>
>
> I wonder if we need to restart MailScanner when a ruleset is modified ?

No, a reload is sufficient.

--
/peter

From glenn.steen at gmail.com Thu Feb 7 10:21:31 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 10:21:42 2008
Subject: whitelist TO email addresses sent by users on the server
In-Reply-To: <451c82e38abf4a43b0b038cc758004bd@solidstatelogic.com>
References: <451c82e38abf4a43b0b038cc758004bd@solidstatelogic.com>
Message-ID: <223f97700802070221v6147c180j7c4cb94cfce9d4e4@mail.gmail.com>

On 07/02/2008, Martin.Hepworth wrote:
> Kit
>
> Take a look at the watermarking feature in recent release of MailScanner, this should do the job.

Would only work for replies though, unless one does really silly hoops
in a CustomFunction.

> Whitelisting 'known' addresses can be fraught with danger.
>

Amen!

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From cotharyus at gmail.com Thu Feb 7 10:35:20 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 10:35:30 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <60954af142962d4497dcddb3f77ca8ba@solidstatelogic.com>
References: <715841970802061517l812694bp74db41fe7b6aa401@mail.gmail.com> <60954af142962d4497dcddb3f77ca8ba@solidstatelogic.com>
Message-ID: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com>

On Feb 7, 2008 3:39 AM, Martin.Hepworth wrote:
> Drew
>
> Nice to see you here...
>
> What happens when you..
>
> MailScanner --debug --debug-SA
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Drew
> > Sent: 06 February 2008 23:18
> > To: mailscanner@lists.mailscanner.info
> > Subject: Mailscanner segfaults on spamassassin lint test
> >
> > Hello,
> > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> > running lint on spamassassin.
> > Unfortunately, at this time the best (most
> > informative) error I have is this, from the lint test through the
> > mailwatch interface:
> >
> > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol
> > "PL_exit_flags"
> >
> > I'm posting this here on a recommendation I got from a FreeBSD list. I've
> > taken the following steps so far:
> >
> > rebuilt perl and all perl modules.
> > made double sure all the right steps were taken after the perl upgrade.
> > rebuilt world
> >
> > Perl version is 5.8.8
> >
> > Thanks in advance for any assistance you folks can provide.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

Hi Martin,

root@colossus(/usr)# mailscanner --debug --debug-SA
In Debugging mode, not forking...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
zsh: segmentation fault mailscanner --debug --debug-SA

From ja at conviator.com Thu Feb 7 10:49:12 2008
From: ja at conviator.com (Jan Agermose)
Date: Thu Feb 7 10:49:31 2008
Subject: whitelist / sbl-xbl.spamhaus.org
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E034E36A1@mail-17ps.atlarge.net>

Hi

I'm running Mailscanner and using sbl-xbl.spamhaus.org as part of the
sendmail setup. Is it somehow possible to whitelist an IP listed in the
spamhaus database - until the issue is resolved? I'm sure they are listed
for a reason :-) my problem is that the mails they are sending to us are
important and non-spam.

Best regards
Jan

From prandal at herefordshire.gov.uk Thu Feb 7 11:18:43 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Feb 7 11:19:00 2008
Subject: whitelist / sbl-xbl.spamhaus.org
In-Reply-To: <6B59FCF2EFD0334A8147A1BB463F111E034E36A1@mail-17ps.atlarge.net>
References: <6B59FCF2EFD0334A8147A1BB463F111E034E36A1@mail-17ps.atlarge.net>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA02EED968@HC-MBX02.herefordshire.gov.uk>

It's easy.

In sendmail's /etc/mail/access put

Connect:a.b.c.d OK

where a.b.c.d is the IP address you wish to allow.

And then do a

make -C /etc/mail

to rebuild /etc/mail/access.db

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Agermose
Sent: 07 February 2008 10:49
To: mailscanner@lists.mailscanner.info
Subject: whitelist / sbl-xbl.spamhaus.org

Hi

I'm running Mailscanner and using sbl-xbl.spamhaus.org as part of the
sendmail setup. Is it somehow possible to whitelist an IP listed in the
spamhaus database - until the issue is resolved? I'm sure they are listed
for a reason :-) my problem is that the mails they are sending to us are
important and non-spam.

Best regards
Jan

From cde at alunys.com Thu Feb 7 15:39:26 2008
From: cde at alunys.com (Cedric Devillers)
Date: Thu Feb 7 15:40:27 2008
Subject: Mailscanner generated duplicate message
Message-ID: <47AB262E.6070808@alunys.com>

Hello,

I'm trying to revive this thread from the last month because we are
observing the exact same behavior on one of our servers.

So to remember the facts :

- We are using mailscanner with postfix, and duplicated messages are
  generated by mailscanner.
- This system is the only one where we are observing this behavior. It
  has a little particularity : it mainly acts as a mail relay, but
  sometimes many mails are generated by the server itself (a script) and
  injected in postfix queues via sendmail command. We can always reproduce
  some duplicated messages with this script.
- MailScanner is configured (by ruleset) to bypass scanning for those
  messages, but they are still entering the mailscanner logic (postfix ->
  hold queue -> mailscanner (no scan) -> active queue).
- Mailwatch is running on this server, and for each duplicate we see
  entries with null size body (2, 3, 4, sometimes 5) then at last a final
  entry with the full body. Note that the recipient sees the full body on
  every duplicate.

It looks like a locking problem, because all duplicates are with the
same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy,
ID.zzzz, etc).

Can it be possible that a mailscanner child "fail" to lock some queue
file when message is marked not to be scanned by mailscanner ?

I will not be very helpful to debug perl code, but I can provide any
needed logs to help finding the origin of the problem.

This is really a serious problem in this particular installation.
But I must say that we have dozens of other servers that are running
mailscanner/postfix, and we are very happy about them :)

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From rcastilloramos at yahoo.es Thu Feb 7 15:53:03 2008
From: rcastilloramos at yahoo.es (roberto martin castillo ramos)
Date: Thu Feb 7 15:53:13 2008
Subject: installation Mailscanner into Centos5
Message-ID: <629494.89189.qm@web36402.mail.mud.yahoo.com>

Hello,

I am from Lima, Peru and I need your help please, I have installed a mail
server into Centos5 and I can not install Mailscanner, from
http://www.mailscanner.info/downloads.html#stable I used several
installers and I execute the version 4.67.3(./ install.sh) and into /opt
I saw the folder Mailscanner4.67.3 and I made the configuration to my
Mailscanner.conf

But when I execute chkconfig Mailscanner on I see an error message:
Mailscanner is not installed

Please could you help me, I can not install Mailscanner into Centos 5
is there a package for mailscanner to install into Centos5???

thanks

From mkettler at evi-inc.com Thu Feb 7 15:53:18 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Feb 7 15:53:39 2008
Subject: whitelist / sbl-xbl.spamhaus.org
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA02EED968@HC-MBX02.herefordshire.gov.uk>
References: <6B59FCF2EFD0334A8147A1BB463F111E034E36A1@mail-17ps.atlarge.net> <7EF0EE5CB3B263488C8C18823239BEBA02EED968@HC-MBX02.herefordshire.gov.uk>
Message-ID: <47AB296E.5080703@evi-inc.com>

Randal, Phil wrote:
> It's easy.
>
> In sendmail's /etc/mail/access put
>
> Connect:a.b.c.d OK
>
> where a.b.c.d is the IP address you wish to allow.
>
> And then do a
>
> make -C /etc/mail
>
> to rebuild /etc/mail/access.db
>
> Cheers,

That will work, if they're using spamhaus at the MTA layer. But it won't
help if it's in MailScanner or SpamAssassin.

Jan, where in your mailsystem are you applying spamhaus that it's causing
a problem?

If it's being rejected by sendmail, the above should work great.

If it's at the spamassassin level, you can "hack fix" it by adding this to
your trusted_networks. However, beware that if you don't have any
trusted_networks set, declaring one will disable the auto-guesser and
you'll have to set this completely.

If it's at the MailScanner level, you can probably use the
spam.whitelist.rules. (this would also prevent SA from causing it to be
tagged)

From bpirie at rma.edu Thu Feb 7 15:59:40 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Feb 7 15:59:57 2008
Subject: installation Mailscanner into Centos5
In-Reply-To: <629494.89189.qm@web36402.mail.mud.yahoo.com>
References: <629494.89189.qm@web36402.mail.mud.yahoo.com>
Message-ID: <47AB2AEC.5040607@rma.edu>

You have installed the wrong package. If you're running CentOS and want
the stable release, you should have used

# Version 4.66.5-3 for RedHat, Fedora and Mandrake Linux (and other RPM-based Linux Distributions)

CentOS is built from RedHat sources, so this is the correct package for
your system. If you want the beta release, you should have used

# Version 4.67.3-1 for RedHat, Fedora and Mandrake Linux (and other RPM-based Linux distributions)

Neither of these packages will install anything in /opt

You may also want to install

ClamAV 0.92 and SpamAssassin 3.2.4 easy installation package (incl.
SA patch 5589)

Brendan

roberto martin castillo ramos wrote:
> Hello,
>
> I am from Lima, Peru and I need your help please, I have installed a mail
> server into Centos5 and I can not install Mailscanner, from
> http://www.mailscanner.info/downloads.html#stable I used several
> installers and I execute the version 4.67.3(./ install.sh) and into /opt
> I saw the folder Mailscanner4.67.3 and I made the configuration to my
> Mailscanner.conf
>
> But when I execute chkconfig Mailscanner on I see an error message:
> Mailscanner is not installed
>
> Please could you help me, I can not install Mailscanner into Centos 5
> is there a package for mailscanner to install into Centos5???
>
> thanks

From martinh at solidstatelogic.com Thu Feb 7 16:01:31 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 16:02:10 2008
Subject: installation Mailscanner into Centos5
In-Reply-To: <629494.89189.qm@web36402.mail.mud.yahoo.com>
Message-ID: <10e6b0980c4a914c96e96452661d14dd@solidstatelogic.com>

Roberto

Use the RPM based installer for Centos.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of roberto martin castillo ramos
> Sent: 07 February 2008 15:53
> To: mailscanner@lists.mailscanner.info
> Subject: installation Mailscanner into Centos5
>
> Hello,
>
> I am from Lima, Peru and I need your help please, I have installed a mail
> server into Centos5 and I can not install Mailscanner, from
> http://www.mailscanner.info/downloads.html#stable I used several
> installers and I execute the version 4.67.3(./ install.sh) and into /opt I
> saw the folder Mailscanner4.67.3 and I made the configuration to my
> Mailscanner.conf
>
> But when I execute chkconfig Mailscanner on I see an error message:
> Mailscanner is not installed
>
> Please could you help me, I can not install Mailscanner into Centos 5
> is there a package for mailscanner to install into Centos5???
>
> thanks

From martinh at solidstatelogic.com Thu Feb 7 16:05:49 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 16:06:05 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com>
Message-ID: <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com>

Drew

How did you install SA etc, I can't remember what you said on the freebsd list.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Drew
> Sent: 07 February 2008 10:35
> To: MailScanner discussion
> Subject: Re: Mailscanner segfaults on spamassassin lint test
>
> On Feb 7, 2008 3:39 AM, Martin.Hepworth wrote:
>
> Drew
>
> Nice to see you here...
>
> What happens when you..
>
> MailScanner --debug --debug-SA
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Drew
> > Sent: 06 February 2008 23:18
> > To: mailscanner@lists.mailscanner.info
> > Subject: Mailscanner segfaults on spamassassin lint test
> >
> > Hello,
> > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> > running lint on spamassassin.
> > Unfortunately, at this time the best (most
> > informative) error I have is this, from the lint test through the
> > mailwatch interface:
> >
> > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol
> > "PL_exit_flags"
> >
> > I'm posting this here on a recommendation I got from a FreeBSD list. I've
> > taken the following steps so far:
> >
> > rebuilt perl and all perl modules.
> > made double sure all the right steps were taken after the perl upgrade.
> > rebuilt world
> >
> > Perl version is 5.8.8
> >
> > Thanks in advance for any assistance you folks can provide.
>
> Hi Martin,
>
> root@colossus(/usr)# mailscanner --debug --debug-SA
> In Debugging mode, not forking...
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> zsh: segmentation fault mailscanner --debug --debug-SA

From v at vladville.com Thu Feb 7 16:10:22 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 16:10:33 2008
Subject: Skipping SpamAssassin if sender is on an RBL
Message-ID:

Is there any way to skip/bypass the SA check (and the resources it takes
up) and store spam in the quarantine automatically if the sender is on an
RBL?

I'm looking over my stats over the past few days and can't help but see
that SA resources are wasted on the senders that are on RBLs but we still
have to keep them for that one out of a million SPAMs that someone will
eventually consider critical :(

-Vlad

From mkettler at evi-inc.com Thu Feb 7 16:09:39 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Feb 7 16:10:35 2008
Subject: [ot] internal ip address
In-Reply-To: <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com>
Message-ID: <47AB2D43.9020700@evi-inc.com>

Glenn Steen wrote:
> For the
> vast majority of organizations, this is a very minor threat, not worth
> breaking RFC...

Like.. gmail?

Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14

Actually, AFAIK, that doesn't actually violate the RFCs.. you MUST add a
Received: header, but I don't see anything in 2821/2822/1123 requiring you
to add a from clause.

> I'm not saying you're wrong, just that it is ... really minor...
> compared to a lot of other email-related threats:-)... Yes, you can
> counter with "your generalization is bigger than mine"... I know I do
> it too...:-)
>
> On the whole, I see very little _real possibility_ of damages from this.
> It is a leakage, yes.... but negligible in most cases. that's MHO at least:-).

I would agree in most cases it is very minor or negligible. I never said
this applied to most, or even very many people.

My only point was the "if it's unroutable, you can't hack it" argument
isn't a very complete view of network security.

From cotharyus at gmail.com Thu Feb 7 16:11:42 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 16:11:57 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com>
Message-ID: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>

Everything was installed from ports except for MailWatch, which really
doesn't play into this except that the lint test from Mailwatch is where
the only informative error seems to be coming from.

On Feb 7, 2008 10:05 AM, Martin.Hepworth wrote:
> Drew
>
> How did you install SA etc, I can't remember what you said on the freebsd
> list.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Drew
> > Sent: 07 February 2008 10:35
> > To: MailScanner discussion
> > Subject: Re: Mailscanner segfaults on spamassassin lint test
> >
> > On Feb 7, 2008 3:39 AM, Martin.Hepworth wrote:
> >
> > Drew
> >
> > Nice to see you here...
> >
> > What happens when you..
> >
> > MailScanner --debug --debug-SA
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > > bounces@lists.mailscanner.info] On Behalf Of Drew
> > > Sent: 06 February 2008 23:18
> > > To: mailscanner@lists.mailscanner.info
> > > Subject: Mailscanner segfaults on spamassassin lint test
> > >
> > > Hello,
> > > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> > > running lint on spamassassin. Unfortunately, at this time the best (most
> > > informative) error I have is this, from the lint test through the
> > > mailwatch interface:
> > >
> > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol
> > > "PL_exit_flags"
> > >
> > > I'm posting this here on a recommendation I got from a FreeBSD list. I've
> > > taken the following steps so far:
> > >
> > > rebuilt perl and all perl modules.
> > > made double sure all the right steps were taken after the perl upgrade.
> > > rebuilt world
> > >
> > > Perl version is 5.8.8
> > >
> > > Thanks in advance for any assistance you folks can provide.
> >
> > Hi Martin,
> >
> > root@colossus(/usr)# mailscanner --debug --debug-SA
> > In Debugging mode, not forking...
> > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > zsh: segmentation fault mailscanner --debug --debug-SA

From Denis.Beauchemin at usherbrooke.ca Thu Feb 7 16:21:26 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Thu Feb 7 16:22:14 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References:
Message-ID: <47AB3006.2010303@USherbrooke.ca>

Vlad Mazek wrote:
> Is there any way to skip/bypass the SA check (and the resources it
> takes up) and store spam in the quarantine automatically if the sender
> is on an RBL?
>
> I'm looking over my stats over the past few days and can't help but
> see that SA resources are wasted on the senders that are on RBLs but
> we still have to keep them for that one out of a million SPAMs that
> someone will eventually consider critical :(
>
> -Vlad

Vlad,

Personally, I do RBL checks at the MTA level and in SA but none in MS.
I also run a caching-nameserver. That way I don't waste many resources.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From v at vladville.com Thu Feb 7 16:33:48 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 16:33:59 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AB3006.2010303@USherbrooke.ca>
References: <47AB3006.2010303@USherbrooke.ca>
Message-ID:

RBL check at the MTA wouldn't store the messages in the MailScanner
quarantines...

-Vlad

On 2/7/08, Denis Beauchemin wrote:
>
> Vlad Mazek wrote:
> > Is there any way to skip/bypass the SA check (and the resources it
> > takes up) and store spam in the quarantine automatically if the sender
> > is on an RBL?
> >
> > I'm looking over my stats over the past few days and can't help but
> > see that SA resources are wasted on the senders that are on RBLs but
> > we still have to keep them for that one out of a million SPAMs that
> > someone will eventually consider critical :(
> >
> > -Vlad
>
> Vlad,
>
> Personally, I do RBL checks at the MTA level and in SA but none in MS.
> I also run a caching-nameserver. That way I don't waste many resources.
>
> Denis
>
> --
>   _
>  °v°   Denis Beauchemin, analyst
> /(_)\  Université de Sherbrooke, S.T.I.
>  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

--
-Vlad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/4338e3b8/attachment.html

From richard.frovarp at sendit.nodak.edu Thu Feb 7 16:39:45 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Feb 7 16:39:55 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca>
Message-ID: <47AB3451.2060500@sendit.nodak.edu>

Vlad Mazek wrote:
> RBL check at the MTA wouldn't store the messages in the MailScanner
> quarantines...
>
> -Vlad

No, it would bounce back to sender so they know they have a problem.

Check out Spam Lists To Be Spam. Or Spam Lists To Reach High Score
depending on how your actions are. That should do the trick.

From v at vladville.com Thu Feb 7 16:59:57 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 17:00:07 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AB3451.2060500@sendit.nodak.edu>
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu>
Message-ID:

So how does a message that gets hit by Spam Lists To Be Spam bypass
spamassassin checks in MailScanner?

-Vlad

On 2/7/08, Richard Frovarp wrote:
>
> Vlad Mazek wrote:
> > RBL check at the MTA wouldn't store the messages in the MailScanner
> > quarantines...
> >
> > -Vlad
>
> No, it would bounce back to sender so they know they have a problem.
>
> Check out Spam Lists To Be Spam. Or Spam Lists To Reach High Score
> depending on how your actions are. That should do the trick.

--
-Vlad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/1317f362/attachment.html

From martinh at solidstatelogic.com Thu Feb 7 17:08:07 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 17:08:25 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
Message-ID:

Drew

Hmmmm

What does "MailScanner -v" give ya???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> Sent: 07 February 2008 16:12
> To: MailScanner discussion
> Subject: Re: Mailscanner segfaults on spamassassin lint test
>
> Everything was installed from ports except for MailWatch, which really
> doesn't play into this except that the lint test from Mailwatch is where
> the only informative error seems to be coming from.
>
> On Feb 7, 2008 10:05 AM, Martin.Hepworth wrote:
>
> Drew
>
> How did you install SA etc, I can't remember what you said on the
> freebsd list.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > Sent: 07 February 2008 10:35
> > To: MailScanner discussion
> > Subject: Re: Mailscanner segfaults on spamassassin lint test
> >
> > On Feb 7, 2008 3:39 AM, Martin.Hepworth wrote:
> >
> > Drew
> >
> > Nice to see you here...
> >
> > What happen when you..
> >
> > MailScanner --debug --debug-SA
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info
> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > > Sent: 06 February 2008 23:18
> > > To: mailscanner@lists.mailscanner.info
> > > Subject: Mailscanner segfaults on spamassassin lint test
> > >
> > > Hello,
> > > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> > > running lint on spamassassin. Unfortunately, at this time the best (most
> > > informative) error I have is this, from the lint test through the
> > > mailwatch interface:
> > >
> > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol
> > > "PL_exit_flags"
> > >
> > > I'm posting this here on a recommendation I got from a FreeBSD list. I've
> > > taken the following steps so far:
> > >
> > > rebuilt perl and all perl modules.
> > > made double sure all the right steps were taken after the perl upgrade.
> > > rebuilt world
> > >
> > > Perl version is 5.8.8
> > >
> > > Thanks in advance for any assistance you folks can provide.
> >
> > Hi Martin,
> >
> > root@colossus(/usr)# mailscanner --debug --debug-SA
> > In Debugging mode, not forking...
> > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > zsh: segmentation fault mailscanner --debug --debug-SA

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From dyioulos at firstbhph.com Thu Feb 7 17:23:36 2008
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Thu Feb 7 17:23:53 2008
Subject: installation Mailscanner into Centos5
In-Reply-To: <629494.89189.qm@web36402.mail.mud.yahoo.com>
References: <629494.89189.qm@web36402.mail.mud.yahoo.com>
Message-ID: <200802071223.37072.dyioulos@firstbhph.com>

On Thursday 07 February 2008 10:53 am, roberto martin castillo ramos wrote:
> Hello,
>
> I am from Lima, Peru and I need your help please. I have installed a mail
> server into Centos5 and I can not install Mailscanner. From
> http://www.mailscanner.info/downloads.html#stable I used several installers
> and I executed the version 4.67.3 (./ install.sh) and in /opt I saw the
> folder Mailscanner4.67.3 and I made the configuration to my
> Mailscanner.conf
>
> But when I execute chkconfig Mailscanner on I see an error message:
> Mailscanner is not installed
>
> Please could you help me, I can not install Mailscanner into Centos 5.
> Is there a package for mailscanner to install into Centos5???
>
> thanks

Assuming you installed with the RPM version of MailScanner, try "rpm -q
mailscanner" (N.B. not Mailscanner with a capital M. That will return a
"not installed") to see if your installation was successful. Then, perhaps
try and start MailScanner with "service MailScanner start" (again, not that
M in Mail and S in Scanner are capitalized).

Finally, I think you'd do a "checkconfig --level 345 MailScanner on" (once
again, watch the capitalization of MailScanner.)
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dyioulos at firstbhph.com Thu Feb 7 17:43:17 2008
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Thu Feb 7 17:43:38 2008
Subject: installation Mailscanner into Centos5
In-Reply-To: <200802071223.37072.dyioulos@firstbhph.com>
References: <629494.89189.qm@web36402.mail.mud.yahoo.com> <200802071223.37072.dyioulos@firstbhph.com>
Message-ID: <200802071243.18054.dyioulos@firstbhph.com>

On Thursday 07 February 2008 12:23 pm, Dimitri Yioulos wrote:
> On Thursday 07 February 2008 10:53 am, roberto martin castillo ramos wrote:
> > Hello,
> >
> > I am from Lima, Peru and I need your help please. I have installed a
> > mail server into Centos5 and I can not install Mailscanner. From
> > http://www.mailscanner.info/downloads.html#stable I used several
> > installers and I executed the version 4.67.3 (./ install.sh) and in /opt
> > I saw the folder Mailscanner4.67.3 and I made the configuration to my
> > Mailscanner.conf
> >
> > But when I execute chkconfig Mailscanner on I see an error message:
> > Mailscanner is not installed
> >
> > Please could you help me, I can not install Mailscanner into Centos 5.
> > Is there a package for mailscanner to install into Centos5???
> >
> > thanks

Oops, a couple of corrections are in order (see in-line):

> Assuming you installed with the RPM version of MailScanner, try "rpm -q
> mailscanner" (N.B. not Mailscanner with a capital M. That will return a
> "not installed") to see if your installation was successful. Then, perhaps
> try and start MailScanner with "service MailScanner start" (again, not that
> M in Mail and S in Scanner are capitalized).

Note that M in Mail and S in Scanner are capitalized.
> Finally, I think you'd do a "checkconfig --level 345 MailScanner on" (once
> again, watch the capitalization of MailScanner.)

"chkconfig --level 345 MailScanner on"

Sorry about that.

From richard.frovarp at sendit.nodak.edu Thu Feb 7 17:46:29 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Feb 7 17:46:39 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu>
Message-ID: <47AB43F5.9030004@sendit.nodak.edu>

Vlad Mazek wrote:
> So how does a message that gets hit by Spam Lists To Be Spam bypass
> spamassassin checks in MailScanner?
>
> -Vlad

If spam and high scoring spam have the same actions, I think it will
bypass. Or if you just set it to be high scoring spam, it will take that
action.

From gerard at seibercom.net Thu Feb 7 18:20:37 2008
From: gerard at seibercom.net (Gerard)
Date: Thu Feb 7 18:21:06 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
Message-ID: <20080207132037.6e0f17ae@scorpio>

On Thu, 7 Feb 2008 10:11:42 -0600
Drew wrote:

> Everything was installed from ports except for MailWatch, which really
> doesn't play into this except that the lint test from Mailwatch is
> where the only informative error seems to be coming from.

And what would lead you to that conclusion?

--
Gerard
gerard@seibercom.net

We'll cross that bridge when we come back to it later.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/a2990843/signature.bin

From cotharyus at gmail.com Thu Feb 7 18:45:10 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 19:10:09 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <20080207132037.6e0f17ae@scorpio>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio>
Message-ID: <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>

On Feb 7, 2008 12:20 PM, Gerard wrote:

> On Thu, 7 Feb 2008 10:11:42 -0600
> Drew wrote:
>
> > Everything was installed from ports except for MailWatch, which really
> > doesn't play into this except that the lint test from Mailwatch is
> > where the only informative error seems to be coming from.
>
> And what would lead you to that conclusion?
>

Mostly that this seems related to SA specifically, and as far as I know,
other than some logging preferences in the mailscanner config, mailwatch
doesn't have any real bearing on SA. Or have I deceived myself?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/4930d6c0/attachment.html

From cotharyus at gmail.com Thu Feb 7 18:43:09 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 19:13:53 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To:
References: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
Message-ID: <715841970802071043r4943c4dbmba6c4dbfbaeb46d8@mail.gmail.com>

On Feb 7, 2008 11:08 AM, Martin.Hepworth wrote:

> Drew
>
> Hmmmm
>
> What does "MailScanner -v" give ya???
>

root@colossus(~)# mailscanner -v
Running on
FreeBSD colossus.cotharyus.net 6.3-STABLE FreeBSD 6.3-STABLE #3: Sun Feb 3 14:31:40 CST 2008 lauasanf@colossus.cotharyus.net:/usr/obj/usr/src/sys/Colossus i386
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.64.3
Module versions are:
1.00    AnyDBM_File
1.23    Archive::Zip
1.04    Carp
1.119   Convert::BinHex
2.27    Date::Parse
1.00    DirHandle
1.05    Fcntl
2.74    File::Basename
2.09    File::Copy
2.01    FileHandle
1.08    File::Path
0.20    File::Temp
0.92    Filesys::Df
1.35    HTML::Entities
3.56    HTML::Parser
2.37    HTML::TokeParser
1.22    IO
1.13    IO::File
1.13    IO::Pipe
1.77    Mail::Header
1.87    Math::BigInt
3.07    MIME::Base64
5.425   MIME::Decoder
5.425   MIME::Decoder::UU
5.425   MIME::Head
5.425   MIME::Parser
3.07    MIME::QuotedPrint
5.425   MIME::Tools
0.11    Net::CIDR
1.09    POSIX
1.19    Scalar::Util
1.78    Socket
1.4     Sys::Hostname::Long
0.13    Sys::Syslog
1.9711  Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.38    Archive::Tar
0.17    bignum
missing Business::ISBN
missing Business::ISBN::Data
0.17    Convert::TNEF
missing Data::Dump
1.814   DB_File
1.14    DBD::SQLite
1.601   DBI
1.15    Digest
1.01    Digest::HMAC
2.36    Digest::MD5
2.11    Digest::SHA1
1.00    Encode::Detect
0.17009 Error
0.21    ExtUtils::CBuilder
2.18    ExtUtils::ParseXS
missing Inline
1.08    IO::String
1.07    IO::Zlib
2.23    IP::Country
missing Mail::ClamAV
3.002004 Mail::SpamAssassin
v2.004  Mail::SPF
1.999001 Mail::SPF::Query
0.15    Math::BigRat
0.2808  Module::Build
0.20    Net::CIDR::Lite
0.62    Net::DNS
v0.003  Net::DNS::Resolver::Programmable
missing Net::LDAP
4.007   NetAddr::IP
missing Parse::RecDescent
missing SAVI
3.07    Test::Harness
missing Test::Manifest
1.95    Text::Balanced
1.35    URI
0.74    version
0.66    YAML

> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > Sent: 07 February 2008 16:12
> > To: MailScanner discussion
> > Subject: Re: Mailscanner segfaults on spamassassin lint test
> >
> > Everything was installed from ports except for MailWatch, which really
> > doesn't play into this except that the lint test from Mailwatch is where
> > the only informative error seems to be coming from.
> >
> > On Feb 7, 2008 10:05 AM, Martin.Hepworth wrote:
> >
> > Drew
> >
> > How did you install SA etc, I can't remember what you said on the
> > freebsd list.
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info
> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > > Sent: 07 February 2008 10:35
> > > To: MailScanner discussion
> > > Subject: Re: Mailscanner segfaults on spamassassin lint test
> > >
> > > On Feb 7, 2008 3:39 AM, Martin.Hepworth wrote:
> > >
> > > Drew
> > >
> > > Nice to see you here...
> > >
> > > What happen when you..
> > >
> > > MailScanner --debug --debug-SA
> > >
> > > --
> > > Martin Hepworth
> > > Snr Systems Administrator
> > > Solid State Logic
> > > Tel: +44 (0)1865 842300
> > >
> > > > -----Original Message-----
> > > > From: mailscanner-bounces@lists.mailscanner.info
> > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > > > Sent: 06 February 2008 23:18
> > > > To: mailscanner@lists.mailscanner.info
> > > > Subject: Mailscanner segfaults on spamassassin lint test
> > > >
> > > > Hello,
> > > > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> > > > running lint on spamassassin. Unfortunately, at this time the best (most
> > > > informative) error I have is this, from the lint test through the
> > > > mailwatch interface:
> > > >
> > > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol
> > > > "PL_exit_flags"
> > > >
> > > > I'm posting this here on a recommendation I got from a FreeBSD list. I've
> > > > taken the following steps so far:
> > > >
> > > > rebuilt perl and all perl modules.
> > > > made double sure all the right steps were taken after the perl upgrade.
> > > > rebuilt world
> > > >
> > > > Perl version is 5.8.8
> > > >
> > > > Thanks in advance for any assistance you folks can provide.
> > > > > > Red Lion 49 Ltd T/A Solid State Logic > > > Registered as a limited company in England and Wales > > > (Company No:5362730) > > > Registered Office: 25 Spring Hill Road, Begbroke, Oxford > OX5 > > 1RU, > > > United Kingdom > > > > > ******************************************************************** > > > ** > > > > > > -- > > > MailScanner mailing list > > > mailscanner@lists.mailscanner.info > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > > > Support MailScanner development - buy the book off the > > website! > > > > > > > > > Hi Martin, > > > > > > root@colossus(/usr)# mailscanner --debug --debug-SA > > > In Debugging mode, not forking... > > > SpamAssassin temp dir = > > /var/spool/MailScanner/incoming/SpamAssassin-Temp > > > zsh: segmentation fault mailscanner --debug --debug-SA > > > > > > > > > > > > > > > > > > > ******************************************************************** > > ** > > Confidentiality : This e-mail and any attachments are intended for > > the > > addressee only and may be confidential. If they come to you in > error > > you must take no action based on them, nor must you copy or show > > them > > to anyone. Please advise the sender by replying to this e-mail > > immediately and then delete the original from your computer. > > Opinion : Any opinions expressed in this e-mail are entirely those > > of > > the author and unless specifically stated to the contrary, are not > > necessarily those of the author's employer. > > Security Warning : Internet e-mail is not necessarily a secure > > communications medium and can be subject to data corruption. We > > advise > > that you consider this fact when e-mailing us. > > Viruses : We have taken steps to ensure that this e-mail and any > > attachments are free from known viruses but in keeping with good > > computing practice, you should ensure that they are virus free. 
> > > > Red Lion 49 Ltd T/A Solid State Logic > > Registered as a limited company in England and Wales > > (Company No:5362730) > > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > > United Kingdom > > > ******************************************************************** > > ** > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/b5f28fb9/attachment-0001.html From cotharyus at gmail.com Thu Feb 7 18:43:09 2008 From: cotharyus at gmail.com (Drew) Date: Thu Feb 7 19:26:26 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: References: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> Message-ID: <715841970802071043r4943c4dbmba6c4dbfbaeb46d8@mail.gmail.com> On Feb 7, 2008 11:08 AM, Martin.Hepworth wrote: > Drew > > Hmmmm > > What does "MailScanner -v" give ya??? 
> > > root@colossus(~)# mailscanner -v Running on FreeBSD colossus.cotharyus.net 6.3-STABLE FreeBSD 6.3-STABLE #3: Sun Feb 3 14:31:40 CST 2008 lauasanf@colossus.cotharyus.net:/usr/obj/usr/src/sys/Colossus i386 This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.64.3 Module versions are: 1.00 AnyDBM_File 1.23 Archive::Zip 1.04 Carp 1.119 Convert::BinHex 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.20 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.22 IO 1.13 IO::File 1.13 IO::Pipe 1.77 Mail::Header 1.87 Math::BigInt 3.07 MIME::Base64 5.425 MIME::Decoder 5.425 MIME::Decoder::UU 5.425 MIME::Head 5.425 MIME::Parser 3.07 MIME::QuotedPrint 5.425 MIME::Tools 0.11 Net::CIDR 1.09 POSIX 1.19 Scalar::Util 1.78 Socket 1.4 Sys::Hostname::Long 0.13 Sys::Syslog 1.9711 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.38 Archive::Tar 0.17 bignum missing Business::ISBN missing Business::ISBN::Data 0.17 Convert::TNEF missing Data::Dump 1.814 DB_File 1.14 DBD::SQLite 1.601 DBI 1.15 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 1.00 Encode::Detect 0.17009 Error 0.21 ExtUtils::CBuilder 2.18 ExtUtils::ParseXS missing Inline 1.08 IO::String 1.07 IO::Zlib 2.23 IP::Country missing Mail::ClamAV 3.002004 Mail::SpamAssassin v2.004 Mail::SPF 1.999001 Mail::SPF::Query 0.15 Math::BigRat 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.62 Net::DNS v0.003 Net::DNS::Resolver::Programmable missing Net::LDAP 4.007 NetAddr::IP missing Parse::RecDescent missing SAVI 3.07 Test::Harness missing Test::Manifest 1.95 Text::Balanced 1.35 URI 0.74 version 0.66 YAML > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Drew > > Sent: 07 February 2008 16:12 > > To: MailScanner discussion > > Subject: Re: Mailscanner segfaults on spamassassin lint test > > > > 
> > Everything was installed from ports except for MailWatch, which really
> > doesn't play into this except that the lint test from Mailwatch is where
> > the only informative error seems to be coming from.
> >
> > On Feb 7, 2008 10:05 AM, Martin.Hepworth wrote:
> >
> > Drew
> >
> > How did you install SA etc, I can't remember what you said on the freebsd list.
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > > Sent: 07 February 2008 10:35
> > > To: MailScanner discussion
> > > Subject: Re: Mailscanner segfaults on spamassassin lint test
> > >
> > > On Feb 7, 2008 3:39 AM, Martin.Hepworth wrote:
> > >
> > > Drew
> > >
> > > Nice to see you here...
> > >
> > > What happen when you..
> > >
> > > MailScanner --debug --debug-SA
> > >
> > > --
> > > Martin Hepworth
> > > Snr Systems Administrator
> > > Solid State Logic
> > > Tel: +44 (0)1865 842300
> > >
> > > > -----Original Message-----
> > > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > > > Sent: 06 February 2008 23:18
> > > > To: mailscanner@lists.mailscanner.info
> > > > Subject: Mailscanner segfaults on spamassassin lint test
> > > >
> > > > Hello,
> > > > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> > > > running lint on spamassassin.
> > > > Unfortunately, at this time the best (most informative) error I have is this, from the lint test through the mailwatch interface:
> > > >
> > > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol "PL_exit_flags"
> > > >
> > > > I'm posting this here on a recommendation I got from a FreeBSD list. I've taken the following steps so far:
> > > >
> > > > rebuilt perl and all perl modules.
> > > > made double sure all the right steps were taken after the perl upgrade.
> > > > rebuilt world
> > > >
> > > > Perl version is 5.8.8
> > > >
> > > > Thanks in advance for any assistance you folks can provide.
> > >
> > > Hi Martin,
> > >
> > > root@colossus(/usr)# mailscanner --debug --debug-SA
> > > In Debugging mode, not forking...
> > > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > > zsh: segmentation fault mailscanner --debug --debug-SA

From gerard at seibercom.net Thu Feb 7 19:55:20 2008
From: gerard at seibercom.net (Gerard)
Date: Thu Feb 7 19:55:47 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
Message-ID: <20080207145520.712df002@scorpio>

On Thu, 7 Feb 2008 12:45:10 -0600 Drew wrote:

> On Feb 7, 2008 12:20 PM, Gerard wrote:
>
> > On Thu, 7 Feb 2008 10:11:42 -0600
> > Drew wrote:
> >
> > > Everything was installed from ports except for MailWatch, which
> > > really doesn't play into this except that the lint test from
> > > Mailwatch is where the only informative error seems to be coming
> > > from.
> >
> > And what would lead you to that conclusion?
> >
>
> Mostly that this seems related to SA specifically, and as far as I
> know, other than some logging preferences in the mailscanner config,
> mailwatch doesn't have any real bearing on SA. Or have I deceived
> myself?

I don't use the program myself; however, I did find some information regarding it and FreeBSD.

http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes

http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes:startup_script

http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes:minor_fixes

Whether any of that will be of any help to you, I have no idea.

--
Gerard
gerard@seibercom.net

The Wright Brothers weren't the first to fly.
They were just the first not to crash.

From glenn.steen at gmail.com Thu Feb 7 20:52:10 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 20:52:21 2008
Subject: [ot] internal ip address
In-Reply-To: <47AB2D43.9020700@evi-inc.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> <47AB2D43.9020700@evi-inc.com>
Message-ID: <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>

On 07/02/2008, Matt Kettler wrote:
> Glenn Steen wrote:
> > For the
> > vast majority of organizations, this is a very minor threat, not worth
> > breaking RFC...
>
> Like.. gmail?

:-)

> Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14
>
> Actually, AFAIK, that doesn't actually violate the RFCs.. you MUST add a
> Received: header, but I don't see anything in 2821/2822/1123 requiring you to
> add a from clause.

Ah, but the "breakage" is in _removing_ a Received line added by another SMTP server, be that internal or not...
Hm, maybe I'm an idiot, and the original question was just about the Received line added by the MS gw... Sigh. Just goes to show one shouldn't try to do more than three things simultaneously (I got my new DB servers today, or rather the storage and racks... as a surprise "here we are, four workdays early.... Where should we put them?" kind of thing, on a busy day...). Sorry, might've been me typing without much afterthought.

> > I'm not saying you're wrong, just that it is ... really minor...
> > compared to a lot of other email-related threats:-)... Yes, you can
> > counter with "your generalization is bigger than mine"... I know I do
> > it too...:-)
> >
> > On the whole, I see very little _real possibility_ of damages from this.
> > It is a leakage, yes.... but negligible in most cases. that's MHO at least:-).
>
> I would agree in most cases it is very minor or negligible. I never said this
> applied to most, or even very many people.

See above, me reading too fast:-). I tend to react to "security by obscurity" or "the auditor said this is bad for everyone" kind of arguments, where one hasn't done any form of risk assessment... so that was probably what got me going:-).

> My only point was the "if it's unroutable, you can't hack it" argument isn't a
> very complete view of network security.

Quite true. As usual, I find we're in violent agreement (of a sorts:-). I truly value your comments.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From cotharyus at gmail.com Thu Feb 7 21:03:01 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 21:03:10 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <20080207145520.712df002@scorpio>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <20080207145520.712df002@scorpio>
Message-ID: <715841970802071303t2df0cd65h16d270f4ab225857@mail.gmail.com>

Gerard,

I've read all of that. For what it's worth, I've had MailScanner/Postfix/Mailwatch running on FreeBSD previously, and not had problems. I've gone through and double checked a few config options, and installed all the missing perl modules from the mailscanner -v that it was requested I run - the only one that I didn't install was SAVI because that's directly related to Sophos which I don't have, and don't intend to use.

On Feb 7, 2008 1:55 PM, Gerard wrote:

> On Thu, 7 Feb 2008 12:45:10 -0600
> Drew wrote:
>
> > On Feb 7, 2008 12:20 PM, Gerard wrote:
> >
> > > On Thu, 7 Feb 2008 10:11:42 -0600
> > > Drew wrote:
> > >
> > > > Everything was installed from ports except for MailWatch, which
> > > > really doesn't play into this except that the lint test from
> > > > Mailwatch is where the only informative error seems to be coming
> > > > from.
> > >
> > > And what would lead you to that conclusion?
> > >
> >
> > Mostly that this seems related to SA specifically, and as far as I
> > know, other than some logging preferences in the mailscanner config,
> > mailwatch doesn't have any real bearing on SA. Or have I deceived
> > myself?
>
> I don't use the program myself; however, I did find some information
> regarding it and FreeBSD.
>
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes
>
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes:startup_script
>
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes:minor_fixes
>
> Whether any of that will be of any help to you, I have no idea.
>
> --
>
> Gerard
> gerard@seibercom.net
>
> The Wright Brothers weren't the first to fly.
> They were just the first not to crash.

From mkettler at evi-inc.com Thu Feb 7 21:13:17 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Feb 7 21:13:46 2008
Subject: [ot] internal ip address
In-Reply-To: <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> <47AB2D43.9020700@evi-inc.com> <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>
Message-ID: <47AB746D.1030504@evi-inc.com>

Glenn Steen wrote:
> On 07/02/2008, Matt Kettler wrote:
>> Glenn Steen wrote:
>>> For the
>>> vast majority of organizations, this is a very minor threat, not worth
>>> breaking RFC...
>> Like.. gmail?
> :-)
>
>> Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14
>>
>> Actually, AFAIK, that doesn't actually violate the RFCs..
>> you MUST add a
>> Received: header, but I don't see anything in 2821/2822/1123 requiring you to
>> add a from clause.
> Ah, but the "breakage" is in _removing_ a Received line added by
> another SMTP server, be that internal or not...

True, but to achieve the goal of the origination of this thread, you don't need to remove a Received line.. You just need to generate one without a "from" clause.

> Hm, maybe I'm an
> idiot, and the original question was just about the Received line
> added by the MS gw...

You're not an idiot, just lost in the noise of the thread.

The header from the original post is:
_______________________________________
Received: from [10.0.0.175] (pc1 [10.0.0.175]) by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET)
_______________________________________

Which you could, in theory, sanitize by not generating a from clause at smtp.vvv.net.

From glenn.steen at gmail.com Thu Feb 7 22:20:50 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 22:21:00 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
Message-ID: <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com>

On 07/02/2008, Drew wrote:
>
> On Feb 7, 2008 12:20 PM, Gerard wrote:
> >
> > On Thu, 7 Feb 2008 10:11:42 -0600
> > Drew wrote:
> >
> > > Everything was installed from ports except for MailWatch, which really
> > > doesn't play into this except that the lint test from Mailwatch is
> > > where the only informative error seems to be coming from.
> >
> > And what would lead you to that conclusion?
> >
>
> Mostly that this seems related to SA specifically, and as far as I know,
> other than some logging preferences in the mailscanner config, mailwatch
> doesn't have any real bearing on SA. Or have I deceived myself?
>
Apart from you running SA as your apache user when you see the error....

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From v at vladville.com Thu Feb 7 22:21:59 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 22:22:09 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AB43F5.9030004@sendit.nodak.edu>
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

Nope, still gets processed by MailScanner:

Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in SBL+XBL
Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for message m17M9lxS016045
Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from 75.63.44.11( ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, URIBL_WS_SURBL 2.10)

Notice that it still passes it through SpamAssassin. I have the following in my MailScanner.conf:

Spam List = SBL+XBL
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 1

-Vlad

On 2/7/08, Richard Frovarp wrote:
>
> Vlad Mazek wrote:
> > So how does a message that gets hit by Spam Lists To Be Spam bypass
> > spamassassin checks in MailScanner?
> >
> > -Vlad**
> *If spam and high scoring spam have the same actions, I think it will
> bypass.
> Or if you just set it to be high scoring spam, it will take that
> action.*

--
-Vlad

From cotharyus at gmail.com Thu Feb 7 22:33:20 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 22:33:31 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com>
Message-ID: <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com>

Glen,

Point taken. However it's worked for me before. Does this help any?

root@colossus()# spamassassin -D --lint
[10051] dbg: logger: adding facilities: all
[10051] dbg: logger: logging level is DBG
[10051] dbg: generic: SpamAssassin version 3.2.4
[10051] dbg: config: score set 0 chosen.
[10051] dbg: util: running in taint mode? yes
[10051] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[10051] dbg: util: PATH included '/opt/bin', which doesn't exist, dropping
[10051] dbg: util: PATH included '/opt/sbin', which doesn't exist, dropping
[10051] dbg: util: PATH included '/opt/java/bin', which doesn't exist, dropping
[10051] dbg: util: PATH included '/opt/bin', which doesn't exist, dropping
[10051] dbg: util: PATH included '/opt/sbin', which doesn't exist, dropping
[10051] dbg: util: PATH included '/opt/java/bin', which doesn't exist, dropping
[10051] dbg: util: PATH included '/sbin', keeping
[10051] dbg: util: PATH included '/bin', keeping
[10051] dbg: util: PATH included '/usr/sbin', keeping
[10051] dbg: util: PATH included '/usr/bin', keeping
[10051] dbg: util: PATH included '/usr/games', keeping
[10051] dbg: util: PATH included '/usr/local/sbin', keeping
[10051] dbg: util: PATH included '/usr/local/bin', keeping
[10051] dbg: util: PATH included '/usr/X11R6/bin', keeping
[10051] dbg: util: PATH included '/home/lauasanf/bin', keeping
[10051] dbg: util: final PATH set to: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/home/lauasanf/bin
[10051] dbg: dns: is Net::DNS::Resolver available? yes
[10051] dbg: dns: Net::DNS version: 0.62
[10051] dbg: diag: perl platform: 5.008008 freebsd
[10051] dbg: diag: module installed: Digest::SHA1, version 2.11
[10051] dbg: diag: module installed: HTML::Parser, version 3.56
[10051] dbg: diag: module installed: Net::DNS, version 0.62
[10051] dbg: diag: module installed: MIME::Base64, version 3.07
[10051] dbg: diag: module installed: DB_File, version 1.814
[10051] dbg: diag: module installed: Net::SMTP, version 2.31
[10051] dbg: diag: module installed: Mail::SPF, version v2.004
[10051] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[10051] dbg: diag: module installed: IP::Country::Fast, version 604.001
[10051] dbg: diag: module installed: Razor2::Client::Agent, version 2.84
[10051] dbg: diag: module installed: Net::Ident, version 1.20
[10051] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[10051] dbg: diag: module installed: IO::Socket::SSL, version 1.12
[10051] dbg: diag: module installed: Compress::Zlib, version 2.008
[10051] dbg: diag: module installed: Time::HiRes, version 1.9711
[10051] dbg: diag: module installed: Mail::DomainKeys, version 1.0
[10051] dbg: diag: module installed: Mail::DKIM, version 0.30
[10051] dbg: diag: module installed: DBI, version 1.601
[10051] dbg: diag: module installed: Getopt::Long, version 2.37
[10051] dbg: diag: module installed: LWP::UserAgent, version 2.033
[10051] dbg: diag: module installed: HTTP::Date, version 1.47
[10051] dbg: diag: module installed: Archive::Tar, version 1.38
[10051] dbg: diag: module installed: IO::Zlib, version 1.07
[10051] dbg: diag: module installed: Encode::Detect, version 1.00
[10051] dbg: ignore: using a test message to lint rules
[10051] dbg: config: using "/usr/local/etc/mail/spamassassin" for site rules pre files
[10051] dbg: config: read file /usr/local/etc/mail/spamassassin/init.pre
[10051] dbg: config: read file /usr/local/etc/mail/spamassassin/v310.pre
[10051] dbg: config: read file /usr/local/etc/mail/spamassassin/v312.pre
[10051] dbg: config: read file /usr/local/etc/mail/spamassassin/v320.pre
[10051] dbg: config: using "/var/db/spamassassin/3.002004" for sys rules pre files
[10051] dbg: config: using "/var/db/spamassassin/3.002004" for default rules dir
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org.cf
[10051] dbg: config: using "/usr/local/etc/mail/spamassassin" for site rules dir
[10051] dbg: config: read file /usr/local/etc/mail/spamassassin/mailscanner.cf
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[10051] dbg: pyzor: local tests only, disabling Pyzor
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[10051] dbg: razor2: local tests only, skipping Razor
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[10051] dbg: reporter: local tests only, disabling SpamCop
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::DKIM from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::Check from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTTPSMismatch from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDetail from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::BodyEval from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::DNSEval from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTMLEval from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::HeaderEval from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEEval from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayEval from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIEval from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::WLBLEval from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::VBounce from @INC
[10051] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/10_default_prefs.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/10_default_prefs.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/10_default_prefs.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_advance_fee.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_advance_fee.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_advance_fee.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_body_tests.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_body_tests.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_body_tests.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_compensate.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_compensate.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_compensate.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_dnsbl_tests.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_dnsbl_tests.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_dnsbl_tests.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_drugs.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_drugs.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_drugs.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_dynrdns.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_dynrdns.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_dynrdns.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_fake_helo_tests.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_fake_helo_tests.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_fake_helo_tests.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_head_tests.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_head_tests.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_head_tests.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_html_tests.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_html_tests.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_html_tests.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_imageinfo.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_imageinfo.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_imageinfo.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_meta_tests.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_meta_tests.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_meta_tests.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_net_tests.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_net_tests.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_net_tests.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_phrases.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_phrases.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_phrases.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_porn.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_porn.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_porn.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_ratware.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_ratware.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_ratware.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_uri_tests.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_uri_tests.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_uri_tests.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/23_bayes.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/23_bayes.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/23_bayes.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_accessdb.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_accessdb.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_accessdb.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_antivirus.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_antivirus.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_antivirus.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_asn.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_asn.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_asn.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_dcc.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_dcc.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_dcc.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_dkim.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_dkim.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_dkim.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_domainkeys.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_domainkeys.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_domainkeys.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_hashcash.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_hashcash.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_hashcash.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_pyzor.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_pyzor.cf" for included file
[10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_pyzor.cf
[10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_razor2.cf
[10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_razor2.cf" for included file
[10051] dbg: config: read file
/var/db/spamassassin/3.002004/updates_spamassassin_org/25_razor2.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf" for included file [10051] dbg: config: read file 
/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf" for included file [10051] dbg: config: read file 
/var/db/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dkim.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dkim.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dkim.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_spf.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_spf.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_spf.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_subject.cf [10051] dbg: config: using 
"/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_subject.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_subject.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/72_active.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/72_active.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/72_active.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf [10051] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA [10051] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E [10051] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05 [10051] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 [10051] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA 
[10051] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: HS_SUBJ_NEW_SOFTWARE [10051] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI [10051] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A [10051] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 [10051] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0 [10051] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6 [10051] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7 [10051] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 [10051] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E [10051] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 [10051] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI [10051] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B [10051] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING [10051] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E [10051] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 [10051] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 [10051] dbg: conf: finish parsing [10051] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x92aefe4) implements 'finish_parsing_end', priority 0 [10051] dbg: replacetags: replacing tags [10051] dbg: replacetags: done replacing tags [10051] dbg: bayes: no dbs present, cannot tie DB 
R/O: /usr/local/etc/MailScanner/bayes/bayes_toks [10051] dbg: config: score set 0 chosen. [10051] dbg: message: main message type: text/plain [10051] dbg: message: ---- MIME PARSER START ---- [10051] dbg: message: parsing normal part [10051] dbg: message: ---- MIME PARSER END ---- [10051] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x9432ea4) implements 'check_start', priority 0 [10051] dbg: bayes: no dbs present, cannot tie DB R/O: /usr/local/etc/MailScanner/bayes/bayes_toks [10051] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x93feb8c) implements 'check_main', priority 0 [10051] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually [10051] dbg: metadata: X-Spam-Relays-Trusted: [10051] dbg: metadata: X-Spam-Relays-Untrusted: [10051] dbg: metadata: X-Spam-Relays-Internal: [10051] dbg: metadata: X-Spam-Relays-External: [10051] dbg: message: no encoding detected [10051] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x91feaa4) implements 'parsed_metadata', priority 0 [10051] dbg: dns: is DNS available? 
0 [10051] dbg: rules: local tests only, ignoring RBL eval [10051] dbg: check: running tests for priority: -1000 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [10051] dbg: eval: all '*To' addrs: [10051] dbg: rules: running body tests; score so far=0 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=0 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=0 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=0 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=0 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: -950 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=0 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=0 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=0 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=0 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=0 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: -900 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=0 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=0 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=0 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=0 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; 
score so far=0 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: -400 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=0 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=0 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=0 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=0 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=0 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: 0 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: rules: ran header rule __MISSING_REF ======> got hit: "UNSET" [10051] dbg: rules: ran header rule __MSOE_MID_WRONG_CASE ======> got hit: " [10051] dbg: rules: Message-Id: " [10051] dbg: rules: ran header rule MISSING_DATE ======> got hit: "UNSET" [10051] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [10051] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1202423398" [10051] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [10051] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "< 1202423398@lint_rules> [10051] dbg: rules: " [10051] dbg: spf: checking to see if the message has a Received-SPF header that we can use [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: rules: ran eval rule NO_RELAYS ======> got hit (1) [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: cannot get 
Envelope-From, cannot use SPF [10051] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit (1) [10051] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit (1) [10051] dbg: spf: spf_whitelist_from: could not find useable envelope sender [10051] dbg: rules: running body tests; score so far=1.899 [10051] dbg: rules: compiled body tests [10051] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [10051] dbg: rules: running uri tests; score so far=1.899 [10051] dbg: rules: compiled uri tests [10051] dbg: eval: stock info total: 0 [10051] dbg: rules: running rawbody tests; score so far=1.899 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: ran rawbody rule __TVD_BODY ======> got hit: "need" [10051] dbg: rules: running full tests; score so far=1.899 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=1.899 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: 500 [10051] dbg: dns: harvest_dnsbl_queries [10051] dbg: rules: running head tests; score so far=1.899 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=1.899 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=1.899 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=1.899 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=1.899 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=1.899 [10051] dbg: rules: meta test DIGEST_MULTIPLE has undefined 
On Feb 7, 2008 4:20 PM, Glenn Steen wrote:

> On 07/02/2008, Drew wrote:
> >
> >
> > On Feb 7, 2008 12:20 PM, Gerard wrote:
> > >
> > > On Thu, 7 Feb 2008 10:11:42 -0600
> > > Drew wrote:
> > >
> > > > Everything was installed from ports except for MailWatch, which really
> > > > doesn't play into this except that the lint test from Mailwatch is
> > > > where the only informative error seems to be coming from.
> > >
> > > And what would lead you to that conclusion?
> > >
> > >
> >
> > Mostly that this seems related to SA specifically, and as far as I know,
> > other than some logging preferences in the mailscanner config, mailwatch
> > doesn't have any real bearing on SA. Or have I deceived myself?
> >
> Apart from you running SA as your apache user when you see the error....
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From Jeff.Mills at versacold.com.au Thu Feb 7 22:34:23 2008
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Thu Feb 7 22:35:12 2008
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca><47AB3451.2060500@sendit.nodak.edu><47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

________________________________

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vlad Mazek
Sent: Friday, 8 February 2008 9:22 AM
To: MailScanner discussion
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL

Nope, still gets processed by MailScanner:

Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in SBL+XBL
Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for message m17M9lxS016045
Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from MailScanner warning: numerical links are often malicious: 75.63.44.11 (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, URIBL_WS_SURBL 2.10)

Notice that it still passes it through SpamAssassin.

I have the following in my MailScanner.conf:

Spam List = SBL+XBL
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 1

-Vlad

Can you not put the RBLs at MTA level?

From v at vladville.com Thu Feb 7 22:39:08 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 22:39:17 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

My bad, that should have read "still gets processed by SpamAssassin"

I'm basically searching for a way to eliminate additional lookups and
overhead of processing the message through SpamAssassin if MailScanner
already locates it on an RBL. I still have a requirement to keep the message
in case someone needs to retrieve it, but I don't want to pay for the
SpamAssassin overhead of processing that message if it's already on an RBL.

-Vlad

On 2/7/08, Vlad Mazek wrote:
>
> Nope, still gets processed by MailScanner:
>
> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in
> SBL+XBL
> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for
> message m17M9lxS016045
> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from
> 75.63.44.11 (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL,
> SpamAssassin (cached, score=23.378, required 5, autolearn=disabled,
> RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
> RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET
> 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72,
> URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL
> 2.52, URIBL_WS_SURBL 2.10)
>
> Notice that it still passes it through SpamAssassin.
>
> I have the following in my MailScanner.conf:
>
> Spam List = SBL+XBL
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 1
>
> -Vlad
>
> On 2/7/08, Richard Frovarp wrote:
> >
> > Vlad Mazek wrote:
> > > So how does a message that gets hit by Spam Lists To Be Spam bypass
> > > spamassassin checks in MailScanner?
> > >
> > > -Vlad
> > If spam and high scoring spam have the same actions, I think it will
> > bypass. Or if you just set it to be high scoring spam, it will take that
> > action.
> >
> > --
> > -Vlad

--
-Vlad

From mkettler at evi-inc.com Thu Feb 7 22:44:16 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Feb 7 22:44:49 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID: <47AB89C0.2000804@evi-inc.com>

Vlad Mazek wrote:
> Nope, still gets processed by MailScanner:
>
> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in
> SBL+XBL
> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for
> message m17M9lxS016045
> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from
> 75.63.44.11 (ka@creativeholidays.com.au) to rmel.org is
> spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5,
> autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50,
> RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
> RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90,
> STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96,
> URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52,
> URIBL_WS_SURBL 2.10)
>
> Notice that it still passes it through SpamAssassin.
>
> I have the following in my MailScanner.conf:
>
> Spam List = SBL+XBL
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 1
>
> -Vlad
>

Do you have:
Always Include SpamAssassin Report = yes

There's always been a bit of a double-edged sword on this setting. IIRC,
this setting forces MailScanner to *ALWAYS* scan with SA, so it can always
include a report.

Of course, most folks that turn this on do so because they want the SA
report to always be included whenever it's generated, and not left off of
nonspam. But MailScanner takes this option pretty literally from what I
remember.

Makes me wish there was two separate options:

"Always scan with SpamAssassin"
"Include SpamAssassin Report In NonSpam".

From shuttlebox at gmail.com Thu Feb 7 22:46:55 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Feb 7 22:47:05 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID: <625385e30802071446h1e843b96v87a3974a8766aadd@mail.gmail.com>

On Feb 7, 2008 11:21 PM, Vlad Mazek wrote:
> Nope, still gets processed by MailScanner:
>
> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in
> SBL+XBL
> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for
> message m17M9lxS016045
> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from 75.63.44.11
> (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, SpamAssassin
> (cached, score=23.378, required 5, autolearn=disabled,
> RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
> RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET
> 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72,
> URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL
> 2.52, URIBL_WS_SURBL 2.10)
>
> Notice that it still passes it through SpamAssassin.

What do you have on?

Log Spam
Detailed Spam Report
Always Include SpamAssassin Report

Those options may force SA to be run. Test with different settings on them.

--
/peter

From ssilva at sgvwater.com Thu Feb 7 23:21:16 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 7 23:21:25 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AB89C0.2000804@evi-inc.com>
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47AB89C0.2000804@evi-inc.com>
Message-ID:

on 2/7/2008 2:44 PM Matt Kettler spake the following:
> Vlad Mazek wrote:
>> Nope, still gets processed by MailScanner:
>>
>> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found
>> in SBL+XBL
>> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit
>> for message m17M9lxS016045
>> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from
>> 75.63.44.11 (ka@creativeholidays.com.au) to rmel.org is
>> spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5,
>> autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50,
>> RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
>> RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90,
>> STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96,
>> URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52,
>> URIBL_WS_SURBL 2.10)
>>
>> Notice that it still passes it through SpamAssassin.
>>
>> I have the following in my MailScanner.conf:
>>
>> Spam List = SBL+XBL
>> Spam Lists To Be Spam = 1
>> Spam Lists To Reach High Score = 1
>>
>> -Vlad
>>
>
> Do you have:
> Always Include SpamAssassin Report = yes
>
> There's always been a bit of a double-edged sword on this setting.
IIRC, > this setting forces MailScanner to *ALWAYS* scan with SA, so it can > always include a report. > > Of course, most folks that turn this on do so because they want the SA > report to always be included whenever its generated, and not left off of > nonspam. But MailScanner takes this option pretty literally from what I > remember. > > > Makes me wish there was two separate options: > > "Always scan with SpamAssassin" > "Include SpamAssassin Report In NonSpam". > Or at least "Never hide spamassasssin report" -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 187 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/056b4f95/signature.bin From v at vladville.com Thu Feb 7 23:51:44 2008 From: v at vladville.com (Vlad Mazek) Date: Thu Feb 7 23:51:54 2008 Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> Message-ID: Someone already recommend that; No, putting the RBLs at the MTA would reject the message, I still need to be able to store it in case someone wants to retrieve false positive. Also, putting RBL's on the MTA eliminates any whitelisting that would be provided by MailScanner. 
-Vlad On 2/7/08, Jeff Mills wrote: > > > > > ________________________________ > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vlad > Mazek > Sent: Friday, 8 February 2008 9:22 AM > To: MailScanner discussion > Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an > RBL > > > Nope, still gets processed by MailScanner: > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 > found in SBL+XBL > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache > hit for message m17M9lxS016045 > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > MailScanner warning: numerical links are often malicious: 75.63.44.11 > (ka@creativeholidays.com.au) to rmel.org is spam, > SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > URIBL_WS_SURBL 2.10) > > Notice that it still passes it through SpamAssassin. > > I have the the following in my MailScanner.conf: > > Spam List = SBL+XBL > Spam Lists To Be Spam = 1 > Spam Lists To Reach High Score = 1 > > -Vlad > > > Can you not put the RBLs at MTA level? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/90874acd/attachment.html From v at vladville.com Thu Feb 7 23:56:19 2008 From: v at vladville.com (Vlad Mazek) Date: Thu Feb 7 23:56:29 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: <625385e30802071446h1e843b96v87a3974a8766aadd@mail.gmail.com> References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <625385e30802071446h1e843b96v87a3974a8766aadd@mail.gmail.com> Message-ID: Always Include SpamAssassin Report = no Log Spam = yes Detailed Spam Report = yes I'll flip the "Log Spam" to off and see if it makes a difference. The Always Include SpamAssassin Report is set to no though, I remember a discussion on here about it Matt. I have now flipped all three to no, let's see what it does... -Vlad On 2/7/08, shuttlebox wrote: > > On Feb 7, 2008 11:21 PM, Vlad Mazek wrote: > > Nope, still gets processed by MailScanner: > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in > > SBL+XBL > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for > > message m17M9lxS016045 > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > 75.63.44.11 > > (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, SpamAssassin > > (cached, score=23.378, required 5, autolearn=disabled, > > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, > > RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, > RCVD_IN_BL_SPAMCOP_NET > > 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, > > URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, > URIBL_SC_SURBL > > 2.52, URIBL_WS_SURBL 2.10) > > > > Notice that it still passes it through SpamAssassin. > > What do have on? > > Log Spam > Detailed Spam Report > Always Include SpamAssassin Report > > Those options may force SA to be run. Test with different settings on > them. 
> > -- > /peter > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/d72ba98b/attachment.html From v at vladville.com Fri Feb 8 00:08:26 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 00:08:36 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <625385e30802071446h1e843b96v87a3974a8766aadd@mail.gmail.com> Message-ID: Ok, with the following: Always Include SpamAssassin Report = no Detailed Spam Report = no Log Spam = yes .. MailScanner still passes it to SA. With Log Spam set to yes I can't tell if its running SA on every message or not but with debug on it sure seems like its passing it through SA.. -Vlad On 2/7/08, Vlad Mazek wrote: > > Always Include SpamAssassin Report = no > Log Spam = yes > Detailed Spam Report = yes > > I'll flip the "Log Spam" to off and see if it makes a difference. > > The Always Include SpamAssassin Report is set to no though, I remember a > discussion on here about it Matt. > > I have now flipped all three to no, let's see what it does... 
> > -Vlad > > > On 2/7/08, shuttlebox wrote: > > > > On Feb 7, 2008 11:21 PM, Vlad Mazek wrote: > > > Nope, still gets processed by MailScanner: > > > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > in > > > SBL+XBL > > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > for > > > message m17M9lxS016045 > > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > 75.63.44.11 > > > (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, > > SpamAssassin > > > (cached, score=23.378, required 5, autolearn=disabled, > > > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, > > > RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, > > RCVD_IN_BL_SPAMCOP_NET > > > 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, > > > URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, > > URIBL_SC_SURBL > > > 2.52, URIBL_WS_SURBL 2.10) > > > > > > Notice that it still passes it through SpamAssassin. > > > > What do have on? > > > > Log Spam > > Detailed Spam Report > > Always Include SpamAssassin Report > > > > Those options may force SA to be run. Test with different settings on > > them. > > > > -- > > /peter > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > -- > > -Vlad -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/af5cc809/attachment.html From ssilva at sgvwater.com Fri Feb 8 00:14:30 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 8 00:14:34 2008 Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> Message-ID: on 2/7/2008 3:51 PM Vlad Mazek spake the following: > Someone already recommended that; No, putting the RBLs at the MTA would > reject the message, I still need to be able to store it in case someone > wants to retrieve a false positive. > > Also, putting RBLs on the MTA eliminates any whitelisting that would be > provided by MailScanner. > True. But nothing gets a mail administrator off his a$$ to fix his systems better than all his mail getting rejected during the initial smtp phase! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From v at vladville.com Fri Feb 8 01:40:37 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 01:40:46 2008 Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> Message-ID: Doesn't work like that in the business world... Remote Sender: I sent you the email. Internal Recipient: We didn't get the email. Five minutes later, IT is getting chewed out for blocking customers' emails that almost always involve a $10 million dollar transaction for a company that doesn't have any extra room in the budget to beef up the security........ 
-Vlad On 2/7/08, Scott Silva wrote: > > True. But nothing gets a mail administrator off his a$$ to fix his systems > better than all his mail getting rejected during the initial smtp phase! > > > From gmane at tippingmar.com Fri Feb 8 02:18:53 2008 From: gmane at tippingmar.com (Mark Nienberg) Date: Fri Feb 8 02:19:10 2008 Subject: Definite Fraud? In-Reply-To: <47AA1531.4040205@sequestered.net> References: <47AA1531.4040205@sequestered.net> Message-ID: Jay Chandler wrote: > I'm sure this has been rehashed before, but... > > > *MailScanner has detected definite fraud in the website at > "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah > > > > Obviously it's detecting the 301 redirect, but that doesn't necessarily > bespeak fraud. There are a lot of non-fraudulent things that it could > be, ranging from shock pictures to Rick Rolls to incredibly long URLs. > > Has anyone discussed changing the wording here? > The wording is correct. This is the message that is displayed when a URL is found in the list /etc/MailScanner/phishing.bad.sites.conf. These are known phishing sites. This is different from the case where a link target and text do not match, which is described as a "possible" fraud. That said, it is a little strange that tinyurl.com is listed in phishing.bad.sites.conf, but it is. 
Mark From Richard.Frovarp at sendit.nodak.edu Fri Feb 8 03:07:58 2008 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Fri Feb 8 03:08:21 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> Message-ID: <47ABC78E.90503@sendit.nodak.edu> Vlad Mazek wrote: > Nope, still gets processed by MailScanner: > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > in SBL+XBL > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > for message m17M9lxS016045 > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > *MailScanner warning: numerical links are often malicious:* > 75.63.44.11 (ka@creativeholidays.com.au > ) to rmel.org is > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > URIBL_WS_SURBL 2.10) > > Notice that it still passes it through SpamAssassin. > > I have the the following in my MailScanner.conf: > > Spam List = SBL+XBL > Spam Lists To Be Spam = 1 > Spam Lists To Reach High Score = 1 > > -Vlad Actually, that one didn't get passed through SpamAssassin. It hit the cache. Not sure how that is handled differently. What version of MailScanner? What are your High Scoring Spam Actions? 
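The distinction raised in the message above, a "cached" verdict versus a fresh SpamAssassin run, can be checked across a whole log rather than one message at a time. The following is an added example, not code from any poster or from MailScanner: it groups MailScanner log lines by message ID and reports, for each RBL-listed message, whether SpamAssassin ran in full, answered from its cache, or was skipped. The sample log is constructed in the format quoted in this thread, and the shape of an RBL-only verdict line (no "SpamAssassin (...)" part) is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in this thread. Message IDs, host
# name, addresses and scores are made up (192.0.2.0/24 is a documentation range).
# Assumption: when SpamAssassin is skipped, the verdict line just lacks the
# "SpamAssassin (...)" part, as in message m18EXAMPLE0003 below.
SAMPLE_LOG = """\
Feb  8 07:31:55 mx1 MailScanner[16681]: RBL checks: m18EXAMPLE0001 found in SBL+XBL
Feb  8 07:31:56 mx1 MailScanner[16681]: SpamAssassin cache hit for message m18EXAMPLE0001
Feb  8 07:31:56 mx1 MailScanner[16681]: Message m18EXAMPLE0001 from 192.0.2.11 (a@example.com) to example.org is spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, autolearn=disabled, RCVD_IN_XBL 2.90, URIBL_BLACK 1.96)
Feb  8 07:31:57 mx1 MailScanner[16681]: RBL checks: m18EXAMPLE0002 found in SBL+XBL
Feb  8 07:31:59 mx1 MailScanner[16681]: Message m18EXAMPLE0002 from 192.0.2.23 (b@example.com) to example.net is spam, SBL+XBL, SpamAssassin (not cached, score= 27.932, required 5, autolearn=disabled, RCVD_IN_XBL 2.90, URIBL_SBL 2.47)
Feb  8 07:32:01 mx1 MailScanner[16681]: RBL checks: m18EXAMPLE0003 found in SBL+XBL
Feb  8 07:32:01 mx1 MailScanner[16681]: Message m18EXAMPLE0003 from 192.0.2.40 (c@example.com) to example.org is spam, SBL+XBL
Feb  8 07:32:03 mx1 MailScanner[16681]: Message m18EXAMPLE0004 from 192.0.2.77 (d@example.com) to example.org is spam, SpamAssassin (not cached, score=7.100, required 5, HTML_MESSAGE 0.00)
Feb  8 07:32:04 mx1 MailScanner[16681]: RBL checks: m18EXAMPLE0005 found in SBL+XBL
"""

# "RBL checks: <id> found in <lists>"
RBL_RE = re.compile(r"MailScanner\[\d+\]: RBL checks: (\S+) found in (.+)$")
# "Message <id> from <ip> (<sender>) to <domain> is <verdict text>"
VERDICT_RE = re.compile(
    r"MailScanner\[\d+\]: Message (\S+) from (\S+) \(([^)]*)\) to (\S+) is (.+)$")
# SpamAssassin part of the verdict; tolerates the "score= 27.932" spacing
# that appears in one of the quoted log lines.
SA_RE = re.compile(
    r"SpamAssassin \((not cached|cached), score=\s*(-?[\d.]+), required (-?[\d.]+)")


def parse_log(text):
    """Return {message_id: record} built from RBL and verdict lines."""
    records = {}
    for line in text.splitlines():
        rbl = RBL_RE.search(line)
        verdict = VERDICT_RE.search(line)
        if not (rbl or verdict):
            continue  # e.g. the separate "SpamAssassin cache hit" line
        msg_id = (rbl or verdict).group(1)
        rec = records.setdefault(
            msg_id, {"rbl": None, "verdict": None, "sa": None, "score": None})
        if rbl:
            rec["rbl"] = rbl.group(2).strip()
            continue
        rec["verdict"] = verdict.group(5)
        sa = SA_RE.search(rec["verdict"])
        if sa:
            rec["sa"] = "cache" if sa.group(1) == "cached" else "full scan"
            rec["score"] = float(sa.group(2))
        else:
            rec["sa"] = "skipped"
    return records


def sa_work_on_rbl_hits(records):
    """For RBL-listed messages with a logged verdict, say what SpamAssassin did."""
    return {mid: rec["sa"] for mid, rec in records.items()
            if rec["rbl"] and rec["verdict"] is not None}


def summarize(records):
    """Count RBL-listed messages per SpamAssassin outcome."""
    return dict(Counter(sa_work_on_rbl_hits(records).values()))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for mid, state in sa_work_on_rbl_hits(recs).items():
        print(mid, recs[mid]["rbl"], state, recs[mid]["score"])
    print(summarize(recs))
```

Only the "full scan" count represents SpamAssassin work done on mail that an RBL had already flagged; messages with an RBL line but no verdict yet (m18EXAMPLE0005) are left out of the summary.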
From Richard.Frovarp at sendit.nodak.edu Fri Feb 8 03:09:01 2008 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Fri Feb 8 03:09:18 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> Message-ID: <47ABC7CD.5000505@sendit.nodak.edu> Vlad Mazek wrote: > Nope, still gets processed by MailScanner: > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > in SBL+XBL > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > for message m17M9lxS016045 > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > *MailScanner warning: numerical links are often malicious:* > 75.63.44.11 (ka@creativeholidays.com.au > ) to rmel.org is > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > URIBL_WS_SURBL 2.10) > > Notice that it still passes it through SpamAssassin. > > I have the the following in my MailScanner.conf: > > Spam List = SBL+XBL > Spam Lists To Be Spam = 1 > Spam Lists To Reach High Score = 1 > > -Vlad Try: Spam Lists To Be Spam = 0 From v at vladville.com Fri Feb 8 04:09:13 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 04:15:58 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: <47ABC7CD.5000505@sendit.nodak.edu> References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC7CD.5000505@sendit.nodak.edu> Message-ID: Tried that earlier today, no difference in behavior. MailScanner finds it on SBL+XBL but proceeds to put it through SA anyhow. 
-Vlad On 2/7/08, Richard Frovarp wrote: > > Vlad Mazek wrote: > > Nope, still gets processed by MailScanner: > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > in SBL+XBL > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > for message m17M9lxS016045 > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > *MailScanner warning: numerical links are often malicious:* > > 75.63.44.11 (ka@creativeholidays.com.au > > ) to rmel.org is > > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > > URIBL_WS_SURBL 2.10) > > > > Notice that it still passes it through SpamAssassin. > > > > I have the the following in my MailScanner.conf: > > > > Spam List = SBL+XBL > > Spam Lists To Be Spam = 1 > > Spam Lists To Reach High Score = 1 > > > > -Vlad > > Try: > Spam Lists To Be Spam = 0 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/228df152/attachment.html From ugob at lubik.ca Fri Feb 8 04:04:56 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Fri Feb 8 05:05:22 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> Message-ID: Drew wrote: > Glen, > Point taken. However it's worked for me before. Does this help any? > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > /usr/local/etc/MailScanner/bayes/bayes_toks > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > /usr/local/etc/MailScanner/bayes/bayes_toks Looks like there is a problem bayes. Permissions? From hvdkooij at vanderkooij.org Fri Feb 8 05:48:21 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Feb 8 05:49:02 2008 Subject: Definite Fraud? In-Reply-To: References: <47AA1531.4040205@sequestered.net> Message-ID: <47ABED25.1060704@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark Nienberg wrote: | Jay Chandler wrote: |> I'm sure this has been rehashed before, but... |> |> *MailScanner has detected definite fraud in the website at |> "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah |> |> |> Obviously it's detecting the 301 redirect, but that doesn't |> necessarily bespeak fraud. There are a lot of non-fraudulent things |> that it could be, ranging from shock pictures to Rick Rolls to |> inredibly long URLs. |> |> Has anyone discussed changing the wording here? | | The wording is correct. 
This is the message that is displayed when a | url is found in the list /etc/MailScanner/phishing.bad.sites.conf. | | These are known phishing sites. This is different from the case where a | link target and text do not match, which is described as a "possible" | fraud. | | That said, it is a little strange that tinyurl.com is listed in | phishing.bad.sites.conf, but it is. These things can point everywhere. So they should be approached with caution. But the classification should be greyish instead of pitch black. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHq+0jBvzDRVjxmYERAuuKAJ4rgwhzlyLtZDUMGkUB/BFTgN3oJQCeMJA8 uLEE8e3BbPi68iE0feIKp98= =2nOb -----END PGP SIGNATURE----- From glenn.steen at gmail.com Fri Feb 8 11:27:57 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 11:28:07 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> Message-ID: <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> On 08/02/2008, Ugo Bellavance wrote: > Drew wrote: > > Glen, > > Point taken. However it's worked for me before. Does this help any? 
> > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > > /usr/local/etc/MailScanner/bayes/bayes_toks > > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > > /usr/local/etc/MailScanner/bayes/bayes_toks > > Looks like there is a problem bayes. Permissions? > Yes, and it tells us that when run like that (what user?) it doesn't bomb... So, could you redo the debug run as your postfix user and as your apache user? I'm thinking perm problems here:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 11:38:29 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 11:38:41 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <47AB262E.6070808@alunys.com> References: <47AB262E.6070808@alunys.com> Message-ID: <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> On 07/02/2008, Cedric Devillers wrote: > Hello, > > I'm trying to revive this thread from the last month because we are > observing the exact same behavior on one of our servers. Thanks for doing that, and for providing some more info. > So to remember the facts : > > - We are using mailscanner with postfix, and duplicated messages are > generated by mailscanner. > > - This system is the only one where we are observing this behavior. It > have a little particularity : it mainly act as a mail relay, but > sometimes many mails are generated by the server itself (a script) and > injected in postfix queues via sendmail command. We can always reproduce > some duplicated messages with this script. > > - MailScanner is configured (by ruleset) to bypass scanning for thoses > messages, but they are still entering the mailscanner logic (postix -> > hold queue -> mailscanner (no scan) -> active queue). What does the ruleset look like? I'm sure it doesn't matter, but ... just out of curiosity:-)... 
> - Mailwatch is running on this server, and for each duplicates we see > entries with null size body (2, 3, 4, sometimes 5) then at last a final > entry with the full body. Note that the recipient see the full body on > every duplicate. > > It looks like a locking problem, because all duplicates are with the > same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > lock some queue file when message is marked not to be scanned by > mailscanner ? Yes, this seems plausible... Could you provide some log examples? Just to see that it really is separate children reading the same queue file... > I will not be very helpfull to debug perl code, but i can provide any > needed logs to help finding the origin of the problem. I'll see what I can do, but... I think this isn't "my" code snippets, but a thing that might have been present for a while... And I have a serious lack of time to spend on this ATM (worse than last time, before Xmas)... So no promises:-). > This is really a serious problem in this particular installation. But i > must say that we have dozens of other servers that are running > mailscanner/postfix, and we are very happy about thems :) Does it help if you DO scan with MS, but skip things at the next level, for example: Scan Messages = yes Use SpamAssassin = no Dangerous Content Scanning = no ... and possibly a few more (do them with a ruleset, of course:-)? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gugafer51 at gmail.com Fri Feb 8 12:04:13 2008 From: gugafer51 at gmail.com (Gustavo FC) Date: Fri Feb 8 12:04:24 2008 Subject: User's notifications. 
In-Reply-To: <47A1DA7E.1060905@ecs.soton.ac.uk> References: <73e0f9580801310558q458594b1p1f3c74bb7c8d6b96@mail.gmail.com> <47A1DA7E.1060905@ecs.soton.ac.uk> Message-ID: <73e0f9580802080404n7e1c6f15md9ac059ce17cbdc7@mail.gmail.com> They receive the content written in MAILSCANNER_HOME/reports/en/stored.content.message.txt. 2008/1/31, Julian Field : > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > But are they receiving notifications about spam or something else? What > does a sample notification say? > > Gustavo FC wrote: > > In my Mailscanner.conf, the "Spam Actions" attribute has only the > > "store" option, but the users receive the notification's emails. > > > > Spam Actions = store > > > > There are any other configuration that I can do? > > > > Gustavo FC > > > > > > Gustavo FC wrote: > > > Hi > > > > > > How can I disable the notifications send to users when theirs email is > > > deleted, stored, etc? > > > > > > > > > Gustavo F.C. > > In your MailScanner.conf you will have this setting with similar > actions. > > # What to do with spam > > # -------------------- > > # notify - Send the recipients a short > > notification that > > # spam addressed to them was not delivered. > > They > > # can then take action to request > > retrieval of > > # the original message if they think it > > was not > > # spam. > > Spam Actions = store deliver notify > > > > Take out the notify. > > Update the same for the other "Actions" sections. > > > > Restart MailScanner > > > > Done! > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.7.0 (Build 1012) > Comment: Use Thunderbird's Enigmail add-on to verify this message > Charset: ISO-8859-1 > > wj8DBQFHodqAEfZZRxQVtlQRAvikAJsElI3er4w2pa+YNGhy9Osx6WQsYQCfdUSb > SsWW++8t8/K23YG0mXA7v74= > =H3fL > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080208/f6f4a014/attachment.html From cotharyus at gmail.com Fri Feb 8 12:20:18 2008 From: cotharyus at gmail.com (Drew) Date: Fri Feb 8 12:20:27 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> Message-ID: <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> Actually, the reason the bayes stuff shows up is because the system hasn't processed any mail, and I haven't put any start dbs there. 
All permissions should be fine, it was one of the first things I checked. Unfortunately, at this time, I've basically ripped this system (which was originally 5.0, and has been upgraded over time to 6.3) down to essentially nothing but a bare install, and reinstalled everything. In the process a few things broke, which I should have fixed soon, in which case if things _still_ don't work, I'll be more than happy to run all tests as postfix and www. Of course, if this doesn't work, I may just nuke this install altogether and go with a fresh install, where I've set all of this software up and gotten it working twice without having to do as much as scratch my head over it. On Feb 8, 2008 5:27 AM, Glenn Steen wrote: > On 08/02/2008, Ugo Bellavance wrote: > > Drew wrote: > > > Glen, > > > Point taken. However it's worked for me before. Does this help any? > > > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > > > /usr/local/etc/MailScanner/bayes/bayes_toks > > > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > > > /usr/local/etc/MailScanner/bayes/bayes_toks > > > > Looks like there is a problem bayes. Permissions? > > > Yes, and it tells us that when run like that (what user?) it doesn't > bomb... So, could you redo the debug run as your postfix user and as > your apache user? > I'm thinking perm problems here:-). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080208/02b24088/attachment.html From glenn.steen at gmail.com Fri Feb 8 12:28:26 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 12:28:37 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> Message-ID: <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> On 08/02/2008, Glenn Steen wrote: > On 07/02/2008, Cedric Devillers wrote: > > Hello, > > > > I'm trying to revive this thread from the last month because we are > > observing the exact same behavior on one of our servers. > Thanks for doing that, and for providing some more info. > > > So to remember the facts : > > > > - We are using mailscanner with postfix, and duplicated messages are > > generated by mailscanner. > > > > - This system is the only one where we are observing this behavior. It > > have a little particularity : it mainly act as a mail relay, but > > sometimes many mails are generated by the server itself (a script) and > > injected in postfix queues via sendmail command. We can always reproduce > > some duplicated messages with this script. > > > > - MailScanner is configured (by ruleset) to bypass scanning for thoses > > messages, but they are still entering the mailscanner logic (postix -> > > hold queue -> mailscanner (no scan) -> active queue). > What does the ruleset look like? I'm sure it doesn't matter, but ... > just out of curiosity:-)... > > > - Mailwatch is running on this server, and for each duplicates we see > > entries with null size body (2, 3, 4, sometimes 5) then at last a final > > entry with the full body. Note that the recipient see the full body on > > every duplicate. 
> > > > It looks like a locking problem, because all duplicates are with the > > same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > > ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > > lock some queue file when message is marked not to be scanned by > > mailscanner ? > Yes, this seems plausible... Could you provide some log examples? Just > to see that it really is separate children reading the same queue > file... > > > > I will not be very helpfull to debug perl code, but i can provide any > > needed logs to help finding the origin of the problem. > I'll see what I can do, but... I think this isn't "my" code snippets, > but a thing that might have been present for a while... And I have a > serious lack of time to spend on this ATM (worse than last time, > before Xmas)... So no promises:-). > > > This is really a serious problem in this particular installation. But i > > must say that we have dozens of other servers that are running > > mailscanner/postfix, and we are very happy about thems :) > Does it help if you DO scan with MS, but skip things at the next > level, for example: > Scan Messages = yes > Use SpamAssassin = no > Dangerous Content Scanning = no > ... and possibly a few more (do them with a ruleset, of course:-)? > BTW, do you have any milters enabled in Postfix? What version of Postfix? 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 12:31:00 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 12:31:12 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> Message-ID: <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com> On 08/02/2008, Drew wrote: > Actually, the reason the bayes stuff shows up is because the system hasn't > processed any mail, and I haven't put any start dbs there. All permissions > should be fine, it was one of the first things I checked. Unfortunately, at > this time, I've basically ripped this system (which was originally 5.0, and > has been upgraded over time to 6.3) down to essentially nothing but a bare > install, and reinstalled everything. In the process a few things broke, > which I should have fixed soon, in which case if things _still_ don't work, > I'll be more than happy to run all tests as postfix and www. Of course, if > this doesn't work, I may just nuke this install altogether and go with a > fresh install, where I've set all of this software up and gotten it working > twice without having to do as much as scratch my head over it. > :-) We'll be here, if you need us. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From v at vladville.com Fri Feb 8 12:32:55 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 12:33:05 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: <47ABC78E.90503@sendit.nodak.edu> References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC78E.90503@sendit.nodak.edu> Message-ID: Richard, You're right - it did hit the cache! I totally missed that. Spam actions are to store, both spam and high scoring spam. But still, it passes it through SA: RBL checks: m18CFjRV010282 found in SBL+XBL Feb 8 07:31:56 MailScanner[16681]: Message m18CFjRV010282 from 220.70.102.23 (volunteereda6@tahitiantreasure.com) to severnsidefabrics.co.uk is spam, SBL+XBL, SpamAssassin (not cached, score= 27.932, required 5, autolearn=disabled, OUTLOOK_3416 1.70, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, RDNS_NONE 0.10, TVD_SPACE_RATIO 2.90, URIBL_AB_SURBL 1.61, URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SBL 2.47, URIBL_SC_SURBL 2.52, URIBL_WS_SURBL 2.10) That one was not cached, same result... 
-Vlad On 2/7/08, Richard Frovarp wrote: > > Vlad Mazek wrote: > > Nope, still gets processed by MailScanner: > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > in SBL+XBL > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > for message m17M9lxS016045 > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > *MailScanner warning: numerical links are often malicious:* > > 75.63.44.11 (ka@creativeholidays.com.au > > ) to rmel.org is > > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > > URIBL_WS_SURBL 2.10) > > > > Notice that it still passes it through SpamAssassin. > > > > I have the the following in my MailScanner.conf: > > > > Spam List = SBL+XBL > > Spam Lists To Be Spam = 1 > > Spam Lists To Reach High Score = 1 > > > > -Vlad > > Actually, that one didn't get passed through SpamAssassin. It hit the > cache. Not sure how that is handled differently. What version of > MailScanner? What are your High Scoring Spam Actions? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080208/fe774a40/attachment.html From v at vladville.com Fri Feb 8 12:33:25 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 12:33:28 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC78E.90503@sendit.nodak.edu> Message-ID: Running MailScanner 4.62.9 -Vlad On 2/8/08, Vlad Mazek wrote: > > Richard, > > You're right - it did hit the cache! I totally missed that. Spam actions > are to store, both spam and high scoring spam. > > But still, it passes it through SA: > > RBL checks: m18CFjRV010282 found in SBL+XBL > Feb 8 07:31:56 MailScanner[16681]: Message m18CFjRV010282 from > 220.70.102.23 (volunteereda6@tahitiantreasure.com) to > severnsidefabrics.co.uk is spam, SBL+XBL, SpamAssassin (not cached, score= > 27.932, required 5, autolearn=disabled, OUTLOOK_3416 1.70, > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK > 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, RDNS_NONE 0.10, > TVD_SPACE_RATIO 2.90, URIBL_AB_SURBL 1.61, URIBL_BLACK 1.96, > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SBL 2.47, URIBL_SC_SURBL > 2.52, URIBL_WS_SURBL 2.10) > > That one was not cached, same result... 
> > -Vlad > > On 2/7/08, Richard Frovarp wrote: > > > > Vlad Mazek wrote: > > > Nope, still gets processed by MailScanner: > > > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > > in SBL+XBL > > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > > for message m17M9lxS016045 > > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > > *MailScanner warning: numerical links are often malicious:* > > > 75.63.44.11 (ka@creativeholidays.com.au > > > ) to rmel.org is > > > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > > > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > > > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > > > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > > > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > > > URIBL_WS_SURBL 2.10) > > > > > > Notice that it still passes it through SpamAssassin. > > > > > > I have the the following in my MailScanner.conf: > > > > > > Spam List = SBL+XBL > > > Spam Lists To Be Spam = 1 > > > Spam Lists To Reach High Score = 1 > > > > > > -Vlad > > > > Actually, that one didn't get passed through SpamAssassin. It hit the > > cache. Not sure how that is handled differently. What version of > > MailScanner? What are your High Scoring Spam Actions? > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > -- > > -Vlad -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080208/73fffe2c/attachment.html From Kit at simplysites.co.uk Fri Feb 8 12:46:09 2008 From: Kit at simplysites.co.uk (Kit Wong) Date: Fri Feb 8 12:46:26 2008 Subject: whitelist TO email addresses sent by users on the server In-Reply-To: <223f97700802070221v6147c180j7c4cb94cfce9d4e4@mail.gmail.com> References: <451c82e38abf4a43b0b038cc758004bd@solidstatelogic.com> <223f97700802070221v6147c180j7c4cb94cfce9d4e4@mail.gmail.com> Message-ID: -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: 07 February 2008 10:22 To: MailScanner discussion Subject: Re: whitelist TO email addresses sent by users on the server On 07/02/2008, Martin.Hepworth wrote: > Kit > > Take a look at the watermarking feature in recent release of MailScanner, this should so the job. Would only work for replies though, unless one does really silly hoops in a CustomFunction. > Whitelisting 'known' addresses can be fraught with danger. > Amen! ------------------------------------- I currently have MailScanner 4.50.15, silly question, what is the easiest way to upgrade to the latest version 4.66. Its on bluequartz centos running sendmail and spamassassin 3.1.9. Is there a guide on using watermarking? Thanks From glenn.steen at gmail.com Fri Feb 8 12:52:38 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 12:52:49 2008 Subject: "Is Definitely Spam" rule not working ? 
In-Reply-To: <47A8A480.3010706@ecs.soton.ac.uk> References: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> <47A8A480.3010706@ecs.soton.ac.uk> Message-ID: <223f97700802080452w3cbc59dfkc6b48ecdc3c1ee98@mail.gmail.com> On 05/02/2008, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 05/02/2008, Pascal Maes wrote: > > > >> Le 05-f?vr.-08 ? 12:31, Glenn Steen a ?crit : > >> > >> > >>> On 05/02/2008, Pascal Maes wrote: > >>> > >>>> Le 05-f?vr.-08 ? 09:45, Glenn Steen a ?crit : > >>>> > >>>> > >>>>> On 05/02/2008, Glenn Steen wrote: > >>>>> > >>>>>> On 05/02/2008, Pascal Maes wrote: > >>>>>> > >>>>> (snip) > >>>>> > >>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner > >>>>>>> takes it and puts it back into the Postfix queue. > >>>>>>> > >>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP > >>>>>>> address otherwise why is the "Is Definitely Not Spam" rule > >>>>>>> working : > >>>>>>> > >>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message > >>>>>>> E8686E9102.A7655 > >>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org > >>>>>>> ) is whitelisted > >>>>>>> > >>>>>>> > >>>>>>> Regards > >>>>>>> > >>>>>> Anything happening to the message _after_ MailScaner doesn't hjave > >>>>>> any > >>>>>> impact on your problem... What happens before though... You have to > >>>>>> make sure that your SA trust_path is OK, and all should be well. > >>>>>> Why > >>>>>> do you use the ClamSMTP thing at all? > >>>>>> > >>>>>> Cheers > >>>>>> > >>>>> Oh, sorry, not an sa issue... 
Still, yhe last client to handle > >>>>> this is > >>>>> the clamsmtp thing, which might just be the problem. > >>>>> Again, why do you use that? Theoretically MailScanner (through the > >>>>> batching, and using either clamavmodule or clamd) should be more > >>>>> efficient and less likely to be able to be DoS'd... That > >>>>> "not-really-part-of-SMTP-flow insulation" is ... golden. > >>>>> > >>>>> Cheers > >>>>> -- > >>>>> -- Glenn > >>>>> email: glenn < dot > steen < at > gmail < dot > com > >>>>> work: glenn < dot > steen < at > ap1 < dot > se > >>>>> > >>>> One advantage of using ClamSMTP is the reject of the worm at the > >>>> connection time. > >>>> As we receive a lot of mail per day, it's not negligible. > >>>> > >>> No, but then neither is the resource drain;-). > >>> > >>> > >>>> As MailScanner is using McAffe, we have two different AV to check the > >>>> messages. > >>>> > >>> Prudent, but did you look at processing times etc for the "all MS" > >>> case? > >>> Sure, the real killer is likely SA, and the ClamSMTP thing will > >>> avoid that... > >>> I wonder if the clamav milter would be a "nicer" solution, avoiding > >>> your current problem... > >>> > >>> Cheers > >>> -- > >>> -- Glenn > >>> email: glenn < dot > steen < at > gmail < dot > com > >>> work: glenn < dot > steen < at > ap1 < dot > se > >>> -- > >>> > >> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see > >> what happens. > >> All the clientip are 127.0.0.1 :-( > >> > >> Whitelisting is working because the check is done on the From address > >> and not on the client IP. > >> The blacklisting, in that case doesn't work because it's an IP address. > >> > >> So, we can't use before-filter with Postifx and MailScanner and hope > >> that the white or black listing will work with IP addresses even we > >> use the smtpd_authorized_xforward_hosts. > >> > >> Is that right ? > >> > > > > Yes, AFAICS. 
Unless we ask Jules nicely to facilitate "disregarding" > > loopback when determining the ip... Perhaps a bit like SA does it > > (with the trust thing). > > > I can't do that. MailScanner directly reads the IP address of the TCP/IP > connection source, it doesn't involve looking at the headers of the > message at all. > > > >> If yes, what's the use of smtpd_authorized_xforward_hosts (to be > >> posted on the postfix list also) ? > >> > > Good question. Perhaps one (Jules) could use that...:). > > BTW, wear your asbetos underwear when telling the pf-list your > > problem... they seriously dislike MS... still...:(. > > > Don't expect to get anything useful from the Postfix list about MailScanner. > > Jules > Um, Jules... What about the clientip read from Received line in Postfix.pm (ReadQf, the third loop... If I counted things right...:-)? Isn't that what you use, and where one could possibly ... munge it? A bit like the BarricadeMX fixup, to get at the real sending server IP? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 13:15:42 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 13:18:10 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> Message-ID: <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> On 08/02/2008, Glenn Steen wrote: > On 08/02/2008, Glenn Steen wrote: > > On 07/02/2008, Cedric Devillers wrote: > > > Hello, > > > > > > I'm trying to revive this thread from the last month because we are > > > observing the exact same behavior on one of our servers. > > Thanks for doing that, and for providing some more info. 
> > > > > So to remember the facts : > > > > > > - We are using mailscanner with postfix, and duplicated messages are > > > generated by mailscanner. > > > > > > - This system is the only one where we are observing this behavior. It > > > have a little particularity : it mainly act as a mail relay, but > > > sometimes many mails are generated by the server itself (a script) and > > > injected in postfix queues via sendmail command. We can always reproduce > > > some duplicated messages with this script. > > > > > > - MailScanner is configured (by ruleset) to bypass scanning for thoses > > > messages, but they are still entering the mailscanner logic (postix -> > > > hold queue -> mailscanner (no scan) -> active queue). > > What does the ruleset look like? I'm sure it doesn't matter, but ... > > just out of curiosity:-)... > > > > > - Mailwatch is running on this server, and for each duplicates we see > > > entries with null size body (2, 3, 4, sometimes 5) then at last a final > > > entry with the full body. Note that the recipient see the full body on > > > every duplicate. > > > > > > It looks like a locking problem, because all duplicates are with the > > > same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > > > ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > > > lock some queue file when message is marked not to be scanned by > > > mailscanner ? > > Yes, this seems plausible... Could you provide some log examples? Just > > to see that it really is separate children reading the same queue > > file... > > > > > > > I will not be very helpfull to debug perl code, but i can provide any > > > needed logs to help finding the origin of the problem. > > I'll see what I can do, but... I think this isn't "my" code snippets, > > but a thing that might have been present for a while... And I have a > > serious lack of time to spend on this ATM (worse than last time, > > before Xmas)... So no promises:-). 
> > > > > This is really a serious problem in this particular installation. But i > > > must say that we have dozens of other servers that are running > > > mailscanner/postfix, and we are very happy about thems :) > > Does it help if you DO scan with MS, but skip things at the next > > level, for example: > > Scan Messages = yes > > Use SpamAssassin = no > > Dangerous Content Scanning = no > > ... and possibly a few more (do them with a ruleset, of course:-)? > > > > BTW, do you have any milters enabled in Postfix? What version of Postfix? > > Cheers I think we need Jules on this one, not only feeble lil' me:-). AFAICS, the locking/unlocking is handled _exactly_ the same regardless of the scanmail setting... But then, this is a rather complex bit of code, where the "execution path" isn't always as straightforward as it seems... Jules, could you spare a moment or two? Just to look at what could possibly be wrong with the message->scanmail = 0 scenario? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:23:32 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 8 16:23:57 2008 Subject: MS/Solaris installation buglets In-Reply-To: References: Message-ID: <47AC8204.2070206@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Lee wrote: > Julian: to report a couple of Solaris MS (4.66.5) installation buglets. > > 1. MakeMaker requires a release of File::Spec which may be more recent > than that native in the OS. You already distribute a good File::Spec. > > Solution: Re-order the installation to do File::Spec before MakeMaker. > (Tested: it works.) > Done. Will be in the next release. > 2. MakeMaker build reports "Can't locate Pod/Man.pm in @INC...". Might > these need something like "Pod::Man" adding to the list of modules you > distribute? > This is a bigger problem. 
They don't distribute Pod::Man as a standalone module unfortunately. Is it vital?
>
> There may be more waiting for later, but I'm suspending work on this
> attempted installation at present so we can decide the best approach.
>
> I'd be happy to try to beta-test things for you.
>
>
> Best wishes.
>
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHrIIFEfZZRxQVtlQRApJjAKCaJcg8MIU9ctlE/PyS6YlY6pxnjgCeO7HX
XUvTVTggGV+O9pdg+fcQU5s=
=Odyj
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:46:18 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 8 16:46:54 2008
Subject: Definite Fraud?
In-Reply-To:
References: <47AA1531.4040205@sequestered.net>
Message-ID: <47AC875A.2080700@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Nienberg wrote:
> Jay Chandler wrote:
>> I'm sure this has been rehashed before, but...
>>
>>
>> *MailScanner has detected definite fraud in the website at
>> "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah
>>
>>
>>
>> Obviously it's detecting the 301 redirect, but that doesn't
>> necessarily bespeak fraud. There are a lot of non-fraudulent things
>> that it could be, ranging from shock pictures to Rick Rolls to
>> incredibly long URLs.
>>
>> Has anyone discussed changing the wording here?
>>
>
> The wording is correct. This is the message that is displayed when a
> url is found in the list /etc/MailScanner/phishing.bad.sites.conf.
>
> These are known phishing sites. This is different from the case where
> a link target and text do not match, which is described as a
> "possible" fraud.
>
> That said, it is a little strange that tinyurl.com is listed in
> phishing.bad.sites.conf, but it is.

It was on there as the url tinyurl.com/2n8vml was reported. To avoid URL
obfuscation working, it blacklists the entire site. The report should
have been for the target of that redirector, not the innocent redirector
itself.

I have removed tinyurl.com from the blacklist. Your site should update
in the next hour or so.
>
> Mark
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHrIdbEfZZRxQVtlQRApTiAJsHrBW2ir22q29wo/I9xcruPxu7PACeL8pn
Q6+LW/YBqynf9GmiQvoHDq8=
=6X/W
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:47:42 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 8 16:48:16 2008
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC7CD.5000505@sendit.nodak.edu>
Message-ID: <47AC87AE.6010608@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

But if you set
Check SpamAssassin If On Spam List = no
then it won't.
Vlad Mazek wrote: > Tried that earlier today, no difference in behavior. MailScanner finds > it on SBL+XBL but proceeds to put it through SA anyhow. > > -Vlad > > On 2/7/08, *Richard Frovarp* > wrote: > > Vlad Mazek wrote: > > Nope, still gets processed by MailScanner: > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > in SBL+XBL > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > for message m17M9lxS016045 > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > *MailScanner warning: numerical links are often malicious:* > > *MailScanner warning: numerical links are often malicious:* > 75.63.44.11 <*MailScanner warning: numerical > links are often malicious:* http://75.63.44.11> > (ka@creativeholidays.com.au > > >) to rmel.org > is > > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > > URIBL_WS_SURBL 2.10) > > > > Notice that it still passes it through SpamAssassin. > > > > I have the the following in my MailScanner.conf: > > > > Spam List = SBL+XBL > > Spam Lists To Be Spam = 1 > > Spam Lists To Reach High Score = 1 > > > > -Vlad > > Try: > Spam Lists To Be Spam = 0 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHrIevEfZZRxQVtlQRAkGAAKCwtIDJuD1qHBvOlsb0D3/TXrGS6wCg71HZ gELMIsocgaML5GkIpJQSOpo= =A8af -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:54:29 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 8 16:54:59 2008 Subject: "Is Definitely Spam" rule not working ? In-Reply-To: <223f97700802080452w3cbc59dfkc6b48ecdc3c1ee98@mail.gmail.com> References: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> <47A8A480.3010706@ecs.soton.ac.uk> <223f97700802080452w3cbc59dfkc6b48ecdc3c1ee98@mail.gmail.com> Message-ID: <47AC8945.3070803@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 05/02/2008, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Glenn Steen wrote: >> >>> On 05/02/2008, Pascal Maes wrote: >>> >>> >>>> Le 05-f?vr.-08 ? 12:31, Glenn Steen a ?crit : >>>> >>>> >>>> >>>>> On 05/02/2008, Pascal Maes wrote: >>>>> >>>>> >>>>>> Le 05-f?vr.-08 ? 
09:45, Glenn Steen a ?crit : >>>>>> >>>>>> >>>>>> >>>>>>> On 05/02/2008, Glenn Steen wrote: >>>>>>> >>>>>>> >>>>>>>> On 05/02/2008, Pascal Maes wrote: >>>>>>>> >>>>>>>> >>>>>>> (snip) >>>>>>> >>>>>>> >>>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner >>>>>>>>> takes it and puts it back into the Postfix queue. >>>>>>>>> >>>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP >>>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule >>>>>>>>> working : >>>>>>>>> >>>>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message >>>>>>>>> E8686E9102.A7655 >>>>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org >>>>>>>>> ) is whitelisted >>>>>>>>> >>>>>>>>> >>>>>>>>> Regards >>>>>>>>> >>>>>>>>> >>>>>>>> Anything happening to the message _after_ MailScaner doesn't hjave >>>>>>>> any >>>>>>>> impact on your problem... What happens before though... You have to >>>>>>>> make sure that your SA trust_path is OK, and all should be well. >>>>>>>> Why >>>>>>>> do you use the ClamSMTP thing at all? >>>>>>>> >>>>>>>> Cheers >>>>>>>> >>>>>>>> >>>>>>> Oh, sorry, not an sa issue... Still, yhe last client to handle >>>>>>> this is >>>>>>> the clamsmtp thing, which might just be the problem. >>>>>>> Again, why do you use that? Theoretically MailScanner (through the >>>>>>> batching, and using either clamavmodule or clamd) should be more >>>>>>> efficient and less likely to be able to be DoS'd... That >>>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden. >>>>>>> >>>>>>> Cheers >>>>>>> -- >>>>>>> -- Glenn >>>>>>> email: glenn < dot > steen < at > gmail < dot > com >>>>>>> work: glenn < dot > steen < at > ap1 < dot > se >>>>>>> >>>>>>> >>>>>> One advantage of using ClamSMTP is the reject of the worm at the >>>>>> connection time. >>>>>> As we receive a lot of mail per day, it's not negligible. >>>>>> >>>>>> >>>>> No, but then neither is the resource drain;-). 
>>>>> >>>>> >>>>> >>>>>> As MailScanner is using McAffe, we have two different AV to check the >>>>>> messages. >>>>>> >>>>>> >>>>> Prudent, but did you look at processing times etc for the "all MS" >>>>> case? >>>>> Sure, the real killer is likely SA, and the ClamSMTP thing will >>>>> avoid that... >>>>> I wonder if the clamav milter would be a "nicer" solution, avoiding >>>>> your current problem... >>>>> >>>>> Cheers >>>>> -- >>>>> -- Glenn >>>>> email: glenn < dot > steen < at > gmail < dot > com >>>>> work: glenn < dot > steen < at > ap1 < dot > se >>>>> -- >>>>> >>>>> >>>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see >>>> what happens. >>>> All the clientip are 127.0.0.1 :-( >>>> >>>> Whitelisting is working because the check is done on the From address >>>> and not on the client IP. >>>> The blacklisting, in that case doesn't work because it's an IP address. >>>> >>>> So, we can't use before-filter with Postifx and MailScanner and hope >>>> that the white or black listing will work with IP addresses even we >>>> use the smtpd_authorized_xforward_hosts. >>>> >>>> Is that right ? >>>> >>>> >>> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding" >>> loopback when determining the ip... Perhaps a bit like SA does it >>> (with the trust thing). >>> >>> >> I can't do that. MailScanner directly reads the IP address of the TCP/IP >> connection source, it doesn't involve looking at the headers of the >> message at all. >> >>>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be >>>> posted on the postfix list also) ? >>>> >>>> >>> Good question. Perhaps one (Jules) could use that...:). >>> BTW, wear your asbetos underwear when telling the pf-list your >>> problem... they seriously dislike MS... still...:(. >>> >>> >> Don't expect to get anything useful from the Postfix list about MailScanner. >> >> Jules >> >> > Um, Jules... 
What about the clientip read from Received line in
> Postfix.pm (ReadQf, the third loop... If I counted things right...:-)?
> Isn't that what you use, and where one could possibly ... munge it? A
> bit like the BarricadeMX fixup, to get at the real sending server IP?
>

Are you talking about this bit of code? If it's 127.0.0.1 then I could
choose to ignore it and pick up the next one. What's the IPv6 equivalent
address that I'll see in the header?

    if (!$IPFound && $recdata =~ /^Received: .+\[(\d+\.\d+\.\d+\.\d+)\]/i) {
      $message->{clientip} = $1;
      $IPFound = 1;
    } elsif (!$IPFound && $recdata =~ /^Received: .+\[([\dabcdef.:]+)\]/i) {
      # It is an IPv6 address
      $message->{clientip} = $1;
      $IPFound = 1;
    } elsif (!$IPFound && $recdata =~ /^Received: .+\(Postfix/i) {
      $message->{clientip} = '127.0.0.1'; #spoof local sender from localhost
      $IPFound = 1;
    }

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHrIlGEfZZRxQVtlQRAqXiAJ9Hwn7x7WVfAkB/7TWQVRXJr5Fm8ACgjpfO
/YYfdNJQNewkuRMVjJNrP7c=
=g/Ew
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
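Added example, not part of the original post and not MailScanner's own code: one way to implement the "ignore 127.0.0.1 and pick up the next one" idea discussed above, so that IP-based rulesets see the real peer when a local before-queue filter re-injects mail over loopback. The function names client_ip and is_loopback and all hostnames and addresses are constructed for illustration; the optional "IPv6:" prefix is handled because Postfix writes IPv6 peers as [IPv6:addr] in Received headers.

```perl
#!/usr/bin/perl
# Added example (hypothetical helper, not MailScanner code): choose the
# client IP from Received: headers, skipping loopback hops that a local
# before-queue content filter adds when it re-injects the message.
use strict;
use warnings;

# True for IPv4 127.0.0.0/8, IPv6 ::1 (compressed or fully written out)
# and the IPv4-mapped form ::ffff:127.x.y.z.
sub is_loopback {
    my ($ip) = @_;
    $ip = lc $ip;
    return 1 if $ip =~ /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
    return 1 if $ip eq '::1' || $ip =~ /^(?:0{1,4}:){7}0{0,3}1$/;
    return 1 if $ip =~ /^::ffff:127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
    return 0;
}

# Headers are passed newest first, the order they appear in the message.
# Returns the first non-loopback peer address recorded by our own MTA.
sub client_ip {
    my (@received) = @_;
    for my $hdr (@received) {
        next unless $hdr =~ /^Received:/i;
        # Local submission ("by host (Postfix, from userid N)") has no
        # network peer: report localhost, as the posted snippet does.
        return '127.0.0.1'
            if $hdr !~ /^Received:\s+from\s/i && $hdr =~ /\(Postfix/i;
        # First bracketed address literal in the header (folded lines
        # included, hence /s); the "IPv6:" prefix is optional.
        next unless $hdr =~ /^Received:\s+from\s.*?\[(?:IPv6:)?([0-9a-f.:]+)\]/is;
        my $ip = $1;
        next if is_loopback($ip);  # hop through our own filter, keep looking
        return $ip;                # stop here: older headers are sender-supplied
    }
    return '127.0.0.1';            # nothing but local hops were found
}

# Constructed sample headers: [ label, expected result, headers newest first ].
my @cases = (
    [ 'IPv4 via local filter', '192.0.2.38', [
        "Received: from mx.example.org (localhost [127.0.0.1])\n\tby mx.example.org (Postfix) with ESMTP id 0A1B2C3D4E",
        "Received: from sender.example.net (unknown [192.0.2.38])\n\tby mx.example.org (Postfix) with ESMTP",
        "Received: from forged.example (forged.example [203.0.113.9])\n\tby sender.example.net with SMTP",
    ] ],
    [ 'IPv6 via local filter', '2001:db8::25', [
        "Received: from mx.example.org (localhost [IPv6:::1])\n\tby mx.example.org (Postfix) with ESMTP id 1F2E3D4C5B",
        "Received: from sender.example.net (sender.example.net [IPv6:2001:db8::25])\n\tby mx.example.org (Postfix) with ESMTP",
    ] ],
    [ 'local sendmail submission', '127.0.0.1', [
        "Received: by mx.example.org (Postfix, from userid 1000)\n\tid 5A6B7C8D9E",
    ] ],
);

for my $c (@cases) {
    my ($label, $want, $hdrs) = @$c;
    my $got = client_ip(@$hdrs);
    die "$label: got $got, wanted $want\n" unless $got eq $want;
    print "$label: client IP $got\n";
}
```

The walk stops at the first non-loopback address on purpose: that header was written by the receiving MTA from the actual TCP connection, while everything older is supplied by the sender and must not feed a blacklist or whitelist decision.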
From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:56:18 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 8 16:56:47 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> Message-ID: <47AC89B2.80906@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 08/02/2008, Glenn Steen wrote: > >> On 08/02/2008, Glenn Steen wrote: >> >>> On 07/02/2008, Cedric Devillers wrote: >>> >>>> Hello, >>>> >>>> I'm trying to revive this thread from the last month because we are >>>> observing the exact same behavior on one of our servers. >>>> >>> Thanks for doing that, and for providing some more info. >>> >>> >>>> So to remember the facts : >>>> >>>> - We are using mailscanner with postfix, and duplicated messages are >>>> generated by mailscanner. >>>> >>>> - This system is the only one where we are observing this behavior. It >>>> have a little particularity : it mainly act as a mail relay, but >>>> sometimes many mails are generated by the server itself (a script) and >>>> injected in postfix queues via sendmail command. We can always reproduce >>>> some duplicated messages with this script. >>>> >>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses >>>> messages, but they are still entering the mailscanner logic (postix -> >>>> hold queue -> mailscanner (no scan) -> active queue). >>>> >>> What does the ruleset look like? I'm sure it doesn't matter, but ... >>> just out of curiosity:-)... >>> >>> >>>> - Mailwatch is running on this server, and for each duplicates we see >>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final >>>> entry with the full body. 
Note that the recipient see the full body on >>>> every duplicate. >>>> >>>> It looks like a locking problem, because all duplicates are with the >>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, >>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to >>>> lock some queue file when message is marked not to be scanned by >>>> mailscanner ? >>>> >>> Yes, this seems plausible... Could you provide some log examples? Just >>> to see that it really is separate children reading the same queue >>> file... >>> >>> >>> >>>> I will not be very helpfull to debug perl code, but i can provide any >>>> needed logs to help finding the origin of the problem. >>>> >>> I'll see what I can do, but... I think this isn't "my" code snippets, >>> but a thing that might have been present for a while... And I have a >>> serious lack of time to spend on this ATM (worse than last time, >>> before Xmas)... So no promises:-). >>> >>> >>>> This is really a serious problem in this particular installation. But i >>>> must say that we have dozens of other servers that are running >>>> mailscanner/postfix, and we are very happy about thems :) >>>> >>> Does it help if you DO scan with MS, but skip things at the next >>> level, for example: >>> Scan Messages = yes >>> Use SpamAssassin = no >>> Dangerous Content Scanning = no >>> ... and possibly a few more (do them with a ruleset, of course:-)? >>> >>> >> BTW, do you have any milters enabled in Postfix? What version of Postfix? >> >> Cheers >> > > I think we need Jules on this one, not only feeble lil' me:-). > AFAICS, the locking/unlocking is handled _exactly_ the same regardless > of the scanmail setting... But then, this is a rather complex bit of > code, where the "execution path" isn't always as straightforward as it > seems... Jules, could you spare a moment or two? Just to look at what > could possibly be wrong with the message->scanmail = 0 scenario? 
>
>
Can you *briefly* explain what the problem is, what the symptoms are and
where you think the problem might lie? This is a very long thread.... :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From glenn.steen at gmail.com Fri Feb 8 18:51:09 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 18:51:21 2008 Subject: "Is Definitely Spam" rule not working ? In-Reply-To: <47AC8945.3070803@ecs.soton.ac.uk> References: <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> <47A8A480.3010706@ecs.soton.ac.uk> <223f97700802080452w3cbc59dfkc6b48ecdc3c1ee98@mail.gmail.com> <47AC8945.3070803@ecs.soton.ac.uk> Message-ID: <223f97700802081051o201bcff3teeda59c815221842@mail.gmail.com>

On 08/02/2008, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 05/02/2008, Julian Field wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> > >> > >> Glenn Steen wrote: > >> > >>> On 05/02/2008, Pascal Maes wrote: > >>> > >>> > >>>> On 05-Feb-08 at 12:31, Glenn Steen wrote: > >>>> > >>>> > >>>> > >>>>> On 05/02/2008, Pascal Maes wrote: > >>>>> > >>>>> > >>>>>> On 05-Feb-08 at 09:45, Glenn Steen wrote: > >>>>>> > >>>>>> > >>>>>> > >>>>>>> On 05/02/2008, Glenn Steen wrote: > >>>>>>> > >>>>>>> > >>>>>>>> On 05/02/2008, Pascal Maes wrote: > >>>>>>>> > >>>>>>>> > >>>>>>> (snip) > >>>>>>> > >>>>>>> > >>>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner > >>>>>>>>> takes it and puts it back into the Postfix queue. > >>>>>>>>> > >>>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP > >>>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule > >>>>>>>>> working : > >>>>>>>>> > >>>>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message > >>>>>>>>> E8686E9102.A7655 > >>>>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org > >>>>>>>>> ) is whitelisted > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> Regards > >>>>>>>>> > >>>>>>>>> > >>>>>>>> Anything happening to the message _after_ MailScanner doesn't have > >>>>>>>> any > >>>>>>>> impact on your problem... What happens before though... You have to > >>>>>>>> make sure that your SA trust_path is OK, and all should be well. > >>>>>>>> Why > >>>>>>>> do you use the ClamSMTP thing at all? > >>>>>>>> > >>>>>>>> Cheers > >>>>>>>> > >>>>>>>> > >>>>>>> Oh, sorry, not an sa issue... Still, the last client to handle > >>>>>>> this is > >>>>>>> the clamsmtp thing, which might just be the problem. > >>>>>>> Again, why do you use that? Theoretically MailScanner (through the > >>>>>>> batching, and using either clamavmodule or clamd) should be more > >>>>>>> efficient and less likely to be able to be DoS'd... That > >>>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
> >>>>>>> > >>>>>>> Cheers > >>>>>>> -- > >>>>>>> -- Glenn > >>>>>>> email: glenn < dot > steen < at > gmail < dot > com > >>>>>>> work: glenn < dot > steen < at > ap1 < dot > se > >>>>>>> > >>>>>>> > >>>>>> One advantage of using ClamSMTP is the reject of the worm at the > >>>>>> connection time. > >>>>>> As we receive a lot of mail per day, it's not negligible. > >>>>>> > >>>>>> > >>>>> No, but then neither is the resource drain;-). > >>>>> > >>>>> > >>>>> > >>>>>> As MailScanner is using McAffe, we have two different AV to check the > >>>>>> messages. > >>>>>> > >>>>>> > >>>>> Prudent, but did you look at processing times etc for the "all MS" > >>>>> case? > >>>>> Sure, the real killer is likely SA, and the ClamSMTP thing will > >>>>> avoid that... > >>>>> I wonder if the clamav milter would be a "nicer" solution, avoiding > >>>>> your current problem... > >>>>> > >>>>> Cheers > >>>>> -- > >>>>> -- Glenn > >>>>> email: glenn < dot > steen < at > gmail < dot > com > >>>>> work: glenn < dot > steen < at > ap1 < dot > se > >>>>> -- > >>>>> > >>>>> > >>>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see > >>>> what happens. > >>>> All the clientip are 127.0.0.1 :-( > >>>> > >>>> Whitelisting is working because the check is done on the From address > >>>> and not on the client IP. > >>>> The blacklisting, in that case doesn't work because it's an IP address. > >>>> > >>>> So, we can't use before-filter with Postifx and MailScanner and hope > >>>> that the white or black listing will work with IP addresses even we > >>>> use the smtpd_authorized_xforward_hosts. > >>>> > >>>> Is that right ? > >>>> > >>>> > >>> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding" > >>> loopback when determining the ip... Perhaps a bit like SA does it > >>> (with the trust thing). > >>> > >>> > >> I can't do that. 
MailScanner directly reads the IP address of the TCP/IP > >> connection source, it doesn't involve looking at the headers of the > >> message at all. > >> > >>>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be > >>>> posted on the postfix list also) ? > >>>> > >>>> > >>> Good question. Perhaps one (Jules) could use that...:). > >>> BTW, wear your asbetos underwear when telling the pf-list your > >>> problem... they seriously dislike MS... still...:(. > >>> > >>> > >> Don't expect to get anything useful from the Postfix list about MailScanner. > >> > >> Jules > >> > >> > > Um, Jules... What about the clientip read from Received line in > > Postfix.pm (ReadQf, the third loop... If I counted things right...:-)? > > Isn't that what you use, and where one could possibly ... munge it? A > > bit like the BarricadeMX fixup, to get at the real sending server IP? > > > Are you talking about this bit of code? > If it's 127.0.0.1 then I could choose to ignore it and pick up the next > one. What's the IPv6 equivalent address that I'll see in the header? > > if (!$IPFound && $recdata =~ /^Received: > .+\[(\d+\.\d+\.\d+\.\d+)\]/i) { > $message->{clientip} = $1; > $IPFound = 1; > } elsif (!$IPFound && $recdata =~ /^Received: > .+\[([\dabcdef.:]+)\]/i) { > # It is an IPv6 address > $message->{clientip} = $1; > $IPFound = 1; > } elsif (!$IPFound && > $recdata =~ /^Received: .+\(Postfix/i) { > $message->{clientip} = '127.0.0.1'; #spoof local sender from > localhost > $IPFound = 1; > } Yep, that it is.... IPv6 would be something like :::FFF.... wouldn't it:-). Sorry, I'm slightly tipsy (Champagne, no less!) after a hellish week. Head not screwed on rightly:-) I'd think this'd best be a settable thing (remove or not), since we can' do the same type of blanket assumptions as you can with BarricadeMX (that it is a "SMTP pre.filer" adding the line... or can we?)... 
> Jules > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 19:02:23 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 19:02:37 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <47AC89B2.80906@ecs.soton.ac.uk> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> Message-ID: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> On 08/02/2008, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 08/02/2008, Glenn Steen wrote: > > > >> On 08/02/2008, Glenn Steen wrote: > >> > >>> On 07/02/2008, Cedric Devillers wrote: > >>> > >>>> Hello, > >>>> > >>>> I'm trying to revive this thread from the last month because we are > >>>> observing the exact same behavior on one of our servers. > >>>> > >>> Thanks for doing that, and for providing some more info. > >>> > >>> > >>>> So to remember the facts : > >>>> > >>>> - We are using mailscanner with postfix, and duplicated messages are > >>>> generated by mailscanner. > >>>> > >>>> - This system is the only one where we are observing this behavior. It > >>>> have a little particularity : it mainly act as a mail relay, but > >>>> sometimes many mails are generated by the server itself (a script) and > >>>> injected in postfix queues via sendmail command. We can always reproduce > >>>> some duplicated messages with this script. > >>>> > >>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses > >>>> messages, but they are still entering the mailscanner logic (postix -> > >>>> hold queue -> mailscanner (no scan) -> active queue). > >>>> > >>> What does the ruleset look like? I'm sure it doesn't matter, but ... 
> >>> just out of curiosity:-)... > >>> > >>> > >>>> - Mailwatch is running on this server, and for each duplicates we see > >>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final > >>>> entry with the full body. Note that the recipient see the full body on > >>>> every duplicate. > >>>> > >>>> It looks like a locking problem, because all duplicates are with the > >>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > >>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > >>>> lock some queue file when message is marked not to be scanned by > >>>> mailscanner ? > >>>> > >>> Yes, this seems plausible... Could you provide some log examples? Just > >>> to see that it really is separate children reading the same queue > >>> file... > >>> > >>> > >>> > >>>> I will not be very helpfull to debug perl code, but i can provide any > >>>> needed logs to help finding the origin of the problem. > >>>> > >>> I'll see what I can do, but... I think this isn't "my" code snippets, > >>> but a thing that might have been present for a while... And I have a > >>> serious lack of time to spend on this ATM (worse than last time, > >>> before Xmas)... So no promises:-). > >>> > >>> > >>>> This is really a serious problem in this particular installation. But i > >>>> must say that we have dozens of other servers that are running > >>>> mailscanner/postfix, and we are very happy about thems :) > >>>> > >>> Does it help if you DO scan with MS, but skip things at the next > >>> level, for example: > >>> Scan Messages = yes > >>> Use SpamAssassin = no > >>> Dangerous Content Scanning = no > >>> ... and possibly a few more (do them with a ruleset, of course:-)? > >>> > >>> > >> BTW, do you have any milters enabled in Postfix? What version of Postfix? > >> > >> Cheers > >> > > > > I think we need Jules on this one, not only feeble lil' me:-). 
> > AFAICS, the locking/unlocking is handled _exactly_ the same regardless > > of the scanmail setting... But then, this is a rather complex bit of > > code, where the "execution path" isn't always as straightforward as it > > seems... Jules, could you spare a moment or two? Just to look at what > > could possibly be wrong with the message->scanmail = 0 scenario? > > > > > Can you *briefly* explain what the problem is, what the symptoms are and > where you think the problem might lie? This is a very long thread.... :-) > > Jules > In short: When using Postfix and setting Scan Messages = no (with a rulset, for some....), duplicates are "generated" by several MailScanner children picking up and delivering the same message. It seems to be something to do with timing, since not all generate this behavior, but rather under heavy load (as in situations where some form of mailing list or bulk mailer (presumably a legit newsletter) send large amounts of messages at once). Indications (so far) that it really is several children is that the log entries (the few we've seen) have been during the same few seconds, the "base queue ID" is the same, the entropy bits have differed, as has the PIDs. So far we've only seen reports of this for Postfix, which is why I've looked through my changes for p record handling (again)... AFAICS, those couldn't possibly have anything to do with this, since they behave exactly the same regardless of whether scanmail is set to 1 or 0... Which would lead to duplicates in the normal case too, if that was at the heart of it. 
Hope that was short enough...:-) Cheers (yeah, still tipsy...:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Fri Feb 8 19:07:04 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 8 19:08:33 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> Message-ID: <22654565.7331202497624061.JavaMail.root@office.splatnix.net> No looking at code Glenn while drinking ;) You will end up seeing duplicate messages. If I have chance over the weekend will take a look at the code aswell. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Glenn Steen" wrote: > On 08/02/2008, Julian Field wrote: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at nkpanama.com Fri Feb 8 19:37:51 2008 From: alex at nkpanama.com (Alex Neuman) Date: Fri Feb 8 19:38:30 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> Message-ID: On Feb 8, 2008, at 2:02 PM, Glenn Steen wrote: > When using Postfix and setting Scan Messages = no (with a rulset, for > some....), duplicates are "generated" by several MailScanner children > picking up and delivering the same message. 
It seems to be something > to do with timing, since not all generate this behavior, but rather > under heavy load (as in situations where some form of mailing list or > bulk mailer (presumably a legit newsletter) send large amounts of > messages at once). Could you reproduce the opposite of this behaviour by using "max children = 0"? From cde at alunys.com Fri Feb 8 19:40:53 2008 From: cde at alunys.com (Cedric Devillers) Date: Fri Feb 8 19:42:06 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <47AC89B2.80906@ecs.soton.ac.uk> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> Message-ID: <47ACB045.4090504@alunys.com> Julian Field wrote: > > > Glenn Steen wrote: >> On 08/02/2008, Glenn Steen wrote: > >>> On 08/02/2008, Glenn Steen wrote: >>> >>>> On 07/02/2008, Cedric Devillers wrote: >>>> >>>>> Hello, >>>>> >>>>> I'm trying to revive this thread from the last month because we are >>>>> observing the exact same behavior on one of our servers. >>>>> >>>> Thanks for doing that, and for providing some more info. >>>> >>>> >>>>> So to remember the facts : >>>>> >>>>> - We are using mailscanner with postfix, and duplicated messages are >>>>> generated by mailscanner. >>>>> >>>>> - This system is the only one where we are observing this behavior. It >>>>> have a little particularity : it mainly act as a mail relay, but >>>>> sometimes many mails are generated by the server itself (a script) and >>>>> injected in postfix queues via sendmail command. We can always reproduce >>>>> some duplicated messages with this script. >>>>> >>>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses >>>>> messages, but they are still entering the mailscanner logic (postix -> >>>>> hold queue -> mailscanner (no scan) -> active queue). 
>>>>> >>>> What does the ruleset look like? I'm sure it doesn't matter, but ... >>>> just out of curiosity:-)... >>>> >>>> >>>>> - Mailwatch is running on this server, and for each duplicates we see >>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final >>>>> entry with the full body. Note that the recipient see the full body on >>>>> every duplicate. >>>>> >>>>> It looks like a locking problem, because all duplicates are with the >>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, >>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to >>>>> lock some queue file when message is marked not to be scanned by >>>>> mailscanner ? >>>>> >>>> Yes, this seems plausible... Could you provide some log examples? Just >>>> to see that it really is separate children reading the same queue >>>> file... >>>> >>>> >>>> >>>>> I will not be very helpfull to debug perl code, but i can provide any >>>>> needed logs to help finding the origin of the problem. >>>>> >>>> I'll see what I can do, but... I think this isn't "my" code snippets, >>>> but a thing that might have been present for a while... And I have a >>>> serious lack of time to spend on this ATM (worse than last time, >>>> before Xmas)... So no promises:-). >>>> >>>> >>>>> This is really a serious problem in this particular installation. But i >>>>> must say that we have dozens of other servers that are running >>>>> mailscanner/postfix, and we are very happy about thems :) >>>>> >>>> Does it help if you DO scan with MS, but skip things at the next >>>> level, for example: >>>> Scan Messages = yes >>>> Use SpamAssassin = no >>>> Dangerous Content Scanning = no >>>> ... and possibly a few more (do them with a ruleset, of course:-)? >>>> >>>> >>> BTW, do you have any milters enabled in Postfix? What version of Postfix? >>> >>> Cheers >>> >> I think we need Jules on this one, not only feeble lil' me:-). 
>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless >> of the scanmail setting... But then, this is a rather complex bit of >> code, where the "execution path" isn't always as straightforward as it >> seems... Jules, could you spare a moment or two? Just to look at what >> could possibly be wrong with the message->scanmail = 0 scenario? > > > Can you *briefly* explain what the problem is, what the symptoms are and > where you think the problem might lie? This is a very long thread.... :-) > > Jules > Hi Julian The problem is that when sending many messages from the mailscanner host (here via the sendmail command) and that this host is marked not to be scanned by mailscanner (via a ruleset for "Scan Messages"), some mails are duplicated by mailscanner. The ruleset in question is : From: 127.0.0.1 no It seems that when the server is under high load and/or the message sent is bigger, then the probability to have duplicates (sometimes 4 or 5 by messages) is higher. Note that this is only based on my impressions while trying to reproduce the problem :) I think the problem may be that in this particular case (locally sent messages, not to be scanned by mailscanner), the file locking is defective and multiple childs are reading the same postfix queue file. Note that i was not able to reproduce the problem with "Scan Messages = yes". 
You can have a look at this log extract that show duplicates for the ID
11D67CE47AC :

Feb 8 19:44:21 mail postfix/pickup[20676]: 11D67CE47AC: uid=48 from=
Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: hold: header Received: by mail.inforum.be (Postfix, from userid 48)??id 11D67CE47AC; Fri, 8 Feb 2008 19:44:20 +0100 (CET) from local; from=
Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: message-id=<20080208184421.11D67CE47AC@mail.inforum.be>
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 5B8AECE47A2.4FC7C to 08006CE47AB
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 342ACCE47B0.545F4 to E8253CE47A2
Feb 8 19:44:21 mail postfix/qmgr[19269]: 8382ECE473F: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail postfix/qmgr[19269]: E8253CE47A2: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail postfix/qmgr[19269]: 08006CE47AB: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail postfix/qmgr[19269]: 995D8CE47A5: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 5 messages
Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning: Starting
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 8F1BFCE47AC.62C1B to SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message C4702CE473F.14646 to SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 05006CE47AB.74D14 to SQL
Feb 8 19:44:21 mail MailScanner[16596]: 8F1BFCE47AC.62C1B: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 5B8AECE47A2.4FC7C to SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 342ACCE47B0.545F4 to SQL
Feb 8 19:44:21 mail MailScanner[16596]: C4702CE473F.14646: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16596]: 05006CE47AB.74D14: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16596]: 5B8AECE47A2.4FC7C: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16596]: 342ACCE47B0.545F4: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16264]: New Batch: Forwarding 1 unscanned messages, 23120 bytes
Feb 8 19:44:21 mail postfix/pickup[20676]: 5B439CE47AF: uid=48 from=
Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: hold: header Received: by mail.inforum.be (Postfix, from userid 48)??id 5B439CE47AF; Fri, 8 Feb 2008 19:44:21 +0100 (CET) from local; from=
Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: message-id=<20080208184421.5B439CE47AF@mail.inforum.be>
Feb 8 19:44:21 mail MailScanner[16264]: Requeue: 11D67CE47AC.DC14A to B0A22CE47B7
Feb 8 19:44:21 mail MailScanner[16264]: Unscanned: Delivered 1 messages
Feb 8 19:44:21 mail MailScanner[16264]: Virus and Content Scanning: Starting
Feb 8 19:44:21 mail MailScanner[16229]: New Batch: Forwarding 1 unscanned messages, 0 bytes
Feb 8 19:44:21 mail postfix/qmgr[19269]: B0A22CE47B7: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 11D67CE47AC.3898C to 084DCCE47BA
Feb 8 19:44:21 mail postfix/qmgr[19269]: 084DCCE47BA: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 1 messages
Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning: Starting
Feb 8 19:44:21 mail MailScanner[16264]: Logging message 11D67CE47AC.DC14A to SQL
Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.DC14A: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 11D67CE47AC.3898C to SQL
Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.3898C: Logged to MailWatch SQL
Feb 8 19:44:21 mail postfix/smtp[20778]: 9EDC5CE47B2: to=, relay=mail.alunys.com[212.35.119.247], delay=2, status=sent (250 O

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From cde at alunys.com Fri Feb 8 20:08:10 2008 From: cde at alunys.com (Cedric Devillers) Date: Fri Feb 8 20:09:17 2008 Subject: Mailscanner generated duplicate message In-Reply-To: References: <47AB262E.6070808@alunys.com>
<223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
Message-ID: <47ACB6AA.50804@alunys.com>

Alex Neuman wrote:
>
> On Feb 8, 2008, at 2:02 PM, Glenn Steen wrote:
>
>> When using Postfix and setting Scan Messages = no (with a rulset, for
>> some....), duplicates are "generated" by several MailScanner children
>> picking up and delivering the same message. It seems to be something
>> to do with timing, since not all generate this behavior, but rather
>> under heavy load (as in situations where some form of mailing list or
>> bulk mailer (presumably a legit newsletter) send large amounts of
>> messages at once).
>
> Could you reproduce the opposite of this behaviour by using "max
> children = 0"?
>

With this parameter, I cannot reproduce any duplicates so far... So the children really seem to matter.

Note that the queue scan interval is pretty low on this server too (set to 2). But that should not cause any duplicates under normal circumstances I suppose.

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From ugob at lubik.ca Fri Feb 8 20:54:23 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Fri Feb 8 20:54:48 2008
Subject: Anyone wrote a SpamAssassin rule for this one
Message-ID:

I got plenty of them, I was just wondering if someone had a rule before writing one:

==================================
Just as we predicted!

PERMANENT TECH ***PERT***
Recent: $0.53
90 days ago .03
52 W Range: $0.02- $0.58

What may make this the BEST INVESTMENT OPPORTUNITY OF 2008 is that [* PERT *] went public very quietly late last year. Hardly anyone knows about [* PERT *] yet or the AMAZINGLY HUGE POTENTIAL this company has for MONSTER REVENUE or a POTENTIAL Billi0n DOLLAR BUYOUT.

With Yesterdays News we think this may Double in a very short time. The last time we featured a company in this position it went from .26 to 2.87 in just 2 weeks afert tests ended and contract was signed. The Goverment is a BIG Buyer.

*************READ BELOW***************

United States Navy Tests Permanent Technologies' TineLok Fastening System
Monday February 4, 8:00 am ET

TineLok Vibration-Proof Fastening System is Currently Installed for Testing on the U.S. Navy's Newest Advanced Hovercraft

HAUPPAUGE, N.Y., Feb. 4 /PRNewswire-FirstCall/ -- Permanent Technologies, Inc. (Pink Sheets: PERT - News) announced that the United States Navy is currently testing their TineLok Vibration-Proof Fastening System in their newest Hovercraft, the Landing Craft, Air Cushion (LCAC). The LCAC is a high-speed, over-the-beach, fully amphibious landing craft, used to transport heavy payloads of equipment (up to 75 tons), cargo and personnel from ship to shore for the Marine Air-Ground Task Force.

The TineLok fasteners have been installed on the Hovercraft for almost a year and according to feedback from the Navy the fasteners have worked flawlessly to date.

"We are confident that the TineLok will perform to the U.S. Navy's exacting high-vibration requirements for this strategic project," stated Loren Ball, President and CEO of Permanent Technologies, Inc. "In addition to the performance requirements, we believe TineLok also gives the Navy the ability to make repairs, adjustments and service the components in the field without any special tools -- a major feature of the TineLok System."

About Permanent Technologies, Inc.

Permanent Technologies is the inventor and manufacturer of the award winning TineLok Fastening System -- a family of fasteners that are designed to hold tight in the most demanding, extreme and harshest conditions, environments and applications.

The TineLok Fastening System's vibration-proof, self-locking technology is an affordable alternative to traditional fasteners when increased safety, reliability, operating life and reduced maintenance is desired or required. The Company has been granted numerous patents both in the U.S. and internationally for the TineLok technology.
==================================================

Regards,

Ugo

From glenn.steen at gmail.com Fri Feb 8 21:33:32 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 8 21:38:09 2008
Subject: Mailscanner generated duplicate message
In-Reply-To:
References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
Message-ID: <223f97700802081333j54395f4ey3cc5a54bb331e975@mail.gmail.com>

On 08/02/2008, Alex Neuman wrote:
>
> On Feb 8, 2008, at 2:02 PM, Glenn Steen wrote:
>
> > When using Postfix and setting Scan Messages = no (with a rulset, for
> > some....), duplicates are "generated" by several MailScanner children
> > picking up and delivering the same message. It seems to be something
> > to do with timing, since not all generate this behavior, but rather
> > under heavy load (as in situations where some form of mailing list or
> > bulk mailer (presumably a legit newsletter) send large amounts of
> > messages at once).
>
> Could you reproduce the opposite of this behaviour by using "max
> children = 0"?
>
The reports we had before Xmas indicate this, yes.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Feb 8 21:32:21 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 8 21:39:20 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <22654565.7331202497624061.JavaMail.root@office.splatnix.net>
References: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> <22654565.7331202497624061.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700802081332m619069fk52117488ec5690e6@mail.gmail.com>

On 08/02/2008, --[ UxBoD ]-- wrote:
> No looking at code Glenn while drinking ;) You will end up seeing duplicate messages. If I have chance over the weekend will take a look at the code aswell.
>
> Regards,
>
Thanks... Any help appreciated! ... with code scrutiny that is....:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Feb 8 21:39:10 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 8 21:39:24 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47ACB045.4090504@alunys.com>
References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <47ACB045.4090504@alunys.com>
Message-ID: <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com>

On 08/02/2008, Cedric Devillers wrote:
> Julian Field wrote:
> >
> >
> > Glenn Steen wrote:
> >> On 08/02/2008, Glenn Steen wrote:
> >
> >>> On 08/02/2008, Glenn Steen wrote:
> >>>
> >>>> On 07/02/2008, Cedric Devillers wrote:
> >>>>
> >>>>> Hello,
> >>>>>
> >>>>> I'm trying to revive this thread from the last month because we are
> >>>>> observing the exact same behavior on one of our servers.
> >>>>>
> >>>> Thanks for doing that, and for providing some more info.
> >>>>
> >>>>
> >>>>> So to remember the facts :
> >>>>>
> >>>>> - We are using mailscanner with postfix, and duplicated messages are
> >>>>> generated by mailscanner.
> >>>>>
> >>>>> - This system is the only one where we are observing this behavior. It
> >>>>> have a little particularity : it mainly act as a mail relay, but
> >>>>> sometimes many mails are generated by the server itself (a script) and
> >>>>> injected in postfix queues via sendmail command. We can always reproduce
> >>>>> some duplicated messages with this script.
> >>>>>
> >>>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses
> >>>>> messages, but they are still entering the mailscanner logic (postix ->
> >>>>> hold queue -> mailscanner (no scan) -> active queue).
> >>>>>
> >>>> What does the ruleset look like? I'm sure it doesn't matter, but ...
> >>>> just out of curiosity:-)...
> >>>>
> >>>>
> >>>>> - Mailwatch is running on this server, and for each duplicates we see
> >>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final
> >>>>> entry with the full body. Note that the recipient see the full body on
> >>>>> every duplicate.
> >>>>>
> >>>>> It looks like a locking problem, because all duplicates are with the
> >>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy,
> >>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to
> >>>>> lock some queue file when message is marked not to be scanned by
> >>>>> mailscanner ?
> >>>>>
> >>>> Yes, this seems plausible... Could you provide some log examples? Just
> >>>> to see that it really is separate children reading the same queue
> >>>> file...
> >>>>
> >>>>
> >>>>
> >>>>> I will not be very helpfull to debug perl code, but i can provide any
> >>>>> needed logs to help finding the origin of the problem.
> >>>>>
> >>>> I'll see what I can do, but... I think this isn't "my" code snippets,
> >>>> but a thing that might have been present for a while... And I have a
> >>>> serious lack of time to spend on this ATM (worse than last time,
> >>>> before Xmas)... So no promises:-).
> >>>>
> >>>>
> >>>>> This is really a serious problem in this particular installation. But i
> >>>>> must say that we have dozens of other servers that are running
> >>>>> mailscanner/postfix, and we are very happy about thems :)
> >>>>>
> >>>> Does it help if you DO scan with MS, but skip things at the next
> >>>> level, for example:
> >>>> Scan Messages = yes
> >>>> Use SpamAssassin = no
> >>>> Dangerous Content Scanning = no
> >>>> ... and possibly a few more (do them with a ruleset, of course:-)?
> >>>>
> >>>>
> >>> BTW, do you have any milters enabled in Postfix? What version of Postfix?
> >>>
> >>> Cheers
> >>>
> >> I think we need Jules on this one, not only feeble lil' me:-).
> >> AFAICS, the locking/unlocking is handled _exactly_ the same regardless
> >> of the scanmail setting... But then, this is a rather complex bit of
> >> code, where the "execution path" isn't always as straightforward as it
> >> seems... Jules, could you spare a moment or two? Just to look at what
> >> could possibly be wrong with the message->scanmail = 0 scenario?
> >
> >
> > Can you *briefly* explain what the problem is, what the symptoms are and
> > where you think the problem might lie? This is a very long thread.... :-)
> >
> > Jules
> >
>
> Hi Julian
>
> The problem is that when sending many messages from the mailscanner host
> (here via the sendmail command) and that this host is marked not to be
> scanned by mailscanner (via a ruleset for "Scan Messages"), some mails
> are duplicated by mailscanner.
>
> The ruleset in question is :
> From: 127.0.0.1 no
>
> It seems that when the server is under high load and/or the message sent
> is bigger, then the probability to have duplicates (sometimes 4 or 5 by
> messages) is higher. Note that this is only based on my impressions
> while trying to reproduce the problem :)
>
> I think the problem may be that in this particular case (locally sent
> messages, not to be scanned by mailscanner), the file locking is
> defective and multiple childs are reading the same postfix queue file.
> Note that i was not able to reproduce the problem with "Scan Messages =
> yes".
>
> You can have a look at this log extract that show duplicates for the ID
> 11D67CE47AC :
>
> Feb 8 19:44:21 mail postfix/pickup[20676]: 11D67CE47AC: uid=48
> from=
> Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: hold: header
> Received: by mail.inforum.be (Postfix, from userid 48)??id 11D67CE47AC;
> Fri, 8 Feb 2008 19:44:20 +0100 (CET) from local; from=
> Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC:
> message-id=<20080208184421.11D67CE47AC@mail.inforum.be>
> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 5B8AECE47A2.4FC7C to
> 08006CE47AB
> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 342ACCE47B0.545F4 to
> E8253CE47A2
> Feb 8 19:44:21 mail postfix/qmgr[19269]: 8382ECE473F:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail postfix/qmgr[19269]: E8253CE47A2:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail postfix/qmgr[19269]: 08006CE47AB:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail postfix/qmgr[19269]: 995D8CE47A5:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 5 messages
> Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning:
> Starting
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 8F1BFCE47AC.62C1B to SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> C4702CE473F.14646 to SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 05006CE47AB.74D14 to SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 8F1BFCE47AC.62C1B: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 5B8AECE47A2.4FC7C to SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 342ACCE47B0.545F4 to SQL
> Feb 8 19:44:21 mail MailScanner[16596]: C4702CE473F.14646: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 05006CE47AB.74D14: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 5B8AECE47A2.4FC7C: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 342ACCE47B0.545F4: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16264]: New Batch: Forwarding 1
> unscanned messages, 23120 bytes
> Feb 8 19:44:21 mail postfix/pickup[20676]: 5B439CE47AF: uid=48
> from=
> Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: hold: header
> Received: by mail.inforum.be (Postfix, from userid 48)??id 5B439CE47AF;
> Fri, 8 Feb 2008 19:44:21 +0100 (CET) from local; from=
> Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF:
> message-id=<20080208184421.5B439CE47AF@mail.inforum.be>
> Feb 8 19:44:21 mail MailScanner[16264]: Requeue: 11D67CE47AC.DC14A to
> B0A22CE47B7
> Feb 8 19:44:21 mail MailScanner[16264]: Unscanned: Delivered 1 messages
> Feb 8 19:44:21 mail MailScanner[16264]: Virus and Content Scanning:
> Starting
> Feb 8 19:44:21 mail MailScanner[16229]: New Batch: Forwarding 1
> unscanned messages, 0 bytes
> Feb 8 19:44:21 mail postfix/qmgr[19269]: B0A22CE47B7:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 11D67CE47AC.3898C to
> 084DCCE47BA
> Feb 8 19:44:21 mail postfix/qmgr[19269]: 084DCCE47BA:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 1 messages
> Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning:
> Starting
> Feb 8 19:44:21 mail MailScanner[16264]: Logging message
> 11D67CE47AC.DC14A to SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.DC14A: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 11D67CE47AC.3898C to SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.3898C: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail postfix/smtp[20778]: 9EDC5CE47B2:
> to=, relay=mail.alunys.com[212.35.119.247], delay=2,
> status=sent (250 O
>
Thanks Cedric, this, and the child thing suggested by alex, corroborate the theory of what is going bad, limiting what need be scrutinized.... which is a good thing:-).
Still, I've been looking and can't for the life of me see where it goes haywire....:-/
Hopefully Jules (or Phil... or me a bit more sober...:-) will find something.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mkettler at evi-inc.com Fri Feb 8 21:49:40 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Feb 8 21:50:14 2008
Subject: Anyone wrote a SpamAssassin rule for this one
In-Reply-To:
References:
Message-ID: <47ACCE74.5040406@evi-inc.com>

Ugo Bellavance wrote:
> I got plenty of them, I was just wondering if someone had a rule before
> writing one:
>

Your post matched these rules on my system:

X-EVI-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.082, required 5, FUZZY_BILLION 1.93, LOCAL_INVEST_OP 0.50, SARE_LWPINK 1.66, SPF_PASS -0.00)

That's not enough to tag it, but it's a good start.

LOCAL_INVEST_OP is one of my custom rules. It is potentially false positive prone on things like the motley fool newsletters, but I keep the score low.:

body LOCAL_INVEST_OP /\binvestment opportunit(?:y|ies)\b/i
score LOCAL_INVEST_OP 0.5

SARE_LWPINK is from 70_sare_stocks.cf.

FUZZY_BILLION is from the default SA ruleset, although 3.2.x scores it at 0 due to low hit count in the test corpus. You could re-enable it by giving it a nonzero score.
The 3.1.x defaults were:

score FUZZY_BILLION 2.400 0.914 2.727 1.925

From cotharyus at gmail.com Sat Feb 9 03:02:14 2008
From: cotharyus at gmail.com (Drew)
Date: Sat Feb 9 03:02:23 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com>
Message-ID: <715841970802081902h55b7f2d0iba4bff689b99ec0@mail.gmail.com>

Glenn,
Thanks. Reading back over this, my last response probably sounded bad, I don't want you guys to think I don't appreciate the suggestions so far - it usually is the silly little things we overlook. That said, after deinstalling _all_ ports, cvsup'ing everything to a sync'd state, and building back in the ports I need to make all this stuff run (indicated by previous experience), I'm still getting the same error on the mailwatch interface:

/libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol "PL_exit_flags"

As postfix, I get this:

root@colossus(/var/db/pkg)# whoami
postfix
root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
/libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: Undefined symbol "Perl_Tstack_sp_ptr"

next, www:

root@colossus(/var/db/pkg)# whoami
www
root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
/libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: Undefined symbol "Perl_Tstack_sp_ptr"

And just for consistency's sake:

root@colossus(/var/db/pkg)# whoami
root
root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
/libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: Undefined symbol "Perl_Tstack_sp_ptr"

So it's safe to say we can rule out the output we're getting from mailwatch, and assume we're getting different errors at this point. I may try to sort out this perl issue before I nuke this box and start over. Anyone got any off the cuff suggestions?

On Feb 8, 2008 6:31 AM, Glenn Steen wrote:
> On 08/02/2008, Drew wrote:
> > Actually, the reason the bayes stuff shows up is because the system
> hasn't
> > processed any mail, and I haven't put any start dbs there. All
> permissions
> > should be fine, it was one of the first things I checked. Unfortunately,
> at
> > this time, I've basically ripped this system (which was originally 5.0,
> and
> > has been upgraded over time to 6.3) down to essentially nothing but a
> bare
> > install, and reinstalled everything. In the process a few things broke,
> > which I should have fixed soon, in which case if things _still_ don't
> work,
> > I'll be more than happy to run all tests as postfix and www. Of course,
> if
> > this doesn't work, I may just nuke this install altogether and go with a
> > fresh install, where I've set all of this software up and gotten it
> working
> > twice without having to do as much as scratch my head over it.
> >
> :-)
> We'll be here, if you need us.
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From mikea at mikea.ath.cx Sat Feb 9 03:53:03 2008
From: mikea at mikea.ath.cx (mikea)
Date: Sat Feb 9 03:53:15 2008
Subject: [ot] internal ip address
In-Reply-To: <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> <47AB2D43.9020700@evi-inc.com> <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>
Message-ID: <20080209035303.GB33694@mikea.ath.cx>

On Thu, Feb 07, 2008 at 09:52:10PM +0100, Glenn Steen wrote:
> On 07/02/2008, Matt Kettler wrote:
> > Glenn Steen wrote:
> > > For the
> > > vast majority of organizations, this is a very minor threat, not worth
> > > breaking RFC...
> >
> > Like.. gmail?
> :-)
>
> > Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14
> >
> > Actually, AFAIK, that doesn't actually violate the RFCs.. you MUST add a
> > Received: header, but I don't see anything in 2821/2822/1123 requiring you to
> > add a from clause.
> Ah, but the "breakage" is in _removing_ a Received line added by
> another SMTP server, be that internal or not... Hm, maybe I'm an
> idiot, and the original question was just about the Received line
> added by the MS gw... Sigh. Just goes to show one shouldn't try to do
> more than three things simultaneously (I got my new DB servers today,
> or rather the storage and racks... as a surprise "here we are, four
> workdays early.... Where should we put them?" kind of thing, on a busy
> day...). Sorry, might've be me typing without much afterthought.
>
> > > I'm not saying you're wrong, just that it is ... really minor...
> > > compared to a lot of other email-related threats:-)... Yes, you can
> > > counter with "your generalization is bigger than mine"... I know I do
> > > it too...:-)
> > >
> > > On the whole, I see very little _real possibility_ of damages from this.
> > > It is a leakage, yes.... but negligible in most cases. that's MHO ate least:-).

If it is _Vital_ to keep the shape of the internal network hidden, then the leakage is a problem. Otherwise, it's just another piece of the puzzle to be tacked up on the wall. Intelligence organizations make their livings by putting together such puzzles. You have to make a decision about how much of the puzzle you're comfortable having on the wall. It almost always is more than you know is on the wall.

> > I would agree in most cases it is very minor or negligible. I never said this
> > applied to most, or even very many people.
> See above, me reading too fast:-).
> I tend to react to "security by obscurity" or "the auditor said this
> is bad for everyone" kind of arguments, where one hasn't done any form
> of risk assessment... so that was probably what got me going:-).

I lost absolutely all respect for the external auditors hired by our
internal auditing group for an IT audit when one of them:
o handed me a CDROM and told me to "boot" our very large IBM
mainframe computer from it; and then
o refused to believe that I couldn't "open" the NETBEUI port on the
mainframe for him.
The IBM mainframe doesn't "boot" from CDROM, but from very large disk.
There is not an IBM-supplied listener for NETBEUI, and we don't run
one.

These, unfortunately, are the sorts of things that one gets from the run-of-the-mill auditors, who download a checklist and run down it, one question at a time, one size fits all.

> > My only point was the "if it's unroutable, you can't hack it" argument isn't a
> > very complete view of network security.
> Quite true. As usual,I find we're in violent agreement (of a
> sorts:-). I truly value your comments.

OTOH, if you don't route it, they can't get to it directly, which may satisfy your needs. Preventing information leaks, whether direct or indirect, overt or covert, is a *much* knottier problem, and one that is in the general case insoluble. An air-gap firewall and TEMPEST shielding to NACSIM 5100A or better is -- or so the government hopes -- at least a good start.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From glenn.steen at gmail.com Sat Feb 9 09:32:44 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Feb 9 09:32:54 2008
Subject: [ot] internal ip address
In-Reply-To: <20080209035303.GB33694@mikea.ath.cx>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> <47AB2D43.9020700@evi-inc.com> <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com> <20080209035303.GB33694@mikea.ath.cx>
Message-ID: <223f97700802090132g5580ed20le73bf68310bf3c42@mail.gmail.com>

On 09/02/2008, mikea wrote:
> On Thu, Feb 07, 2008 at 09:52:10PM +0100, Glenn Steen wrote:
> > On 07/02/2008, Matt Kettler wrote:
> > > Glenn Steen wrote:
> > > > For the
> > > > vast majority of organizations, this is a very minor threat, not worth
> > > > breaking RFC...
> > >
> > > Like.. gmail?
> > :-)
> >
> > > Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14
> > >
> > > Actually, AFAIK, that doesn't actually violate the RFCs.. you MUST add a
> > > Received: header, but I don't see anything in 2821/2822/1123 requiring you to
> > > add a from clause.
> > Ah, but the "breakage" is in _removing_ a Received line added by
> > another SMTP server, be that internal or not... Hm, maybe I'm an
> > idiot, and the original question was just about the Received line
> > added by the MS gw... Sigh. Just goes to show one shouldn't try to do
> > more than three things simultaneously (I got my new DB servers today,
> > or rather the storage and racks... as a surprise "here we are, four
> > workdays early.... Where should we put them?" kind of thing, on a busy
> > day...). Sorry, might've be me typing without much afterthought.
> >
> > > > I'm not saying you're wrong, just that it is ... really minor...
> > > > compared to a lot of other email-related threats:-)... Yes, you can
> > > > counter with "your generalization is bigger than mine"... I know I do
> > > > it too...:-)
> > > >
> > > > On the whole, I see very little _real possibility_ of damages from this.
> > > > It is a leakage, yes.... but negligible in most cases. that's MHO ate least:-).
>
> If it is _Vital_ to keep the shape of the internal network hidden,
> then the leakage is a problem. Otherwise, it's just another piece of
> the puzzle to be tacked up on the wall. Intelligence organizations
> make their livings by putting together such puzzles. You have to make
> a decision about how much of the puzzle you're comfortable having on
> the wall. It almost always is more than you know is on the wall.

True, but most of us do not contend with ... organizations that have a LOT of money to spend on things like these:-). But as the scout says..... :-)

> > > I would agree in most cases it is very minor or negligible. I never said this
> > > applied to most, or even very many people.
> > See above, me reading too fast:-).
> > I tend to react to "security by obscurity" or "the auditor said this
> > is bad for everyone" kind of arguments, where one hasn't done any form
> > of risk assessment... so that was probably what got me going:-).
>
> I lost absolutely all respect for the external auditors hired by our
> internal auditing group for an IT audit when one of them:
> o handed me a CDROM and told me to "boot" our very large IBM
> mainframe computer from it; and then
> o refused to believe that I couldn't "open" the NETBEUI port on the
> mainframe for him.
> The IBM mainframe doesn't "boot" from CDROM, but from very large disk.
> There is not an IBM-supplied listener for NETBEUI, and we don't run
> one.

Been there, done that too.

> These, unfortunately, are the sorts of things that one gets from
> the run-of-the-mill auditors, who download a checklist and run down
> it, one question at a time, one size fits all.

Yeah, but OTOH some auditors actually know what they're about.
It's just a bit frustrating that one cannot choose which auditor you get:-):-). We do internal audits about once a year, where we choose a trusted firm, with really good auditors. And once a year we get the other kind foisted on us "from above". Sigh.

> > > My only point was the "if it's unroutable, you can't hack it" argument isn't a
> > > very complete view of network security.
> > Quite true. As usual,I find we're in violent agreement (of a
> > sorts:-). I truly value your comments.
>
> OTOH, if you don't route it, they can't get to it directly, which may
> satisfy your needs. Preventing information leaks, whether direct or
> indirect, overt or covert, is a *much* knottier problem, and one that
> is in the general case insoluble. An air-gap firewall and TEMPEST
> shielding to NACSIM 5100A or better is -- or so the government hopes
> -- at least a good start.

Yeah, but still.... an insider with some knowledge (or equally bad, without....:-) will defeat most things...:-(

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Feb 9 10:27:31 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Feb 9 10:27:41 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802081902h55b7f2d0iba4bff689b99ec0@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com> <715841970802081902h55b7f2d0iba4bff689b99ec0@mail.gmail.com>
Message-ID: <223f97700802090227q36e0cdb7rcf61cee86c71c691@mail.gmail.com>

On 09/02/2008, Drew wrote:
> Glenn,
> Thanks. Reading back over this, my last response probably sounded bad, I
> don't want you guys to think I don't appreciate the suggestions so far - it
> usually is the silly little things we overlook. That said, after
> deinstalling _all_ ports, cvsup'ing everything to a sycn'd state, and
> building back in the ports I need to make all this stuff run (indicated by
> previous experience), I'm still getting the same error on the mailwatch
> interface:
>
> /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol
> "PL_exit_flags"
>
> As postfix, I get this:
>
> root@colossus(/var/db/pkg)# whoami
> postfix
> root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
> /libexec/ld-elf.so.1:
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so:
> Undefined symbol "Perl_Tstack_sp_ptr"
>
> next, www:
>
> root@colossus(/var/db/pkg)# whoami
> www
> root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
> /libexec/ld-elf.so.1:
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so:
> Undefined symbol "Perl_Tstack_sp_ptr"
>
> And just for consistancy's sake:
>
> root@colossus(/var/db/pkg)# whoami
> root
> root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
> /libexec/ld-elf.so.1:
> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so:
> Undefined symbol "Perl_Tstack_sp_ptr"
>
>
> So it's safe to say we can rule out the output we're getting from
> mailwatch, and assume we're getting different errors at this point. I may
> try to sort out this perl issue before I nuke this box and start over.
> Anyone got any off the cuff suggestions?
>
Splendid, now we know that this is solely a perl (build) problem, and
not really a problem with MS or MW. Good.
Googling for similar problems, one can see that this is indicative....
Hm, start by rebuilding the base perl package, then every little
pm...... Sounds fun? No.
Perhaps faster/easier to just call it quits and start from scratch;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From drew.marshall at technologytiger.net Sat Feb 9 15:39:11 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Sat Feb 9 15:39:23 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <223f97700802090227q36e0cdb7rcf61cee86c71c691@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com> <715841970802081902h55b7f2d0iba4bff689b99ec0@mail.gmail.com> <223f97700802090227q36e0cdb7rcf61cee86c71c691@mail.gmail.com>
Message-ID: <33191D2B-B183-4ABB-AE23-2389D07140FC@technologytiger.net>

On 9 Feb 2008, at 10:27, Glenn Steen wrote:
> On 09/02/2008, Drew wrote:
>> root@colossus(/var/db/pkg)# whoami
>> root
>> root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
>> /libexec/ld-elf.so.1:
>> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so:
>> Undefined symbol "Perl_Tstack_sp_ptr"
>>
>>
>> So it's safe to say we can rule out the output we're getting from
>> mailwatch, and assume we're getting different errors at this point.
>> I may
>> try to sort out this perl issue before I nuke this box and start
>> over.
>> Anyone got any off the cuff suggestions?
>>
> Splendid, now we know that this is solely a perl (build) problem, and
> not really a problem with MS or MW. Good.
> Googling for similar problems, one can see that this is indicative....
> Hm, start by rebuilding the base perl package, then every little
> pm...... Sounds fun? No.
> Perhaps faster/easier to just call it quits and start from scratch;-).

From one Drew to another (There aren't that many of us, certainly that I have come across) How did you build Perl? If it was from ports, did you make sure that you are building all your perl modules etc against the right perl (i.e. port not base) and that /usr/bin/perl points to the right version.

This article might be of use http://freebsd.munk.me.uk/archives/160-Upgrading-Perl-On-FreeBSD.html (or be good fodder for /dev/null depending ;-) )

Regards

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by Tiger Mail www.technologytiger.net/tigermail from Technology Tiger.
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From v at vladville.com Sat Feb 9 20:14:11 2008
From: v at vladville.com (Vlad Mazek)
Date: Sat Feb 9 20:14:20 2008
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AC87AE.6010608@ecs.soton.ac.uk>
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC7CD.5000505@sendit.nodak.edu> <47AC87AE.6010608@ecs.soton.ac.uk>
Message-ID:

Ok, that is so embarrassing. I am not sure how I didn't see that, particularly because it was 5 lines below the spam lists rule. :(

Followup question - do the whitelist and blacklist rules still apply (mailscanner b/w list) if Spamassassin is skipped?

-Vlad

On 2/8/08, Julian Field wrote:
>
> But if you set
> Check SpamAssassin If On Spam List = no
> then it won't.
>
> Vlad Mazek wrote:
> > Tried that earlier today, no difference in behavior. MailScanner finds
> > it on SBL+XBL but proceeds to put it through SA anyhow.
> >
> >

From ssilva at sgvwater.com Sat Feb 9 22:33:04 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Feb 9 22:33:24 2008
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

on 2/7/2008 5:40 PM Vlad Mazek spake the following:
> Doesn't work like that in the business world...
>
> Remote Sender: I sent you the email.
> Internal Recipient: We didn't get the email.
>
> Five minutes later, IT is getting chewed out for blocking customers
> emails that almost always involve a $10 million dollar transaction for a
> company that doesn't have any extra room in the budget to beef up the
> security........
>
I have had to show logs to exec's showing that we actually didn't see any activity from some senders. And then the next day the mail will show up with headers showing it sat in an exchange queue for 24 hours.
But I know what you are talking about. Fortunately, I work for a water utility, so our customers can't "go somewhere else" without selling their property and moving. Nothing like a captive audience! 8-P

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From cotharyus at gmail.com Sun Feb 10 02:46:15 2008
From: cotharyus at gmail.com (Drew)
Date: Sun Feb 10 02:46:25 2008
Subject: perl clamav module - what does it do?
Message-ID: <715841970802091846j2c7cc8c0k9cec764ee39ac321@mail.gmail.com>

What does mailscanner use the perl clamav module for?
I see it come up as missing when I do a mailscanner -v but everything seems to be working without it. I'll hazard a guess that this is specifically for the clamav module (which I'm not using), and so it won't affect me. Anyone care to confirm this or point out any errors in my assumption? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080209/9aef3171/attachment.html From shuttlebox at gmail.com Sun Feb 10 10:48:46 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Sun Feb 10 10:48:55 2008 Subject: perl clamav module - what does it do? In-Reply-To: <715841970802091846j2c7cc8c0k9cec764ee39ac321@mail.gmail.com> References: <715841970802091846j2c7cc8c0k9cec764ee39ac321@mail.gmail.com> Message-ID: <625385e30802100248q1477b9c9necffed77d70c46b9@mail.gmail.com> On Feb 10, 2008 3:46 AM, Drew wrote: > What does mailscanner use the perl clamav module for? I see it come up as > missing when I do a mailscanner -v but everything seems to be working > without it. I'll hazard a guess that this is specifically for the clamav > module (which I'm not using), and so it won't affect me. Anyone care to > confirm this or point out any errors in my assumption? It's one of three ways to use Clam AV. Either you use clamscan, clamd or the clam perl module. It's listed under optional modules. -- /peter From kate at rheel.co.nz Sun Feb 10 20:57:07 2008 From: kate at rheel.co.nz (Kathryn Allan) Date: Sun Feb 10 20:56:55 2008 Subject: can you strip attachments to a folder Message-ID: <47AF6523.7080803@rheel.co.nz> Hi all, Have had a request to do this and was wondering if it is even possible. Can I set mailscanner up so that any emails from a specific address - if they have an attachment, the attachment gets stripped and dumped in a specific folder? 
Thanks Kate From MailScanner at ecs.soton.ac.uk Sun Feb 10 22:29:16 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Feb 10 22:29:43 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AF6523.7080803@rheel.co.nz> References: <47AF6523.7080803@rheel.co.nz> Message-ID: <47AF7ABC.60805@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MailScanner doesn't get involved in message delivery at all (that's your MTA's job) and so this isn't easily possible, no. Sorry. Kathryn Allan wrote: > Hi all, > > Have had a request to do this and was wondering if it is even possible. > > Can I set mailscanner up so that any emails from a specific address - > if they have an attachment, the attachment gets stripped and dumped in > a specific folder? > > Thanks > Kate Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: Use Thunderbird's Enigmail add-on to verify this message Charset: ISO-8859-1 wj8DBQFHr3q+EfZZRxQVtlQRAgMDAJoDLHA1yJba15kRAZzMKhxmyoSw7ACgwHor BCwCcBX5q/i91iU2ACphf6Y= =q/9E -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From hvdkooij at vanderkooij.org Sun Feb 10 22:49:43 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Feb 10 22:50:53 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AF7ABC.60805@ecs.soton.ac.uk> References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> Message-ID: <47AF7F87.3010907@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: | MailScanner doesn't get involved in message delivery at all (that's your | MTA's job) and so this isn't easily possible, no. Wouldn't it be possible to deliver the message without attachments and store the full message? That might be close enough. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHr3+GBvzDRVjxmYERAnQWAKCjCkmz2p1zNaQrc21yqncJwcTlnQCfbcXI ZqiGpkHm/VBMYx2JaAv5cao= =z5lQ -----END PGP SIGNATURE----- From kate at rheel.co.nz Mon Feb 11 01:43:54 2008 From: kate at rheel.co.nz (Kathryn Allan) Date: Mon Feb 11 01:43:42 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AF7F87.3010907@vanderkooij.org> References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> <47AF7F87.3010907@vanderkooij.org> Message-ID: <47AFA85A.1040403@rheel.co.nz> Its not really message delivery I need though the email attachment doesn't ever go through to an email account but rather would be stored in a folder for another program to access. Kate Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > | MailScanner doesn't get involved in message delivery at all (that's > your > | MTA's job) and so this isn't easily possible, no. 
> > Wouldn't it be possible to deliver the message without attachments and > store the full message? That might be close enough. > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFHr3+GBvzDRVjxmYERAnQWAKCjCkmz2p1zNaQrc21yqncJwcTlnQCfbcXI > ZqiGpkHm/VBMYx2JaAv5cao= > =z5lQ > -----END PGP SIGNATURE----- -- Kate Kleinschafer Internet Services GetRheel /A division of Rheel Electronics Ltd / Phone +64-3-386 3070 Fax +64-3-386-3071 Mobile +64-21-386-394 email: kate@rheel.co.nz www.getrheel.co.nz This e-mail together with any attachments is confidential, may be subject to legal privilege and may contain proprietary information, including information protected by copyright. If you are not the intended recipient, please do not copy, use or disclose this e-mail; please notify us immediately by return e-mail and then delete this e-mail. From devonharding at gmail.com Mon Feb 11 02:17:06 2008 From: devonharding at gmail.com (Devon Harding) Date: Mon Feb 11 02:17:15 2008 Subject: Outbound relay on 587 Message-ID: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> My ISP (Comcast) is of course blocking port 25 inbound and out. How can I configure MailScanner to relay all outbound mail to my easyDNS servers via port 587? Thanks, -Devon -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080210/385cbc0c/attachment.html

From apu at nocservices.com Mon Feb 11 02:57:43 2008
From: apu at nocservices.com (Apu)
Date: Mon Feb 11 02:58:04 2008
Subject: Outbound relay on 587
In-Reply-To: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com>
Message-ID: <47AFB9A7.50804@nocservices.com>

Devon Harding wrote, On 2/10/08 9:17 PM:
> My ISP (Comcast) is of course blocking port 25 inbound and out. How can I
> configure MailScanner to relay all outbound mail to my easyDNS servers via
> port 587?

Check your MTA (sendmail, postfix, etc.) to send via a "smart host."

For sendmail, add a

define(`SMART_HOST', `mail.isp.net')

to your sendmail.mc and regenerate sendmail.cf

--
Apu
NOC Services Corp.
www.nocservices.com

From apu at nocservices.com Mon Feb 11 03:10:16 2008
From: apu at nocservices.com (Apu)
Date: Mon Feb 11 03:10:30 2008
Subject: Outbound relay on 587
In-Reply-To: <47AFB9A7.50804@nocservices.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com>
Message-ID: <47AFBC98.9030403@nocservices.com>

Apu wrote, On 2/10/08 9:57 PM:
> Devon Harding wrote, On 2/10/08 9:17 PM:
>> My ISP (Comcast) is of course blocking port 25 inbound and out. How can I
>> configure MailScanner to relay all outbound mail to my easyDNS servers via
>> port 587?
>
> Check your MTA (sendmail, postfix, etc.) to send via a "smart host."
>
> For sendmail, add a
>
> define(`SMART_HOST', `mail.isp.net')
>
> to your sendmail.mc and regenerate sendmail.cf

Sorry to reply to myself... but to clarify my off-topic post...

define(`SMART_HOST', `mail.isp.net')

by itself will send via port 25 and is good if you want to send via Comcast's servers.

If you want to send via another server and port 587, you want both

define(`SMART_HOST', `mail.isp.net')
define(`RELAY_MAILER_ARGS', `TCP $h 587')

--
Apu
NOC Services Corp.
www.nocservices.com

From devonharding at gmail.com Mon Feb 11 04:22:59 2008
From: devonharding at gmail.com (Devon Harding)
Date: Mon Feb 11 04:23:08 2008
Subject: Outbound relay on 587
In-Reply-To: <47AFBC98.9030403@nocservices.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com>
Message-ID: <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com>

> If you want to send via another server and port 587, you want both
>
> define(`SMART_HOST', `mail.isp.net')
> define(`RELAY_MAILER_ARGS', `TCP $h 587')

I wonder if I'm missing something. It looks like it's still using port 25. This is sendmail.mc file:

dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
define(`SMART_HOST',`smtpout.secureserver.net')
define(`RELAY_MAILER_ARGS', `TCP $h 587')
dnl #

And this is what I'm getting in /var/log/maillog:

Feb 10 23:09:27 mars sendmail[3111]: m1B3xeD3002518: timeout waiting for input from smtpout.secureserver.net during client greeting
Feb 10 23:09:27 mars sendmail[3111]: m1B3xeD3002518: to=, ctladdr= (0/0), delay=00:09:46, xdelay=00:05:00, mailer=relay, pri=120344, relay=smtpout.secureserver.net [64.202.165.58], dsn=4.0.0, stat=Deferred: Connection timed out with smtpout.secureserver.net
Feb 10 23:09:43 mars update.bad.phishing.sites: Phishing bad sites list updated
Feb 10 23:09:43 mars update.virus.scanners: Delaying cron job up to 600 seconds

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080210/321769d7/attachment.html

From goetz.reinicke at filmakademie.de Mon Feb 11 08:16:12 2008
From: goetz.reinicke at filmakademie.de (=?ISO-8859-15?Q?G=F6tz_Reinicke?=)
Date: Mon Feb 11 08:16:25 2008
Subject: Switch from f-secure to avira - No "found ..." message in the log
Message-ID: <47B0044C.2030007@filmakademie.de>

Hi,

we will switch from f-secure to avira and I installed the workstation command-line scanner today. The license is installed, updates work.

After that I changed the MailScanner.conf to use the new scanner:

"Virus Scanners = antivir".

I sent myself the eicar test file and the attachments got removed, the sysadmin (me) got the notification and the sender (me) was also informed :-)

But in the mail-log on the server there is no "Found .... " line as there has been when using f-secure:

"Found F-Secure version 4.65=4.65"

The question: Is everything good or something bad?

Thanks for any hint or tip!

Best regards

Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, Minister a.D.
Managing Director: Prof. Thomas Schadt

From uxbod at splatnix.net Mon Feb 11 08:31:26 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Feb 11 08:31:44 2008
Subject: Switch from f-secure to avira - No "found ..." message in the log
In-Reply-To: <47B0044C.2030007@filmakademie.de>
Message-ID: <17860241.121202718686490.JavaMail.root@office.splatnix.net>

What is the output from MailScanner --lint ?
Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Götz Reinicke" wrote:
> Hi,
>
> we will switch from f-secure to avira and I installed the workstation
> command-line scanner today. The license is installed, updates work.
>
> After that I changed the MailScanner.conf to use the new scanner:
>
> "Virus Scanners = antivir".
>
> I sent myself the eicar test file and the attachments got removed, the
> sysadmin (me) got the notification and the sender (me) was also
> informed :-)
>
> But in the mail-log on the server there is no "Found .... " line as
> there has been when using f-secure:
>
> "Found F-Secure version 4.65=4.65"
>
> The question: Is everything good or something bad?
>
> Thanks for any hint or tip!
>
> Best regards
>
> Götz

From goetz.reinicke at filmakademie.de Mon Feb 11 08:40:49 2008
From: goetz.reinicke at filmakademie.de (=?UTF-8?B?R8O2dHogUmVpbmlja2U=?=)
Date: Mon Feb 11 08:41:05 2008
Subject: Switch from f-secure to avira - No "found ..." message in the log
In-Reply-To: <17860241.121202718686490.JavaMail.root@office.splatnix.net>
References: <17860241.121202718686490.JavaMail.root@office.splatnix.net>
Message-ID: <47B00A11.8010401@filmakademie.de>

Hi,

MailScanner --lint
Trying to setlogsock(unix)
Checking version numbers...
Version number in MailScanner.conf (4.66.5) is correct.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-Filmakademie-MailScanner-From

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = f-secure antivir"
Found these virus scanners installed: clamav, f-secure, antivir
===========================================================================
===========================================================================
Virus Scanner test reports:
F-Secure said "./1/eicar.com: Infected: EICAR_Test_File [Libra]"
F-Secure said "./1/eicar.com: Infected: EICAR Test File [Orion]"
F-Secure said "./1/eicar.com: Infected: EICAR-Test-File [AVP]"
AntiVir said "ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus"

If any of your virus scanners (clamav,f-secure,antivir)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

Seems O.K. to me ... but :-)

Regards,
Götz

--[ UxBoD ]-- wrote:
> What is the output from MailScanner --lint ?
>
> Regards,
> --

Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, Minister a.D.
Managing Director: Prof. Thomas Schadt

From uxbod at splatnix.net Mon Feb 11 08:51:48 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Feb 11 08:52:08 2008
Subject: Switch from f-secure to avira - No "found ..." message in the log
In-Reply-To: <47B00A11.8010401@filmakademie.de>
Message-ID: <18038616.151202719908924.JavaMail.root@office.splatnix.net>

What happens if you set Virus Scanners = auto ? and then send a message with EICAR in it ? May be worth stopping MS and once you have sent the message run MailScanner --debug and see what is thrown up.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Götz Reinicke" wrote:
> Hi,
>
> MailScanner --lint
> Trying to setlogsock(unix)
> Checking version numbers...
> Version number in MailScanner.conf (4.66.5) is correct.
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-Filmakademie-MailScanner-From
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin reported no errors.
> MailScanner.conf says "Virus Scanners = f-secure antivir"
> Found these virus scanners installed: clamav, f-secure, antivir
> ===========================================================================
> ===========================================================================
> Virus Scanner test reports:
> F-Secure said "./1/eicar.com: Infected: EICAR_Test_File [Libra]"
> F-Secure said "./1/eicar.com: Infected: EICAR Test File [Orion]"
> F-Secure said "./1/eicar.com: Infected: EICAR-Test-File [AVP]"
> AntiVir said "ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus"
>
> If any of your virus scanners (clamav,f-secure,antivir)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its virus.scanners.conf.
>
> Seems O.K. to me ... but :-)
>
> Regards,
> Götz
From gerard at seibercom.net Mon Feb 11 11:33:33 2008 From: gerard at seibercom.net (Gerard) Date: Mon Feb 11 11:33:54 2008 Subject: Outbound relay on 587 In-Reply-To: <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> Message-ID: <20080211063333.58ebf07d@scorpio> On Sun, 10 Feb 2008 23:22:59 -0500 "Devon Harding" wrote: > > If you want to send via another server and port 587, you want both > > > > define(`SMART_HOST', `mail.isp.net') > > define(`RELAY_MAILER_ARGS', `TCP $h 587') > > > > > I wonder if I'm missing something. It looks like it's still using > port 25. This is sendmail.mc file: > > dnl # Uncomment and edit the following line if your outgoing mail > needs to dnl # be sent out through an external mail server: > dnl # > define(`SMART_HOST',`smtpout.secureserver.net') > define(`RELAY_MAILER_ARGS', `TCP $h 587') > dnl # > > And this is what I'm getting in /var/log/maillog: > > Feb 10 23:09:27 mars sendmail[3111]: m1B3xeD3002518: timeout waiting > for input from smtpout.secureserver.net during client greeting > Feb 10 23:09:27 mars sendmail[3111]: m1B3xeD3002518: > to=, ctladdr= (0/0), > delay=00:09:46, xdelay=00:05:00, mailer=relay, pri=120344, > relay=smtpout.secureserver.net [64.202.165.58], dsn=4.0.0, > stat=Deferred: Connection timed out with smtpout.secureserver.net Feb > 10 23:09:43 mars update.bad.phishing.sites: Phishing bad sites list > updated Feb 10 23:09:43 mars update.virus.scanners: Delaying cron job > up to 600 seconds I am not sure if this is your problem or not; however, I use Postfix, and am forced to use port 587 when sending to 'GMAIL', as well as my own ISP. Anyway, to accomplish that, I have to have TLS working on my system. That is rather trivial in Postfix, though I understand it is a major PIA with Sendmail. 
In any case, you might want to investigate that possibility. -- Gerard gerard@seibercom.net pension: A federally insured chain letter. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/c9193d96/signature.bin From devonharding at gmail.com Mon Feb 11 12:44:40 2008 From: devonharding at gmail.com (Devon Harding) Date: Mon Feb 11 12:44:48 2008 Subject: Outbound relay on 587 In-Reply-To: <20080211063333.58ebf07d@scorpio> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> Message-ID: <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> > > > > I am not sure if this is your problem or not; however, I use Postfix, > and am forced to use port 587 when sending to 'GMAIL', as well as my > own ISP. Anyway, to accomplish that, I have to have TLS working on my > system. That is rather trivial in Postfix, though I understand it is a > major PIA with Sendmail. In any case, you might want to investigate > that possibility. > Well, from the prompt, I can telnet to Godaddy's SMTP servers on port 587, it's just that sendmail doesn't seem to be using that port. I'm wondering what other config do I need to do. -Devon -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/880e88d2/attachment.html From uxbod at splatnix.net Mon Feb 11 12:48:53 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Feb 11 12:49:21 2008 Subject: Outbound relay on 587 In-Reply-To: <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> Message-ID: <18908440.721202734133135.JavaMail.root@office.splatnix.net> I presume you did re-compile the .mc and reload the configuration ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Devon Harding" wrote: > I am not sure if this is your problem or not; however, I use Postfix, > and am forced to use port 587 when sending to 'GMAIL', as well as my > own ISP. Anyway, to accomplish that, I have to have TLS working on my > system. That is rather trivial in Postfix, though I understand it is a > major PIA with Sendmail. In any case, you might want to investigate > that possibility. > > Well, from the prompt, I can telnet to Godaddy's SMTP servers on port > 587, it's just that sendmail doesn't seem to be using that port. I'm > wondering what other config do I need to do. > > -Devon -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From gerard at seibercom.net Mon Feb 11 13:02:37 2008 From: gerard at seibercom.net (Gerard) Date: Mon Feb 11 13:03:03 2008 Subject: Outbound relay on 587 In-Reply-To: <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> Message-ID: <20080211080237.05f2d5d4@scorpio> On Mon, 11 Feb 2008 07:44:40 -0500 "Devon Harding" wrote: [snip] > Well, from the prompt, I can telnet to Godaddy's SMTP servers on port > 587, it's just that sendmail doesn't seem to be using that port. I'm > wondering what other config do I need to do. OK, using telnet, access the SMTP server and attempt to send a message. You will know immediately if it needs authorization or not to complete the process. You might want to post the output of that telnet session here also. BTW, have you recompiled the *.mc files (I think that is what they are in Sendmail) and then restarted it? -- Gerard gerard@seibercom.net A fool must now and then be right by chance. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/0c9094b6/signature.bin

From Denis.Beauchemin at usherbrooke.ca Mon Feb 11 15:06:22 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Mon Feb 11 15:07:05 2008
Subject: can you strip attachments to a folder
In-Reply-To: <47AFA85A.1040403@rheel.co.nz>
References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> <47AF7F87.3010907@vanderkooij.org> <47AFA85A.1040403@rheel.co.nz>
Message-ID: <47B0646E.1080606@USherbrooke.ca>

Kathryn Allan wrote:
> It's not really message delivery I need though the email attachment
> doesn't ever go through to an email account but rather would be stored
> in a folder for another program to access.

Kathryn,

Couldn't you use the following to store the email on disk:

Non Spam Actions = %rules-dir%/non.spam.action.rules

where %rules-dir%/non.spam.action.rules contains:

From: whoever@yourplace.com store-nonspam
FromOrTo: Default deliver header "X-Spam-Status: No"

That would store all emails from whoever@yourplace.com on disk and not deliver them. Would that be OK? If you really need to do this only for emails with attachments, then you would have to create a custom SpamAssassin rule that checks for your attachment (there are already some such rules in 20_body_tests.cf and 20_html_tests.cf) and instead use:

SpamAssassin Rule Actions = your_rule=>store-nonspam

Hope this helps.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From gborders at balanceconsult.com Mon Feb 11 16:20:36 2008 From: gborders at balanceconsult.com (Greg Borders) Date: Mon Feb 11 16:23:19 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AF6523.7080803@rheel.co.nz> References: <47AF6523.7080803@rheel.co.nz> Message-ID: <47B075D4.90103@balanceconsult.com> Kathryn Allan wrote: > Hi all, > > Have had a request to do this and was wondering if it is even possible. > > Can I set mailscanner up so that any emails from a specific address - > if they have an attachment, the attachment gets stripped and dumped in > a specific folder? > > Thanks > Kate I've used a pair of tools to extract attachments after delivery. http://www.pldaniels.com/ripmime/ http://www.procmail.org/ Use procmail and a create a recipe that pipes a copy of the delivered mail to ripmime. ripmime will extract the attachment to a specified folder. You can then use a script/cron job to detect the presence of the newly created attachment, and fire off your other program that needs it. Greg. -- This email message and any document accompanying it may contain information intended only for the person(s) named. Any use, distribution, copying or disclosure by another person is strictly prohibited. NOTICE TO PERSONS SUBJECT TO UNITED STATES TAXATION: DISCLOSURE UNDER TREASURY CIRCULAR 230: Any tax advice included in this written or electronic communication was not intended or written to be used, and it cannot be used by the taxpayer, for the purpose of avoiding any penalties that may be imposed on the taxpayer by any governmental taxing authority or agency. This written or electronic communication does not represent legal advice. Persons in need of a legal opinion should seek competent counsel. 
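The post-delivery approach suggested in this thread (hand a copy of the delivered message to an extractor that writes its attachments into a folder for another program), sketched in Python as an added example; it is not code from any poster and it does not use ripmime. The sender address, size limit and function names are assumptions.

```python
"""Store attachments from one expected sender in a folder (added example)."""
import hashlib
import os
import re
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions, not values from the thread:
ALLOWED_SENDER = "reports@example.com"   # the one address whose attachments are wanted
MAX_BYTES = 10 * 1024 * 1024             # ignore attachments larger than 10 MiB

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_name(raw_name, payload):
    """Turn a sender-supplied filename into a harmless basename.

    The name inside the message is attacker-controlled: it may contain
    directory components ("../../x"), backslashes, or a leading dot.
    """
    base = os.path.basename((raw_name or "").replace("\\", "/"))
    base = _UNSAFE.sub("_", base).lstrip(".")[:80] or "attachment"
    # Prefix with a content hash so distinct files never collide by name.
    return hashlib.sha256(payload).hexdigest()[:12] + "_" + base


def extract_attachments(raw_message, dest_dir):
    """Write each attachment of raw_message (bytes) into dest_dir.

    Returns the list of paths written. Messages from any other sender are
    ignored. The From header can be forged, so the consuming program must
    still treat the stored files as untrusted input.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != ALLOWED_SENDER:
        return []
    written = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload or len(payload) > MAX_BYTES:
            continue
        path = os.path.join(dest_dir, safe_name(part.get_filename(), payload))
        try:
            # O_EXCL refuses to overwrite an existing file or follow a
            # symlink planted at that path.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
        except FileExistsError:
            continue  # same content and name already stored
        with os.fdopen(fd, "wb") as handle:
            handle.write(payload)
        written.append(path)
    return written


def build_sample(sender, filename):
    """Constructed test message with one small attachment."""
    msg = EmailMessage()
    msg["From"] = "Reports <%s>" % sender
    msg["To"] = "inbox@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"col1,col2\n1,2\n", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        raw = build_sample(ALLOWED_SENDER, "../../etc/cron.d/job.csv")
        for stored in extract_attachments(raw, folder):
            print("stored", os.path.basename(stored))
```

In a real setup the delivery agent would pass the raw message to `extract_attachments()` on standard input, and the destination folder should be writable only by that account.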
From kate at rheel.co.nz Mon Feb 11 21:07:27 2008
From: kate at rheel.co.nz (Kathryn Allan)
Date: Mon Feb 11 21:07:14 2008
Subject: can you strip attachments to a folder
In-Reply-To: <47B0646E.1080606@USherbrooke.ca>
References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> <47AF7F87.3010907@vanderkooij.org> <47AFA85A.1040403@rheel.co.nz> <47B0646E.1080606@USherbrooke.ca>
Message-ID: <47B0B90F.4040601@rheel.co.nz>

Thanks Denis, will give this a shot.

Kate

Denis Beauchemin wrote:
> Kathryn Allan wrote:
>> It's not really message delivery I need though the email attachment
>> doesn't ever go through to an email account but rather would be
>> stored in a folder for another program to access.
>
> Kathryn,
>
> Couldn't you use the following to store the email on disk:
>
> Non Spam Actions = %rules-dir%/non.spam.action.rules
>
> where %rules-dir%/non.spam.action.rules contains:
> From: whoever@yourplace.com store-nonspam
> FromOrTo: Default deliver header "X-Spam-Status: No"
>
> That would store all emails from whoever@yourplace.com on disk and not
> deliver them. Would that be OK? If you really need to do this only
> for emails with attachments, then you would have to create a custom
> SpamAssassin rule that checks for your attachment (there are already
> some such rules in 20_body_tests.cf and 20_html_tests.cf) and instead
> use:
>
> SpamAssassin Rule Actions = your_rule=>store-nonspam
>
> Hope this helps.
>
> Denis

--
Kate Kleinschafer
Internet Services
GetRheel /A division of Rheel Electronics Ltd /
Phone +64-3-386 3070
Fax +64-3-386-3071
Mobile +64-21-386-394
email: kate@rheel.co.nz
www.getrheel.co.nz
From edward at tdcs.com.au Mon Feb 11 21:07:37 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Mon Feb 11 21:08:03 2008 Subject: Not scanning for spam? Message-ID: <1202764057.31705.3.camel@ubuntu.tdcs.com.au> For the last three days or so I've noticed some spam getting through. Not huge amounts but it appears from my log they're not even getting looked at (addresses changed to protect the innocent): Feb 12 01:47:14 ubuntu postfix/smtpd[29715]: connect from unknown[219.139.33.58] Feb 12 01:47:17 ubuntu postfix/smtpd[29715]: 1A5F4C70273: client=unknown[219.139.33.58] Feb 12 01:47:19 ubuntu postfix/cleanup[29719]: 1A5F4C70273: hold: header Received: from 219.139.33.58 (unknown [219.139.33.58])??by mydomain.com.au (Postfix) with ESMTP id 1A5F4C70273??for ; Tue, 12 Feb 2008 01:47:16 +0900 (WST) from unknown[219.139.33.58]; from= to= proto=ESMTP helo=<219.139.33.58> Feb 12 01:47:19 ubuntu postfix/cleanup[29719]: 1A5F4C70273: message-id=<000a01c86ccd$0187cc62$bc517ba5@hugwbuoo> Feb 12 01:47:19 ubuntu MailScanner[24154]: New Batch: Scanning 1 messages, 2517 bytes Feb 12 01:47:19 ubuntu MailScanner[24154]: Spam Checks: Starting Feb 12 01:47:19 ubuntu MailScanner[24154]: Requeue: 1A5F4C70273.EDF38 to B65C4C7029D Feb 12 01:47:19 ubuntu postfix/qmgr[5357]: B65C4C7029D: from=, size=2002, nrcpt=1 (queue active) Feb 12 01:47:19 ubuntu MailScanner[24154]: Unscanned: Delivered 1 messages Feb 12 01:47:19 ubuntu MailScanner[24154]: Virus and Content Scanning: Starting Feb 12 01:47:19 ubuntu postfix/local[29721]: B65C4C7029D: to=, relay=local, delay=3.2, delays=3.2/0.02/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a $EXTENSION) Feb 12 01:47:19 ubuntu postfix/qmgr[5357]: B65C4C7029D: removed Feb 12 01:47:20 ubuntu postfix/smtpd[29715]: disconnect from unknown[219.139.33.58] Feb 12 01:47:21 ubuntu MailScanner[24154]: Virus Scanning completed at 1304 bytes per second Feb 12 01:47:21 ubuntu MailScanner[24154]: Batch completed at 1299 bytes per second 
(2517 / 1) Feb 12 01:47:21 ubuntu MailScanner[24154]: Batch (1 message) processed in 1.94 seconds Any ideas why it would say it's starting checks then delivers it unscanned? Theres no mention of goecities in my whitelists or anything. Regards, Ed. 
From hvdkooij at vanderkooij.org Mon Feb 11 22:22:33 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Feb 11 22:23:02 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AFA85A.1040403@rheel.co.nz> References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> <47AF7F87.3010907@vanderkooij.org> <47AFA85A.1040403@rheel.co.nz> Message-ID: <47B0CAA9.2050301@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kathryn Allan wrote: | Its not really message delivery I need though the email attachment | doesn't ever go through to an email account but rather would be stored | in a folder for another program to access. You do not need MailScanner for this. You definitly need to look into procmail to solve your email processing needs. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHsMqnBvzDRVjxmYERAhI+AJ91TYiOBKZyr+XcAfVlIlHdNeyzSQCgpDOm xroiKjdLtpajXnbo83PB1KQ= =OxGj -----END PGP SIGNATURE----- From edward at tdcs.com.au Mon Feb 11 23:08:10 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Mon Feb 11 23:09:35 2008 Subject: Not scanning for spam? 
In-Reply-To: <1202764057.31705.3.camel@ubuntu.tdcs.com.au> References: <1202764057.31705.3.camel@ubuntu.tdcs.com.au> Message-ID: > Any ideas why it would say it's starting checks then delivers it > unscanned? > > Theres no mention of goecities in my whitelists or anything. > > Regards, > Ed. Sorry for replying to my own post, but this has been resolved. A few mails to the university of Berlin's echo server showed that mailscanner was completely ignoring scanning of ANY messages. This was due to me having the problem sending attachments last week, in which I played with a lot of rules files. One of which was scan.messages.rules. I had the default as no, which is what the other rules files seem to want. Of course, the default is supposed to be yes in this file. One follow up question (I'm using Ubuntu Gutsy server) if you don't mind. What is the correct way to re-load the MailScanner configuration? I'm using "/etc/init.d/mailscanner reload" When I sent my test message, there was no change to the result. A re-boot of the server DID load the new settings. So I must be trying to re-load the settings wrong. Could someone explain how to properly re-start MailScanner? Seems trivial, and I thought I was doing it correctly, but obviously not. Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Mon Feb 11 23:25:42 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Feb 11 23:26:07 2008 Subject: Not scanning for spam? In-Reply-To: References: <1202764057.31705.3.camel@ubuntu.tdcs.com.au> Message-ID: on 2/11/2008 3:08 PM Edward Dekkers spake the following: >> Any ideas why it would say it's starting checks then delivers it >> unscanned? >> >> Theres no mention of goecities in my whitelists or anything. >> >> Regards, >> Ed. > > Sorry for replying to my own post, but this has been resolved. 
A few mails > to the university of Berlin's echo server showed that mailscanner was > completely ignoring scanning of ANY messages. > > This was due to me having the problem sending attachments last week, in > which I played with a lot of rules files. One of which was > scan.messages.rules. > > I had the default as no, which is what the other rules files seem to want. > Of course, the default is supposed to be yes in this file. > > One follow up question (I'm using Ubuntu Gutsy server) if you don't mind. > > What is the correct way to re-load the MailScanner configuration? > > I'm using "/etc/init.d/mailscanner reload" > > When I sent my test message, there was no change to the result. > > A re-boot of the server DID load the new settings. > > So I must be trying to re-load the settings wrong. > > Could someone explain how to properly re-start MailScanner? > > Seems trivial, and I thought I was doing it correctly, but obviously not. > > Regards, > Ed. > > > In an RPM based installation a reload usually does just that. Are you using an init script provided by Julian or from someone else? Julian has this init script for Debian based distros; http://www.mailscanner.info/files/4/mailscanner.debian.init.d Maybe if yours is from a packager, it is different. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 187 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/24f78135/signature.bin From ssilva at sgvwater.com Mon Feb 11 23:28:31 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Feb 11 23:30:12 2008 Subject: Not scanning for spam? 
In-Reply-To: References: <1202764057.31705.3.camel@ubuntu.tdcs.com.au> Message-ID: on 2/11/2008 3:08 PM Edward Dekkers spake the following: >> Any ideas why it would say it's starting checks then delivers it >> unscanned? >> >> Theres no mention of goecities in my whitelists or anything. >> >> Regards, >> Ed. > > Sorry for replying to my own post, but this has been resolved. A few mails > to the university of Berlin's echo server showed that mailscanner was > completely ignoring scanning of ANY messages. > > This was due to me having the problem sending attachments last week, in > which I played with a lot of rules files. One of which was > scan.messages.rules. > > I had the default as no, which is what the other rules files seem to want. > Of course, the default is supposed to be yes in this file. > > One follow up question (I'm using Ubuntu Gutsy server) if you don't mind. > > What is the correct way to re-load the MailScanner configuration? > > I'm using "/etc/init.d/mailscanner reload" > > When I sent my test message, there was no change to the result. > > A re-boot of the server DID load the new settings. > > So I must be trying to re-load the settings wrong. > > Could someone explain how to properly re-start MailScanner? > > Seems trivial, and I thought I was doing it correctly, but obviously not. > > Regards, > Ed. > > > And if a reload doesn't work, a "/etc/init.d/mailscanner restart" should. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 187 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/9596a13f/signature.bin From ravenpi at gmail.com Tue Feb 12 00:41:05 2008 From: ravenpi at gmail.com (ravenpi@gmail.com) Date: Tue Feb 12 00:41:15 2008 Subject: It done broke. "Returned 22 with signal 0". 
Message-ID: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> Hey, all. Long-time MailScanner user, always been very happy with it. Have it installed on my month-old Ubuntu box, when, suddenly, it died this past Sunday. Syslog says: Mailscanner: Process did not exit cleanly, returned 22 with signal 0 Running in debug mode says: [...] max message size is '40k' max message size is '40k' Ignore errors about failing to find EOCD signature Can't use an undefined value as a symbol reference at /usr/share/MailScanner/MailScanner/Message.pm line 1495. Lines 1494 & 1495 are: $handle = IO::File->new_tmpfile; binmode($handle); The funny thing is, when I change 1494 to $handle = IO::File->new_tmpfile or die "It didn't work: $!" Sure enough, it dies. So, for the hell of it, I made a mini Perl standalone: #!/usr/bin/perl use IO::File; $handle = IO::File->new_tmpfile; binmode($handle); And that worked just fine, so Perl seems okay (no?). I did a full uninstall and re-install, including re-tweaking my config files, and it worked... for about 15 messages, then is doing the exact same thing all over again. ANY ideas? Or do I have to regen my damn box? (Note: I also poked around in all the usual places for signs of an intruder, but haven't found anything.) Thanks much, -Ken -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/db7dac5b/attachment.html From ugob at lubik.ca Tue Feb 12 03:53:06 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Feb 12 04:03:50 2008 Subject: It done broke. "Returned 22 with signal 0". In-Reply-To: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> Message-ID: ravenpi@gmail.com wrote: > Hey, all. Long-time MailScanner user, always been very happy with it. > Have it installed on my month-old Ubuntu box, when, suddenly, it died > this past Sunday. 
Syslog says: > Mailscanner: Process did not exit cleanly, returned 22 with signal 0 > > Running in debug mode says: > [...] > max message size is '40k' > max message size is '40k' > Ignore errors about failing to find EOCD signature > Can't use an undefined value as a symbol reference at > /usr/share/MailScanner/MailScanner/Message.pm line 1495. > > Lines 1494 & 1495 are: > $handle = IO::File->new_tmpfile; > binmode($handle); > > The funny thing is, when I change 1494 to > $handle = IO::File->new_tmpfile or die "It didn't work: $!" > Sure enough, it dies. So, for the hell of it, I made a mini Perl > standalone: > #!/usr/bin/perl > use IO::File; > $handle = IO::File->new_tmpfile; > binmode($handle); > > And that worked just fine, so Perl seems okay (no?). > > I did a full uninstall and re-install, including re-tweaking my config > files, and it worked... for about 15 messages, then is doing the exact > same thing all over again. > > ANY ideas? Or do I have to regen my damn box? (Note: I also poked > around in all the usual places for signs of an intruder, but haven't > found anything.) Try using the internal TNEF decoder. Ugo From ugob at lubik.ca Tue Feb 12 04:13:13 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Feb 12 04:13:43 2008 Subject: It done broke. "Returned 22 with signal 0". In-Reply-To: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> Message-ID: ravenpi@gmail.com wrote: > Hey, all. Long-time MailScanner user, always been very happy with it. > Have it installed on my month-old Ubuntu box, when, suddenly, it died > this past Sunday. Syslog says: > Mailscanner: Process did not exit cleanly, returned 22 with signal 0 > > Running in debug mode says: What does 'MailScanner --lint' and 'MailScanner -V' show? 
Ugo From Robert.Meurlin at se.fujitsu.com Tue Feb 12 08:37:34 2008 From: Robert.Meurlin at se.fujitsu.com (Meurlin Robert) Date: Tue Feb 12 08:38:41 2008 Subject: continue not asking DCC Message-ID: <797363C57EE0884786F428AAABCD469201490A68@sea0120sex2.nordic.x> Hello, I got this in my log after installing DCC: continue not asking DCC 506 seconds after failure and when I write in command line cdcc info # 02/11/08 16:43:35 CET /var/dcc/map # Re-resolve names after 17:48:47 # 12 total, 0 working servers # skipping asking DCC server 64 seconds more IPv6 off dcc1.dcc-servers.net,- RTT+1000 ms anon # 192.135.10.194,- # not answering # 208.201.249.233,- # not answering # 209.169.14.29,- # not answering dcc2.dcc-servers.net,- RTT+1000 ms anon # 71.246.8.99,- # not answering # 193.166.171.33,- # not answering dcc3.dcc-servers.net,- RTT+1000 ms anon # 64.124.52.232,- # not answering # 194.228.41.73,- # not answering dcc4.dcc-servers.net,- RTT+1000 ms anon # 137.208.8.26,- # not answering # 209.169.14.27,- # not answering dcc5.dcc-servers.net,- RTT+1000 ms anon # 208.201.249.232,- # not answering # 217.20.119.18,- # not answering I have open UDP port 6277 in/out. Do anyone have any idée? Robert -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080212/79d485f6/attachment.html From alxfrag at gmail.com Tue Feb 12 10:40:56 2008 From: alxfrag at gmail.com (AlxFrag) Date: Tue Feb 12 10:40:35 2008 Subject: No programs allowed Message-ID: <47B177B8.6000001@gmail.com> Hi all, I have a strange problem with mailscanner. I've configured it so as text files are allowed. A few of my users send emails but they are blocked by mailscanner. Mailscanner says: No programs allowed (msg-22222-12). These emails have no attachments. A few of these emails are generated by moodle php scripts and they contain greek characters. Any ideas? 
Thanks in advance, Alexandros From uxbod at splatnix.net Tue Feb 12 10:48:58 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Feb 12 10:49:29 2008 Subject: No programs allowed In-Reply-To: <47B177B8.6000001@gmail.com> Message-ID: <11368610.151202813338565.JavaMail.root@office.splatnix.net> ----- "AlxFrag" wrote: > Hi all, > > I have a strange problem with mailscanner. I've configured it so as > text > files are allowed. A few of my users send emails but they are blocked > by > mailscanner. > Mailscanner says: > No programs allowed (msg-22222-12). > > These emails have no attachments. A few of these emails are generated > by > moodle php scripts and they contain greek characters. > > > Any ideas? > > Thanks in advance, > > Alexandros find the message in your quarantine and run 'file' against it. Post what that reports please ... Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alxfrag at gmail.com Tue Feb 12 10:58:14 2008 From: alxfrag at gmail.com (AlxFrag) Date: Tue Feb 12 10:57:47 2008 Subject: No programs allowed In-Reply-To: <11368610.151202813338565.JavaMail.root@office.splatnix.net> References: <11368610.151202813338565.JavaMail.root@office.splatnix.net> Message-ID: <47B17BC6.6000005@gmail.com> --[ UxBoD ]-- wrote: > ----- "AlxFrag" wrote: > > >> Hi all, >> >> I have a strange problem with mailscanner. I've configured it so as >> text >> files are allowed. A few of my users send emails but they are blocked >> by >> mailscanner. >> Mailscanner says: >> No programs allowed (msg-22222-12). >> >> These emails have no attachments. 
A few of these emails are generated >> by >> moodle php scripts and they contain greek characters. >> >> >> Any ideas? >> >> Thanks in advance, >> >> Alexandros >> > find the message in your quarantine and run 'file' against it. Post what that reports please ... > > > Regards, > > i've found the quarantined email. It consists of two files called message and msg-5716-14.txt: message: RFC 822 mail text msg-5716-14.txt: PARIX executable -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080212/eebf7c93/attachment.html From martinh at solidstatelogic.com Tue Feb 12 11:04:56 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Feb 12 11:05:12 2008 Subject: No programs allowed In-Reply-To: <47B17BC6.6000005@gmail.com> Message-ID: <46e542c2de9d7a438e614662f9586a2e@solidstatelogic.com> Hi This is a problem with the file command getting confused with non English 'text' attachments. Latest beta has some things in it to help with this. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of AlxFrag > Sent: 12 February 2008 10:58 > To: MailScanner discussion > Subject: Re: No programs allowed > > --[ UxBoD ]-- wrote: > > ----- "AlxFrag" > wrote: > > > > Hi all, > > I have a strange problem with mailscanner. I've configured it > so as > text > files are allowed. A few of my users send emails but they are > blocked > by > mailscanner. > Mailscanner says: > No programs allowed (msg-22222-12). > > These emails have no attachments. A few of these emails are > generated > by > moodle php scripts and they contain greek characters. > > > Any ideas? > > Thanks in advance, > > Alexandros > > > find the message in your quarantine and run 'file' against it. Post > what that reports please ... 
> > > Regards, > > > > i've found the quarantined email. It consists of two files called message > and msg-5716-14.txt: > > message: RFC 822 mail text > > msg-5716-14.txt: PARIX executable > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From uxbod at splatnix.net Tue Feb 12 11:07:18 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Feb 12 11:07:40 2008 Subject: No programs allowed In-Reply-To: <47B17BC6.6000005@gmail.com> Message-ID: <19508891.181202814438685.JavaMail.root@office.splatnix.net> Okay, could you do the same thing with file -i please ? 
Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Tue Feb 12 11:10:55 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Feb 12 11:11:17 2008 Subject: No programs allowed In-Reply-To: <46e542c2de9d7a438e614662f9586a2e@solidstatelogic.com> Message-ID: <18785887.211202814655221.JavaMail.root@office.splatnix.net> Doh! Good spot Martin, forgot all about that ... Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Martin.Hepworth" wrote: > Hi > > This is a problem with the file command getting confused with non > English 'text' attachments. > > Latest beta has some things in it to help with this. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alxfrag at gmail.com Tue Feb 12 11:14:42 2008 From: alxfrag at gmail.com (AlxFrag) Date: Tue Feb 12 11:14:17 2008 Subject: No programs allowed In-Reply-To: <19508891.181202814438685.JavaMail.root@office.splatnix.net> References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> Message-ID: <47B17FA2.4030703@gmail.com> --[ UxBoD ]-- wrote: > Okay, could you do the same thing with file -i please ? 
> > Regards, > > Thanks for your support :) file -i gives: message: message/rfc822 msg-5716-14.txt: text/plain; charset=utf-8 From devonharding at gmail.com Tue Feb 12 13:26:17 2008 From: devonharding at gmail.com (Devon Harding) Date: Tue Feb 12 13:26:25 2008 Subject: Outbound relay on 587 In-Reply-To: <20080211080237.05f2d5d4@scorpio> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> Message-ID: <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> > > > > OK, using telnet, access the SMTP server and attempt to send a message. > You will know immediately if it needs authorization or not to complete > the process. You might want to post the output of that telnet session > here also. > > BTW, have you recompiled the *.mc files (I think that is what they are > in Sendmail) and then restarted it? > > -- I ran a make -C /etc/mail and restarted the PC. I also change the provider to comcast and got a similar message. What is the format of the /etc/mail/authinfo file? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080212/61d2a9e2/attachment.html From Denis.Beauchemin at usherbrooke.ca Tue Feb 12 13:58:00 2008 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Tue Feb 12 13:59:53 2008 Subject: continue not asking DCC In-Reply-To: <797363C57EE0884786F428AAABCD469201490A68@sea0120sex2.nordic.x> References: <797363C57EE0884786F428AAABCD469201490A68@sea0120sex2.nordic.x> Message-ID: <47B1A5E8.8080401@USherbrooke.ca> Meurlin Robert wrote: > > Hello, > > I got this in my log after installing DCC: > > continue not asking DCC 506 seconds after failure > > > > and when I write in command line > > cdcc info > > # 02/11/08 16:43:35 CET /var/dcc/map > > # Re-resolve names after 17:48:47 > > # 12 total, 0 working servers > > # skipping asking DCC server 64 seconds more > > IPv6 off > > > > dcc1.dcc-servers.net,- RTT+1000 ms anon > > # 192.135.10.194,- > > # not answering > > # 208.201.249.233,- > > # not answering > > # 209.169.14.29,- > > # not answering > > > > dcc2.dcc-servers.net,- RTT+1000 ms anon > > # 71.246.8.99,- > > # not answering > > # 193.166.171.33,- > > # not answering > > > > dcc3.dcc-servers.net,- RTT+1000 ms anon > > # 64.124.52.232,- > > # not answering > > # 194.228.41.73,- > > # not answering > > > > dcc4.dcc-servers.net,- RTT+1000 ms anon > > # 137.208.8.26,- > > # not answering > > # 209.169.14.27,- > > # not answering > > > > dcc5.dcc-servers.net,- RTT+1000 ms anon > > # 208.201.249.232,- > > # not answering > > # 217.20.119.18,- > > # not answering > > > > I have open UDP port 6277 in/out. > > > > Do anyone have any idée? > > > > Robert > > > Robert, I'm not sure about the port number... 
my dccifd daemon is listening on 46416 : (output from netstat -tupan) udp 0 0 0.0.0.0:46416 0.0.0.0:* 3694/dccifd Since my iptables accepts established connexions I didn't open any port for it to work: ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED and cdcc info returns: cdcc info # 02/12/08 08:52:24 EST /var/dcc/map # Re-resolve names after 10:02:06 # 1652.01 ms threshold, 1495.53 ms average 12 total, 10 working servers IPv6 off dcc1.dcc-servers.net,- RTT+1000 ms anon # 192.135.10.194,- debian ID 1169 # protocol version 7 # 97% of 32 requests ok 552.01+1000 ms RTT 100 ms queue wait # 194.228.41.13,- CTc-dcc2 ID 1031 # protocol version 7 # 88% of 32 requests ok 613.71+1000 ms RTT 100 ms queue wait # 208.201.249.233,- sonic.net ID 1117 # 33% of 6 requests ok 2431.22+1000 ms RTT 500 ms queue wait dcc2.dcc-servers.net,- RTT+1000 ms anon # 194.119.212.6,- dcc1 ID 1182 # 88% of 32 requests ok 627.57+1000 ms RTT 300 ms queue wait # 203.81.36.6,- PacNet-SG ID 1358 # protocol version 7 # 88% of 32 requests ok 557.65+1000 ms RTT 100 ms queue wait dcc3.dcc-servers.net,- RTT+1000 ms anon # 137.208.8.26,- wuwien ID 1290 # 97% of 32 requests ok 1020.06+1000 ms RTT 300 ms queue wait # 152.20.253.5,- dcc.uncw.edu ID 1201 # 100% of 32 requests ok 807.54+1000 ms RTT 500 ms queue wait dcc4.dcc-servers.net,- RTT+1000 ms anon # 142.27.70.214,- CollegeOfNewCaledonia ID 1189 # protocol version 7 # not answering # 207.195.195.223,- SIHOPE-DCC-3 ID 1085 # 81% of 32 requests ok 1364.47+1000 ms RTT 100 ms queue wait dcc5.dcc-servers.net,- RTT+1000 ms anon # 71.246.8.99,- Misty ID 1170 # protocol version 7 # 94% of 32 requests ok 727.02+1000 ms RTT 200 ms queue wait # *195.20.8.232,- EATSERVER ID 1166 # 100% of 32 requests ok 171.74+1000 ms RTT 70 ms queue wait 127.0.0.1,- RTT-1000 ms 32768 3499495290y548 # 127.0.0.1,- # not answering ################ # 02/12/08 08:52:24 EST GreyList /var/dcc/map # Re-resolve names after 10:43:06 # 1 total, 0 working servers # skipping asking 
Greylist server 64 seconds more 127.0.0.1,- Greylist 32768 3499495290y548 # 127.0.0.1,6276 # not answering For yesterday's emails I got that many emails caught by DCC: sa-hits --log /var/log/old/maillog.20080211|grep -i dcc DCC_CHECK 3801 Hope this helps. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From campbell at cnpapers.com Tue Feb 12 15:17:19 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Feb 12 15:17:56 2008 Subject: Extreme OT - Thunderbird display problem. Message-ID: <47B1B87F.6020307@cnpapers.com> This is real OT, so I am accepting any spears thrown my way. I don't know where the problem really is - Sendmail, Thunderbird, or just what, so I ask here hoping others have run into this problem. It is definitely not a MailScanner problem. Google hasn't helped me, nor has the Thunderbird site. I use rkhunter to report the status of my systems every day by email. The output of the reports sometimes uses the older console control characters for formatting. This does not display very well on my email reports, as tabs show up as "[1;32m" Anyone know a fix for this either in SendMail, Thunderbird or any other place? I use Linux Sendmail servers and a PC with Thunderbird as a mail reader. Hopefully an add-on or something? 
Thanks, Steve Campbell From gerard at seibercom.net Tue Feb 12 15:34:08 2008 From: gerard at seibercom.net (Gerard) Date: Tue Feb 12 15:34:34 2008 Subject: Outbound relay on 587 In-Reply-To: <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> Message-ID: <20080212103408.77fd3e85@scorpio> On Tue, 12 Feb 2008 08:26:17 -0500 "Devon Harding" wrote: > I ran a make -C /etc/mail and restarted the PC. I also change the > provider to comcast and got a similar message. > > What is the format of the /etc/mail/authinfo file? If you mentioned the OS you are employing, I must have missed it. Anyway, that would not be the way to rebuild the *.mc files on a FreeBSD machine. Here, you would enter the /etc/mail directory and run: make all install restart I am not sure how to accomplish that on your OS however. I am probably wrong; however, I just do not think what you used will work. Just my 2¢. -- Gerard gerard@seibercom.net A bug in the code is worth two in the documentation. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080212/a8568217/signature.bin From MailScanner at ecs.soton.ac.uk Tue Feb 12 16:16:38 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 12 16:17:16 2008 Subject: No programs allowed In-Reply-To: <47B17FA2.4030703@gmail.com> References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> Message-ID: <47B1C666.9060900@ecs.soton.ac.uk> In which case the simplest thing for you to do is to upgrade to the latest beta release (4.67.something). This includes a new feature where you can match against the output of the "file -i" command as well as (or instead of) the "file" command, in the filetype.rules.conf file. Or else, create an "allow" rule for "PARIX executable" in filetype.rules.conf, and wait until the start of next month when I release the next stable release. AlxFrag wrote: > --[ UxBoD ]-- wrote: >> Okay, could you do the same thing with file -i please ? >> >> Regards, >> >> > Thanks for your support :) > > file -i gives: > > message: message/rfc822 > > msg-5716-14.txt: text/plain; charset=utf-8 > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Tue Feb 12 16:19:01 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 12 16:19:35 2008 Subject: No programs allowed In-Reply-To: <47B17FA2.4030703@gmail.com> References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> Message-ID: <47B1C6F5.2060701@ecs.soton.ac.uk> Oh, here's the comment from the latest ChangeLog which tells you a bit about the new "file -i" feature: 3 Implemented file MIME type checking, as reported by the "file -i" command. This includes 3 new settings, which all work just like their non-MIME brothers: "Log Permitted File MIME Types", "Allow File MIME Types" and "Deny File MIME Types". The main use is via the filetype.rules.conf file, where a new optional field may be added just after the regular expression field (just after the 2nd field in each line). If this field is added, then the "file -i" command is run on every batch of messages and the output checked against the MIME types specified in the newly inserted 3rd field (out of fields 1-5 on each line of filetype.rules.conf files). AlxFrag wrote: > --[ UxBoD ]-- wrote: >> Okay, could you do the same thing with file -i please ? >> >> Regards, >> >> > Thanks for your support :) > > file -i gives: > > message: message/rfc822 > > msg-5716-14.txt: text/plain; charset=utf-8 > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
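Added example, not part of the original thread and not MailScanner's own code: a small Python model of how filetype.rules.conf lines with the optional third "file -i" field from the ChangeLog entry above could be evaluated next to the classic 4-field lines, using the misidentified text attachment from this thread. Assumptions: fields are tab-separated, "-" in a regex field means that output is not tested, the first matching rule wins, a rule carrying both regexes needs both to match, and a file matching no rule is allowed; the sample rules and every file output not quoted in the thread are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Pattern


class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    file_re: Optional[Pattern]   # tested against `file` output; None when "-"
    mime_re: Optional[Pattern]   # tested against `file -i` output; None when absent or "-"
    log_text: str
    user_text: str


def _pattern(field: str) -> Optional[Pattern]:
    """Compile a regex field; "-" is taken to mean 'do not test' (assumption)."""
    return None if field == "-" else re.compile(field)


def parse_rules(text: str) -> List[Rule]:
    """Parse classic 4-field lines and 5-field lines with a MIME regex."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) == 4:
            action, file_pat, log_text, user_text = fields
            mime_pat = "-"
        elif len(fields) == 5:
            action, file_pat, mime_pat, log_text, user_text = fields
        else:
            # Typical cause: the fields were separated with spaces, not tabs.
            raise ValueError(
                f"line {lineno}: expected 4 or 5 tab-separated fields, "
                f"got {len(fields)}")
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unsupported action {action!r}")
        rules.append(Rule(action, _pattern(file_pat), _pattern(mime_pat),
                          log_text, user_text))
    return rules


def decide(rules: List[Rule], file_output: str, mime_output: str) -> str:
    """Return the action of the first rule whose tested regexes all match."""
    for rule in rules:
        tests = []
        if rule.file_re is not None:
            tests.append(rule.file_re.search(file_output) is not None)
        if rule.mime_re is not None:
            tests.append(rule.mime_re.search(mime_output) is not None)
        if tests and all(tests):
            return rule.action
    return "allow"  # assumption: nothing matched, so the file passes


# Constructed rule sets (tabs written as \t so they stay visible).
CLASSIC = "deny\texecutable\tNo executables\tNo programs allowed\n"
WORKAROUND = "allow\tPARIX executable\t-\t-\n" + CLASSIC
WITH_MIME = "allow\t-\t^text/plain\t-\t-\n" + CLASSIC

# (file output, file -i output). The first pair uses the values reported in
# the thread; the other MIME strings and the ELF entry are constructed.
SAMPLES = {
    "msg-5716-14.txt": ("PARIX executable", "text/plain; charset=utf-8"),
    "other.txt": ("DOS executable (COM)", "text/plain; charset=utf-8"),
    "tool.bin": ("ELF 32-bit LSB executable", "application/x-executable"),
}


def report(rule_text: str) -> dict:
    """Map each sample name to the decision under the given rule set."""
    rules = parse_rules(rule_text)
    return {name: decide(rules, f, m) for name, (f, m) in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in (("classic", CLASSIC), ("workaround", WORKAROUND),
                        ("with MIME field", WITH_MIME)):
        print(label, report(text))
```

The per-string allow rule only rescues the one misidentification it names, while the MIME rule covers both text files and still leaves the real executable denied.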
From doc at maddoc.net Tue Feb 12 16:25:26 2008 From: doc at maddoc.net (Doc Schneider) Date: Tue Feb 12 16:26:04 2008 Subject: New ClamAV released Message-ID: <47B1C876.9070700@maddoc.net> ClamAV 0.92.1 This is a bugfix release, please refer to the ChangeLog for a complete list of changes. -- -Doc Lincoln, NE. http://www.fsl.com http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From ravenpi at gmail.com Tue Feb 12 17:41:36 2008 From: ravenpi at gmail.com (ravenpi@gmail.com) Date: Tue Feb 12 17:41:46 2008 Subject: It done broke. "Returned 22 with signal 0". In-Reply-To: References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> Message-ID: <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com> [For the record, I also set up to use the native TNEF decoder.] Thanks for the pointer; I hadn't thought to run that. --lint initially showed a bunch of permissions problems (including temporary files, which was tantalizing), but I fixed up the permissions, and it still fails with debug, etc.. Here is what I now get with --lint: root@elanor:/var/lib/MailScanner# MailScanner --lint Read 759 hostnames from the phishing whitelist MailScanner setting GID to (121) MailScanner setting UID to (112) Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = flock MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: clamav So, that looks pretty good to me. 
Then, I tried the -V: root@elanor:/var/lib/MailScanner# MailScanner -V Running on Linux elanor.jots.org 2.6.20-16-generic #2 SMP Tue Dec 18 05:45:12 UTC 2007 i686 GNU/Linux This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.57.6 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 1.04 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.16 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.55 HTML::Parser 2.37 HTML::TokeParser 1.22 IO 1.13 IO::File 1.13 IO::Pipe 1.74 Mail::Header 3.07 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.07 MIME::QuotedPrint 5.420 MIME::Tools 0.11 Net::CIDR 1.09 POSIX 1.78 Socket 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: 0.17 Convert::TNEF 1.814 DB_File 1.13 DBD::SQLite 1.53 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 missing Inline missing Mail::ClamAV 3.001007 Mail::SpamAssassin 1.999001 Mail::SPF::Query 0.20 Net::CIDR::Lite 1.25 Net::IP 0.59 Net::DNS missing Net::LDAP missing Parse::RecDescent missing SAVI 2.56 Test::Harness 0.62 Test::Simple 1.95 Text::Balanced 1.35 URI Don't see anything particularly awry. But thems as knows more than I might be able to point out something I'm overlooking. Thanks for your suggestions! On Feb 11, 2008 11:13 PM, Ugo Bellavance wrote: > ravenpi@gmail.com wrote: > > Hey, all. Long-time MailScanner user, always been very happy with it. > > Have it installed on my month-old Ubuntu box, when, suddenly, it died > > this past Sunday. Syslog says: > > Mailscanner: Process did not exit cleanly, returned 22 with signal 0 > > > > Running in debug mode says: > > What does 'MailScanner --lint' and 'MailScanner -V' show? 
> > > Ugo > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080212/5a8b8a8b/attachment.html From glenn.steen at gmail.com Tue Feb 12 18:09:45 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 12 18:10:01 2008 Subject: Extreme OT - Thunderbird display problem. In-Reply-To: <47B1B87F.6020307@cnpapers.com> References: <47B1B87F.6020307@cnpapers.com> Message-ID: <223f97700802121009k1bc07c34xeb3aabd3a17ff6cb@mail.gmail.com> On 12/02/2008, Steve Campbell wrote: > This is real OT, so I am accepting any spears thrown my way. > > I don't know where the problem really is - Sendmail, Thunderbird, or > just what, so I ask here hoping others have run into this problem. It is > definitely not a MailScanner problem. Google hasn't helped me, nor has > the Thunderbird site. > > I use rkhunter to report the status of my systems every day by email. > The output of the reports sometimes uses the older console control > characters for formatting. This does not display very well on my email > reports, as tabs show up as "[1;32m" > > Anyone know a fix for this either in SendMail, Thunderbird or any other > place? I use Linux Sendmail servers and a PC with Thunderbird as a mail > reader. Hopefully an add-on or something? > > Thanks, > > Steve Campbell > The escape sequences are for colorisation of the output, try the --nocolor option for your cronjob;-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From naolson at gmail.com Tue Feb 12 18:20:44 2008 From: naolson at gmail.com (Nathan Olson) Date: Tue Feb 12 18:20:53 2008 Subject: Outbound relay on 587 In-Reply-To: <20080212103408.77fd3e85@scorpio> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> <20080212103408.77fd3e85@scorpio> Message-ID: <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com> Try switching the order (remember to rebuild the *.cf files afterwards). define(`RELAY_MAILER_ARGS', `TCP $h 587') define(`SMART_HOST', `mail.isp.net') Nate From glenn.steen at gmail.com Tue Feb 12 18:32:37 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 12 18:32:48 2008 Subject: Extreme OT - Thunderbird display problem. In-Reply-To: <223f97700802121009k1bc07c34xeb3aabd3a17ff6cb@mail.gmail.com> References: <47B1B87F.6020307@cnpapers.com> <223f97700802121009k1bc07c34xeb3aabd3a17ff6cb@mail.gmail.com> Message-ID: <223f97700802121032m1012843an5e0d70af511a6a7b@mail.gmail.com> On 12/02/2008, Glenn Steen wrote: > On 12/02/2008, Steve Campbell wrote: > > This is real OT, so I am accepting any spears thrown my way. > > > > I don't know where the problem really is - Sendmail, Thunderbird, or > > just what, so I ask here hoping others have run into this problem. It is > > definitely not a MailScanner problem. Google hasn't helped me, nor has > > the Thunderbird site. > > > > I use rkhunter to report the status of my systems every day by email. > > The output of the reports sometimes uses the older console control > > characters for formatting. 
This does not display very well on my email > > reports, as tabs show up as "[1;32m" > > > > Anyone know a fix for this either in SendMail, Thunderbird or any other > > place? I use Linux Sendmail servers and a PC with Thunderbird as a mail > > reader. Hopefully an add-on or something? > > > > Thanks, > > > > Steve Campbell > > > The escape sequences are for colorisation of the output, try the > --nocolor option for your cronjob;-). > > Cheers ... --nocolors ... Pesky keyboard... But the --cronjob flag should make it skip the colors anyway... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Feb 12 18:46:19 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 12 18:46:30 2008 Subject: It done broke. "Returned 22 with signal 0". In-Reply-To: <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com> References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com> Message-ID: <223f97700802121046j3700175an75ef605f9c73555c@mail.gmail.com> On 12/02/2008, ravenpi@gmail.com wrote: > [For the record, I also set up to use the native TNEF decoder.] > > Thanks for the pointer; I hadn't thought to run that. --lint initially > showed a bunch of permissions problems (including temporary files, which was > tantalizing), but I fixed up the permissions, and it still fails with debug, > etc.. Here is what I now get with --lint: > > root@elanor:/var/lib/MailScanner# MailScanner --lint > Read 759 hostnames from the phishing whitelist > MailScanner setting GID to (121) > MailScanner setting UID to (112) > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. 
> Using locktype = flock > MailScanner.conf says "Virus Scanners = auto" > Found these virus scanners installed: clamav > > So, that looks pretty good to me. Then, I tried the -V: > > root@elanor:/var/lib/MailScanner# MailScanner -V > Running on > Linux elanor.jots.org 2.6.20-16-generic #2 SMP Tue Dec 18 05:45:12 UTC 2007 > i686 GNU/Linux > This is Perl version 5.008008 (5.8.8) > > This is MailScanner version 4.57.6 Pretty old... is this via Ubuntu -deb/apt? (snip) > > Don't see anything particularly awry. But thems as knows more than I might > be able to point out something I'm overlooking. Thanks for your > suggestions! > I'd start by trying out a newer release.... If all else fails, use the source (tarball) and the debianish init.d script from the download page. If it still misbehaves after that... Well, we'll see then:-). Postfix as MTA? Split maillog files? What do you have in the error file? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From campbell at cnpapers.com Tue Feb 12 19:17:27 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Feb 12 19:17:47 2008 Subject: Extreme OT - Thunderbird display problem. In-Reply-To: <223f97700802121032m1012843an5e0d70af511a6a7b@mail.gmail.com> References: <47B1B87F.6020307@cnpapers.com> <223f97700802121009k1bc07c34xeb3aabd3a17ff6cb@mail.gmail.com> <223f97700802121032m1012843an5e0d70af511a6a7b@mail.gmail.com> Message-ID: <47B1F0C7.7040001@cnpapers.com> Thanks Glenn and Bill for the help. The --nocolor fixed it. Apparently, there must have been a difference in the defaults, as this is a new version from the version I run on all of the other servers. Just learning those are color codes may have been enough to prompt me, but I appreciate the direct nudge. Steve Glenn Steen wrote: > On 12/02/2008, Glenn Steen wrote: > >> On 12/02/2008, Steve Campbell wrote: >> >>> This is real OT, so I am accepting any spears thrown my way. 
>>> >>> I don't know where the problem really is - Sendmail, Thunderbird, or >>> just what, so I ask here hoping others have run into this problem. It is >>> definitely not a MailScanner problem. Google hasn't helped me, nor has >>> the Thunderbird site. >>> >>> I use rkhunter to report the status of my systems every day by email. >>> The output of the reports sometimes uses the older console control >>> characters for formatting. This does not display very well on my email >>> reports, as tabs show up as "[1;32m" >>> >>> Anyone know a fix for this either in SendMail, Thunderbird or any other >>> place? I use Linux Sendmail servers and a PC with Thunderbird as a mail >>> reader. Hopefully an add-on or something? >>> >>> Thanks, >>> >>> Steve Campbell >>> >>> >> The escape sequences are for colorisation of the output, try the >> --nocolor option for your cronjob;-). >> >> Cheers >> > ... --nocolors ... Pesky keyboard... But the --cronjob flag should > make it skip the colors anyway... > > Cheers > From ravenpi at gmail.com Tue Feb 12 19:25:50 2008 From: ravenpi at gmail.com (ravenpi@gmail.com) Date: Tue Feb 12 19:26:02 2008 Subject: It done broke. "Returned 22 with signal 0". In-Reply-To: <223f97700802121046j3700175an75ef605f9c73555c@mail.gmail.com> References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com> <223f97700802121046j3700175an75ef605f9c73555c@mail.gmail.com> Message-ID: <909697ba0802121125l26eb984j20f250d53549e9dc@mail.gmail.com> I hate having to send e-mails like the one I'm typing right here, but here goes: I'm a nincompoop. Somehow -- and I have no idea how -- /tmp got owned by user 524 (perhaps a reflection of my uninstalling and re-installing MailScanner), with 700 permissions. Ummmm. Duh. And, yeah, I guess that that explains plenty well why creating a tempfile wasn't working. Anyway, thanks for all the suggestions. It's appreciated. 
-Ken On Feb 12, 2008 1:46 PM, Glenn Steen wrote: > On 12/02/2008, ravenpi@gmail.com wrote: > > [For the record, I also set up to use the native TNEF decoder.] > > > > Thanks for the pointer; I hadn't thought to run that. --lint initially > > showed a bunch of permissions problems (including temporary files, which > was > > tantalizing), but I fixed up the permissions, and it still fails with > debug, > > etc.. Here is what I now get with --lint: > > > > root@elanor:/var/lib/MailScanner# MailScanner --lint > > Read 759 hostnames from the phishing whitelist > > MailScanner setting GID to (121) > > MailScanner setting UID to (112) > > > > Checking for SpamAssassin errors (if you use it)... > > Using SpamAssassin results cache > > Connected to SpamAssassin cache database > > SpamAssassin reported no errors. > > Using locktype = flock > > MailScanner.conf says "Virus Scanners = auto" > > Found these virus scanners installed: clamav > > > > So, that looks pretty good to me. Then, I tried the -V: > > > > root@elanor:/var/lib/MailScanner# MailScanner -V > > Running on > > Linux elanor.jots.org 2.6.20-16-generic #2 SMP Tue Dec 18 05:45:12 UTC > 2007 > > i686 GNU/Linux > > This is Perl version 5.008008 (5.8.8) > > > > This is MailScanner version 4.57.6 > Pretty old... is this via Ubuntu -deb/apt? > > (snip) > > > > Don't see anything particularly awry. But thems as knows more than I > might > > be able to point out something I'm overlooking. Thanks for your > > suggestions! > > > I'd start by trying out a newer release.... If all else fails, use the > source (tarball) and the debianish init.d script from the download > page. > > If it still misbehaves after that... Well, we'll see then:-). > Postfix as MTA? Split maillog files? What do you have in the error file? 
> > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080212/68b08356/attachment.html From glenn.steen at gmail.com Tue Feb 12 19:35:44 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 12 19:35:54 2008 Subject: It done broke. "Returned 22 with signal 0". In-Reply-To: <909697ba0802121125l26eb984j20f250d53549e9dc@mail.gmail.com> References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com> <223f97700802121046j3700175an75ef605f9c73555c@mail.gmail.com> <909697ba0802121125l26eb984j20f250d53549e9dc@mail.gmail.com> Message-ID: <223f97700802121135u2fcfdcb8w7fa0d03b2ee55725@mail.gmail.com> On 12/02/2008, ravenpi@gmail.com wrote: > I hate having to send e-mails like the one I'm typing right here, but here > goes: I'm a nincompoop. Somehow -- and I have no idea how -- /tmp got owned > by user 524 (perhaps a reflection of my uninstalling and re-installing > MailScanner), with 700 permissions. > > Ummmm. Duh. And, yeah, I guess that that explains plenty well why creating > a tempfile wasn't working. > > Anyway, thanks for all the suggestions. It's appreciated. > > -Ken > It's actually not that uncommon an error.... One "accidentally" removes /tmp ... and "something" comes along and creates it again.... with completely botched perms:-). On a Mdv box close to me (resting on my lap:-) one can see the following: $ ls -ld /tmp drwxrwxrwt 10 root root 15680 2008-02-12 19:23 /tmp/ ... so ... 
remember to do the chmod 1777 thing;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From devonharding at gmail.com Wed Feb 13 03:19:49 2008 From: devonharding at gmail.com (Devon Harding) Date: Wed Feb 13 03:19:58 2008 Subject: Outbound relay on 587 In-Reply-To: <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> <20080212103408.77fd3e85@scorpio> <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com> Message-ID: <2baac6140802121919gd517fe5y9921f7550a82e0a4@mail.gmail.com> On Tue, Feb 12, 2008 at 1:20 PM, Nathan Olson wrote: > Try switching the order (remember to rebuild the *.cf files afterwards). > > define(`RELAY_MAILER_ARGS', `TCP $h 587') > define(`SMART_HOST', `mail.isp.net') > > Got it working! Here's my settings: /etc/mail/sendmail.mc define(`SMART_HOST',`smtp.comcast.net')dnl define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl /etc/mail/authinfo AuthInfo:smtp.comcast.net "U:username@comcast.net" "P:password" "M:PLAIN" Thanks everyone! -Deovn -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080212/1a89eaa0/attachment.html From alxfrag at gmail.com Wed Feb 13 09:12:01 2008 From: alxfrag at gmail.com (AlxFrag) Date: Wed Feb 13 09:11:22 2008 Subject: No programs allowed In-Reply-To: <47B1C666.9060900@ecs.soton.ac.uk> References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> Message-ID: <47B2B461.2020203@gmail.com> Julian Field wrote: > In which case the simplest thing for you to do is to upgrade to the > latest beta release (4.67.something). This includes a new feature > where you can match against the output of the "file -i" command as > well as (or instead of) the "file" command, in the filetype.rules.conf > file. > > Or else, create an "allow" rule for "PARIX executable" in > filetype.rules.conf, and wait until the start of next month when I > release the next stable release. > > AlxFrag wrote: >> --[ UxBoD ]-- wrote: >>> Okay, could you do the same thing with file -i please ? >>> >>> Regards, >>> >>> >> Thanks for your support :) >> >> file -i gives: >> >> message: message/rfc822 >> >> msg-5716-14.txt: text/plain; charset=utf-8 >> > > Jules > if i insert the following line in filetype.rules.conf is it gonna work? allow PARIX - - Regards, Alex From MailScanner at ecs.soton.ac.uk Wed Feb 13 09:51:25 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 13 09:51:48 2008 Subject: No programs allowed In-Reply-To: <47B2B461.2020203@gmail.com> References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com> Message-ID: <47B2BD9D.8060804@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 AlxFrag wrote: > Julian Field wrote: >> In which case the simplest thing for you to do is to upgrade to the >> latest beta release (4.67.something). 
This includes a new feature >> where you can match against the output of the "file -i" command as >> well as (or instead of) the "file" command, in the >> filetype.rules.conf file. >> >> Or else, create an "allow" rule for "PARIX executable" in >> filetype.rules.conf, and wait until the start of next month when I >> release the next stable release. >> >> AlxFrag wrote: >>> --[ UxBoD ]-- wrote: >>>> Okay, could you do the same thing with file -i please ? >>>> >>>> Regards, >>>> >>>> >>> Thanks for your support :) >>> >>> file -i gives: >>> >>> message: message/rfc822 >>> >>> msg-5716-14.txt: text/plain; charset=utf-8 >>> >> >> Jules >> > if i insert the following line in filetype.rules.conf is it gonna work? > > allow PARIX - - That will solve the problem for this particular file, but you might hit similar problems with other files. Try it and see. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: UTF-8 wj8DBQFHsr2dEfZZRxQVtlQRApwmAKD+hihTvZ0ygN2T0i/q2r971ZmuEQCgtY7v EX64J1WlfDSmD/SKW2LhrLM= =1XLH -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From alxfrag at gmail.com Wed Feb 13 10:17:25 2008 From: alxfrag at gmail.com (AlxFrag) Date: Wed Feb 13 10:16:39 2008 Subject: No programs allowed In-Reply-To: <47B2BD9D.8060804@ecs.soton.ac.uk> References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com> <47B2BD9D.8060804@ecs.soton.ac.uk> Message-ID: <47B2C3B5.7030409@gmail.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > AlxFrag wrote: > >> Julian Field wrote: >> >>> In which case the simplest thing for you to do is to upgrade to the >>> latest beta release (4.67.something). This includes a new feature >>> where you can match against the output of the "file -i" command as >>> well as (or instead of) the "file" command, in the >>> filetype.rules.conf file. >>> >>> Or else, create an "allow" rule for "PARIX executable" in >>> filetype.rules.conf, and wait until the start of next month when I >>> release the next stable release. >>> >>> AlxFrag wrote: >>> >>>> --[ UxBoD ]-- wrote: >>>> >>>>> Okay, could you do the same thing with file -i please ? >>>>> >>>>> Regards, >>>>> >>>>> >>>>> >>>> Thanks for your support :) >>>> >>>> file -i gives: >>>> >>>> message: message/rfc822 >>>> >>>> msg-5716-14.txt: text/plain; charset=utf-8 >>>> >>>> >>> Jules >>> >>> >> if i insert the following line in filetype.rules.conf is it gonna work? >> >> allow PARIX - - >> > That will solve the problem for this particular file, but you might hit > similar problems with other files. Try it and see. > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! 
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.8.0 (Build 2158) > Comment: (pgp-secured) > Charset: UTF-8 > > wj8DBQFHsr2dEfZZRxQVtlQRApwmAKD+hihTvZ0ygN2T0i/q2r971ZmuEQCgtY7v > EX64J1WlfDSmD/SKW2LhrLM= > =1XLH > -----END PGP SIGNATURE----- > > ok it works now. As you said i'm having problem with other files too. Running the file command on a text file gave "DOS executable (COM)". -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080213/3699ba60/attachment.html From prandal at herefordshire.gov.uk Wed Feb 13 11:52:30 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Feb 13 11:52:44 2008 Subject: New ClamAV released In-Reply-To: <47B1C876.9070700@maddoc.net> References: <47B1C876.9070700@maddoc.net> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA02EEE1E6@HC-MBX02.herefordshire.gov.uk> From a post of mine on the clamav-users mailing list: > clamscan --version behaves differently in 0.92.1 to 0.92 > > # clamscan --version > ClamAV 0.92.1 > > # clamscan --version > ClamAV 0.92/5785/Tue Feb 12 10:41:10 2008 It looks like the checkin to fix bug 699 (https://wwws.clamav.net/bugzilla/show_bug.cgi?id=699) has broken things. There's been a report of segfaults with "clamscan --version" on Solaris. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Doc Schneider > Sent: 12 February 2008 16:25 > To: MailScanner discussion > Subject: New ClamAV released > > ClamAV 0.92.1 > > This is a bugfix release, please refer to the ChangeLog for a complete > list of changes. > > -- > -Doc > Lincoln, NE. 
> http://www.fsl.com > http://www.genealogyforyou.com/ > http://www.cairnproductions.com/ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From glenn.steen at gmail.com Wed Feb 13 13:08:04 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 13 13:08:13 2008 Subject: No programs allowed In-Reply-To: <47B2C3B5.7030409@gmail.com> References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com> <47B2BD9D.8060804@ecs.soton.ac.uk> <47B2C3B5.7030409@gmail.com> Message-ID: <223f97700802130508j783c460aif1ed9c4200707ae4@mail.gmail.com> On 13/02/2008, AlxFrag wrote: (snip) > > ok it works now. As you said i'm having problem with other files too. > Running the file command on a text file gave "DOS executable (COM)". > Those are usually very "optimistic" one byte magic codes in the magic file that the file command uses. How to comment them out and recompile the magic file has been covered several times on this list.... I suggest you look through the archives for that, unless you know how already;-). 
Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Wed Feb 13 15:38:45 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 13 15:39:08 2008
Subject: No programs allowed
In-Reply-To: <223f97700802130508j783c460aif1ed9c4200707ae4@mail.gmail.com>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com> <47B2BD9D.8060804@ecs.soton.ac.uk> <47B2C3B5.7030409@gmail.com> <223f97700802130508j783c460aif1ed9c4200707ae4@mail.gmail.com>
Message-ID: <47B30F05.5040606@ecs.soton.ac.uk>

Glenn Steen wrote:
> On 13/02/2008, AlxFrag wrote:
> (snip)
>
>> ok it works now. As you said i'm having problem with other files too.
>> Running the file command on a text file gave "DOS executable (COM)".
>>
> Those are usually very "optimistic" one byte magic codes in the magic
> file that the file command uses. How to comment them out and recompile
> the magic file has been covered several times on this list.... I
> suggest you look through the archives for that, unless you know how
> already;-).
>
To save you having to mess with the "magic" files on your server(s), you can just wait till the start of next month when I'll do a stable release including all the "file -i" stuff for matching MIME types as well as what it can do now.

> Cheers
>
Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From devonharding at gmail.com Wed Feb 13 16:34:23 2008
From: devonharding at gmail.com (Devon Harding)
Date: Wed Feb 13 16:34:32 2008
Subject: Outbound relay on 587
In-Reply-To: <2baac6140802121919gd517fe5y9921f7550a82e0a4@mail.gmail.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> <20080212103408.77fd3e85@scorpio> <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com> <2baac6140802121919gd517fe5y9921f7550a82e0a4@mail.gmail.com>
Message-ID: <2baac6140802130834v2adfd692x40058a60aea09560@mail.gmail.com>

>
> Got it working! Here's my settings:
>
> /etc/mail/sendmail.mc
> define(`SMART_HOST',`smtp.comcast.net')dnl
> define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
> FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
>
> /etc/mail/authinfo
> AuthInfo:smtp.comcast.net "U:username@comcast.net" "P:password" "M:PLAIN"
>
> Thanks everyone!
>

I just noticed that sendmail is now using the SMART_HOST for my incoming hosts as well. How can I tell it to use the SMART_HOST only for outbound mail?

-Devon

From alxfrag at gmail.com Wed Feb 13 16:36:49 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Wed Feb 13 16:35:48 2008
Subject: No programs allowed
In-Reply-To: <47B30F05.5040606@ecs.soton.ac.uk>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com> <47B2BD9D.8060804@ecs.soton.ac.uk> <47B2C3B5.7030409@gmail.com> <223f97700802130508j783c460aif1ed9c4200707ae4@mail.gmail.com> <47B30F05.5040606@ecs.soton.ac.uk>
Message-ID: <47B31CA1.1030509@gmail.com>

Julian Field wrote:
> Glenn Steen wrote:
>
>> On 13/02/2008, AlxFrag wrote:
>> (snip)
>>
>>> ok it works now. As you said i'm having problem with other files too.
>>> Running the file command on a text file gave "DOS executable (COM)".
>>>
>> Those are usually very "optimistic" one byte magic codes in the magic
>> file that the file command uses. How to comment them out and recompile
>> the magic file has been covered several times on this list.... I
>> suggest you look through the archives for that, unless you know how
>> already;-).
>>
> To save you having to mess with the "magic" files on your server(s), you
> can just wait till the start of next month when I'll do a stable release
> including all the "file -i" stuff for matching MIME types as well as
> what it can do now.
>
>> Cheers
>>
> Jules
>
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

ok thank you. :)

From rpoe at plattesheriff.org Wed Feb 13 16:51:33 2008
From: rpoe at plattesheriff.org (Rob Poe)
Date: Wed Feb 13 16:52:06 2008
Subject: Office 2007 Documents
Message-ID: <47B2CBB3.65ED.00A2.0@plattesheriff.org>

Having issues with MailScanner rejecting Office2007 document attachments, because they're zip files AFAICT - and inside them are things with multiple extensions

From MailScanner at ecs.soton.ac.uk Wed Feb 13 17:57:57 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 13 17:58:22 2008
Subject: Office 2007 Documents
In-Reply-To: <47B2CBB3.65ED.00A2.0@plattesheriff.org>
References: <47B2CBB3.65ED.00A2.0@plattesheriff.org>
Message-ID: <47B32FA5.9010903@ecs.soton.ac.uk>

Add these lines to /etc/MailScanner/filename.rules.conf, somewhere near the top. And note that each of the "words" on each line must be separated with tab characters and not spaces!

# These are in the archives which are Microsoft Office 2007 files (e.g. docx)
allow	\.xml\d*\.rel$	-	-
allow	\.x\d+\.rel$	-	-

Then "service MailScanner reload" or just wait a few hours and it will start using the new configuration.

Rob Poe wrote:
> Having issues with MailScanner rejecting Office2007 document attachments, because they're zip files AFAICT - and inside them are things with multiple extensions
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ugob at lubik.ca Wed Feb 13 21:15:31 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Feb 13 21:16:02 2008
Subject: Outbound relay on 587
In-Reply-To: <2baac6140802130834v2adfd692x40058a60aea09560@mail.gmail.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> <20080212103408.77fd3e85@scorpio> <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com> <2baac6140802121919gd517fe5y9921f7550a82e0a4@mail.gmail.com> <2baac6140802130834v2adfd692x40058a60aea09560@mail.gmail.com>
Message-ID:

Devon Harding wrote:
>
> Got it working! Here's my settings:
>
> /etc/mail/sendmail.mc
> define(`SMART_HOST',`smtp.comcast.net')dnl
> define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
> FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
>
> /etc/mail/authinfo
> AuthInfo:smtp.comcast.net "U:username@comcast.net" "P:password" "M:PLAIN"
>
> Thanks everyone!
>
>
> I just noticed that sendmail is now using the SMART_HOST for my incoming
> hosts as well. How can I tell it to use the SMART_HOST only for
> outbound mail?

I don't understand what you mean? It will send everything through the smart host, unless it is local. For other domains, I guess you must use mailertable.

Ugo

From MailScanner at ecs.soton.ac.uk Wed Feb 13 22:47:02 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 13 22:47:47 2008
Subject: New ClamAV released
In-Reply-To: <47B1C876.9070700@maddoc.net>
References: <47B1C876.9070700@maddoc.net>
Message-ID: <47B37366.6000407@ecs.soton.ac.uk>

I have just updated my easy-to-install ClamAV & SpamAssassin package to include ClamAV 0.92.1. Let me know if you have any problems with it, I have just dropped in the new version.

Doc Schneider wrote:
> ClamAV 0.92.1
>
> This is a bugfix release, please refer to the ChangeLog for a complete
> list of changes.
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Wed Feb 13 22:54:19 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 13 22:54:57 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <47ACB045.4090504@alunys.com> <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com> Message-ID: <47B3751B.90001@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have just release a new beta 4.67.4 to attempt to fix this problem. It's very awkward to find, as it only occurs on busy systems. I have found a possible reason and have fixed that. Please can you give this new version a try and let me know if it helps solve the duplication problem at all. Thanks folks! Jules. Glenn Steen wrote: > On 08/02/2008, Cedric Devillers wrote: > >> Julian Field wrote: >> >>> Glenn Steen wrote: >>> >>>> On 08/02/2008, Glenn Steen wrote: >>>> >>>>> On 08/02/2008, Glenn Steen wrote: >>>>> >>>>> >>>>>> On 07/02/2008, Cedric Devillers wrote: >>>>>> >>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> I'm trying to revive this thread from the last month because we are >>>>>>> observing the exact same behavior on one of our servers. >>>>>>> >>>>>>> >>>>>> Thanks for doing that, and for providing some more info. >>>>>> >>>>>> >>>>>> >>>>>>> So to remember the facts : >>>>>>> >>>>>>> - We are using mailscanner with postfix, and duplicated messages are >>>>>>> generated by mailscanner. >>>>>>> >>>>>>> - This system is the only one where we are observing this behavior. 
It >>>>>>> have a little particularity : it mainly act as a mail relay, but >>>>>>> sometimes many mails are generated by the server itself (a script) and >>>>>>> injected in postfix queues via sendmail command. We can always reproduce >>>>>>> some duplicated messages with this script. >>>>>>> >>>>>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses >>>>>>> messages, but they are still entering the mailscanner logic (postix -> >>>>>>> hold queue -> mailscanner (no scan) -> active queue). >>>>>>> >>>>>>> >>>>>> What does the ruleset look like? I'm sure it doesn't matter, but ... >>>>>> just out of curiosity:-)... >>>>>> >>>>>> >>>>>> >>>>>>> - Mailwatch is running on this server, and for each duplicates we see >>>>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final >>>>>>> entry with the full body. Note that the recipient see the full body on >>>>>>> every duplicate. >>>>>>> >>>>>>> It looks like a locking problem, because all duplicates are with the >>>>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, >>>>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to >>>>>>> lock some queue file when message is marked not to be scanned by >>>>>>> mailscanner ? >>>>>>> >>>>>>> >>>>>> Yes, this seems plausible... Could you provide some log examples? Just >>>>>> to see that it really is separate children reading the same queue >>>>>> file... >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> I will not be very helpfull to debug perl code, but i can provide any >>>>>>> needed logs to help finding the origin of the problem. >>>>>>> >>>>>>> >>>>>> I'll see what I can do, but... I think this isn't "my" code snippets, >>>>>> but a thing that might have been present for a while... And I have a >>>>>> serious lack of time to spend on this ATM (worse than last time, >>>>>> before Xmas)... So no promises:-). >>>>>> >>>>>> >>>>>> >>>>>>> This is really a serious problem in this particular installation. 
But i >>>>>>> must say that we have dozens of other servers that are running >>>>>>> mailscanner/postfix, and we are very happy about thems :) >>>>>>> >>>>>>> >>>>>> Does it help if you DO scan with MS, but skip things at the next >>>>>> level, for example: >>>>>> Scan Messages = yes >>>>>> Use SpamAssassin = no >>>>>> Dangerous Content Scanning = no >>>>>> ... and possibly a few more (do them with a ruleset, of course:-)? >>>>>> >>>>>> >>>>>> >>>>> BTW, do you have any milters enabled in Postfix? What version of Postfix? >>>>> >>>>> Cheers >>>>> >>>>> >>>> I think we need Jules on this one, not only feeble lil' me:-). >>>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless >>>> of the scanmail setting... But then, this is a rather complex bit of >>>> code, where the "execution path" isn't always as straightforward as it >>>> seems... Jules, could you spare a moment or two? Just to look at what >>>> could possibly be wrong with the message->scanmail = 0 scenario? >>>> >>> Can you *briefly* explain what the problem is, what the symptoms are and >>> where you think the problem might lie? This is a very long thread.... :-) >>> >>> Jules >>> >>> >> Hi Julian >> >> The problem is that when sending many messages from the mailscanner host >> (here via the sendmail command) and that this host is marked not to be >> scanned by mailscanner (via a ruleset for "Scan Messages"), some mails >> are duplicated by mailscanner. >> >> The ruleset in question is : >> From: 127.0.0.1 no >> >> It seems that when the server is under high load and/or the message sent >> is bigger, then the probability to have duplicates (sometimes 4 or 5 by >> messages) is higher. Note that this is only based on my impressions >> while trying to reproduce the problem :) >> >> I think the problem may be that in this particular case (locally sent >> messages, not to be scanned by mailscanner), the file locking is >> defective and multiple childs are reading the same postfix queue file. 
>> Note that i was not able to reproduce the problem with "Scan Messages =
>> yes".
>>
>> You can have a look at this log extract that show duplicates for the ID
>> 11D67CE47AC :
>>
>> Feb 8 19:44:21 mail postfix/pickup[20676]: 11D67CE47AC: uid=48 from=
>> Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: hold: header Received: by mail.inforum.be (Postfix, from userid 48)??id 11D67CE47AC; Fri, 8 Feb 2008 19:44:20 +0100 (CET) from local; from=
>> Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: message-id=<20080208184421.11D67CE47AC@mail.inforum.be>
>> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 5B8AECE47A2.4FC7C to 08006CE47AB
>> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 342ACCE47B0.545F4 to E8253CE47A2
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: 8382ECE473F: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: E8253CE47A2: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: 08006CE47AB: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: 995D8CE47A5: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 5 messages
>> Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning: Starting
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 8F1BFCE47AC.62C1B to SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message C4702CE473F.14646 to SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 05006CE47AB.74D14 to SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 8F1BFCE47AC.62C1B: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 5B8AECE47A2.4FC7C to SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 342ACCE47B0.545F4 to SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: C4702CE473F.14646: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 05006CE47AB.74D14: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 5B8AECE47A2.4FC7C: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 342ACCE47B0.545F4: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16264]: New Batch: Forwarding 1 unscanned messages, 23120 bytes
>> Feb 8 19:44:21 mail postfix/pickup[20676]: 5B439CE47AF: uid=48 from=
>> Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: hold: header Received: by mail.inforum.be (Postfix, from userid 48)??id 5B439CE47AF; Fri, 8 Feb 2008 19:44:21 +0100 (CET) from local; from=
>> Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: message-id=<20080208184421.5B439CE47AF@mail.inforum.be>
>> Feb 8 19:44:21 mail MailScanner[16264]: Requeue: 11D67CE47AC.DC14A to B0A22CE47B7
>> Feb 8 19:44:21 mail MailScanner[16264]: Unscanned: Delivered 1 messages
>> Feb 8 19:44:21 mail MailScanner[16264]: Virus and Content Scanning: Starting
>> Feb 8 19:44:21 mail MailScanner[16229]: New Batch: Forwarding 1 unscanned messages, 0 bytes
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: B0A22CE47B7: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 11D67CE47AC.3898C to 084DCCE47BA
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: 084DCCE47BA: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 1 messages
>> Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning: Starting
>> Feb 8 19:44:21 mail MailScanner[16264]: Logging message 11D67CE47AC.DC14A to SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.DC14A: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 11D67CE47AC.3898C to SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.3898C: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail postfix/smtp[20778]: 9EDC5CE47B2: to=, relay=mail.alunys.com[212.35.119.247], delay=2, status=sent (250 O
>>
>>
> 
Thanks Cedric, this, and the child thing suggested by alex, > corroborate the theory of what is going bad, limiting what need be > scrutinized.... which is a good thing:-). Still,I've been looking and > can't for the life of me see where it goes haywire....:-/ > Hopefully Jules (or Phil... or me a bit more sober...:-) will find something. > > Cheers > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHs3UoEfZZRxQVtlQRAlg/AJ0cUHoD3g+yvdoDdCtvLjbAU5z/9wCeJ1aE 3zdYbrt+f44K0D/wPXq6l08= =Rdy4 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
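
The symptom reported in the log extract quoted above (one Postfix queue ID requeued more than once under different entropy suffixes, by different MailScanner children) can be checked for mechanically. The following is an added example, not part of any list post and not MailScanner code; the sample lines are copied from that quoted extract, and the function and field names are invented for illustration.

```python
import re
from collections import defaultdict, namedtuple

# Lines copied from the log extract quoted in the thread, one syslog entry per line.
SAMPLE_LOG = """\
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 5B8AECE47A2.4FC7C to 08006CE47AB
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 342ACCE47B0.545F4 to E8253CE47A2
Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 5 messages
Feb 8 19:44:21 mail MailScanner[16264]: New Batch: Forwarding 1 unscanned messages, 23120 bytes
Feb 8 19:44:21 mail MailScanner[16264]: Requeue: 11D67CE47AC.DC14A to B0A22CE47B7
Feb 8 19:44:21 mail MailScanner[16264]: Unscanned: Delivered 1 messages
Feb 8 19:44:21 mail MailScanner[16229]: New Batch: Forwarding 1 unscanned messages, 0 bytes
Feb 8 19:44:21 mail postfix/qmgr[19269]: B0A22CE47B7: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 11D67CE47AC.3898C to 084DCCE47BA
Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 1 messages
"""

# One requeue event: which child did it, under which entropy suffix, to which
# new queue ID, and how large that child's current batch was (None if unknown).
Requeue = namedtuple("Requeue", "pid entropy new_queue_id batch_bytes")

MS_LINE = re.compile(r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REQUEUE = re.compile(
    r"Requeue: (?P<qid>[0-9A-F]+)\.(?P<entropy>[0-9A-F]+) to (?P<new>[0-9A-F]+)"
)
NEW_BATCH = re.compile(r"New Batch: .*, (?P<size>\d+) bytes")


def find_duplicate_requeues(lines):
    """Return {original_queue_id: [Requeue, ...]} for IDs requeued more than once."""
    batch_bytes = {}            # child pid -> size of the batch it is working on
    seen = defaultdict(list)    # original Postfix queue ID -> requeue events
    for line in lines:
        m = MS_LINE.search(line)
        if not m:
            continue            # postfix/* and other daemons are ignored
        pid, msg = int(m.group("pid")), m.group("msg")
        nb = NEW_BATCH.match(msg)
        if nb:
            batch_bytes[pid] = int(nb.group("size"))
            continue
        if msg.startswith("Unscanned: Delivered"):
            batch_bytes.pop(pid, None)   # that child's batch is finished
            continue
        rq = REQUEUE.match(msg)
        if rq:
            seen[rq.group("qid")].append(
                Requeue(pid, rq.group("entropy"), rq.group("new"),
                        batch_bytes.get(pid))
            )
    return {qid: events for qid, events in seen.items() if len(events) > 1}


def report(duplicates):
    """One summary string per duplicated queue ID."""
    out = []
    for qid, events in sorted(duplicates.items()):
        pids = sorted({e.pid for e in events})
        empty = [e.entropy for e in events if e.batch_bytes == 0]
        out.append(
            f"{qid}: requeued {len(events)}x by children {pids}, "
            f"zero-byte batches: {empty or 'none'}"
        )
    return out


if __name__ == "__main__":
    for row in report(find_duplicate_requeues(SAMPLE_LOG.splitlines())):
        print(row)
```

Two distinct child PIDs against one queue ID is the pattern the thread suspects of being a missed lock on the hold-queue file, and the 0-byte batch lines up with the empty-body MailWatch entries Cedric describes.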
From MailScanner at ecs.soton.ac.uk Wed Feb 13 23:14:26 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 13 23:14:57 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> Message-ID: <47B379D2.6090202@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 08/02/2008, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Glenn Steen wrote: >> >>> On 08/02/2008, Glenn Steen wrote: >>> >>> >>>> On 08/02/2008, Glenn Steen wrote: >>>> >>>> >>>>> On 07/02/2008, Cedric Devillers wrote: >>>>> >>>>> >>>>>> Hello, >>>>>> >>>>>> I'm trying to revive this thread from the last month because we are >>>>>> observing the exact same behavior on one of our servers. >>>>>> >>>>>> >>>>> Thanks for doing that, and for providing some more info. >>>>> >>>>> >>>>> >>>>>> So to remember the facts : >>>>>> >>>>>> - We are using mailscanner with postfix, and duplicated messages are >>>>>> generated by mailscanner. >>>>>> >>>>>> - This system is the only one where we are observing this behavior. It >>>>>> have a little particularity : it mainly act as a mail relay, but >>>>>> sometimes many mails are generated by the server itself (a script) and >>>>>> injected in postfix queues via sendmail command. We can always reproduce >>>>>> some duplicated messages with this script. >>>>>> >>>>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses >>>>>> messages, but they are still entering the mailscanner logic (postix -> >>>>>> hold queue -> mailscanner (no scan) -> active queue). 
>>>>>> >>>>>> >>>>> What does the ruleset look like? I'm sure it doesn't matter, but ... >>>>> just out of curiosity:-)... >>>>> >>>>> >>>>> >>>>>> - Mailwatch is running on this server, and for each duplicates we see >>>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final >>>>>> entry with the full body. Note that the recipient see the full body on >>>>>> every duplicate. >>>>>> >>>>>> It looks like a locking problem, because all duplicates are with the >>>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, >>>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to >>>>>> lock some queue file when message is marked not to be scanned by >>>>>> mailscanner ? >>>>>> >>>>>> >>>>> Yes, this seems plausible... Could you provide some log examples? Just >>>>> to see that it really is separate children reading the same queue >>>>> file... >>>>> >>>>> >>>>> >>>>> >>>>>> I will not be very helpfull to debug perl code, but i can provide any >>>>>> needed logs to help finding the origin of the problem. >>>>>> >>>>>> >>>>> I'll see what I can do, but... I think this isn't "my" code snippets, >>>>> but a thing that might have been present for a while... And I have a >>>>> serious lack of time to spend on this ATM (worse than last time, >>>>> before Xmas)... So no promises:-). >>>>> >>>>> >>>>> >>>>>> This is really a serious problem in this particular installation. But i >>>>>> must say that we have dozens of other servers that are running >>>>>> mailscanner/postfix, and we are very happy about thems :) >>>>>> >>>>>> >>>>> Does it help if you DO scan with MS, but skip things at the next >>>>> level, for example: >>>>> Scan Messages = yes >>>>> Use SpamAssassin = no >>>>> Dangerous Content Scanning = no >>>>> ... and possibly a few more (do them with a ruleset, of course:-)? >>>>> >>>>> >>>>> >>>> BTW, do you have any milters enabled in Postfix? What version of Postfix? 
>>>> >>>> Cheers >>>> >>>> >>> I think we need Jules on this one, not only feeble lil' me:-). >>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless >>> of the scanmail setting... But then, this is a rather complex bit of >>> code, where the "execution path" isn't always as straightforward as it >>> seems... Jules, could you spare a moment or two? Just to look at what >>> could possibly be wrong with the message->scanmail = 0 scenario? >>> >>> >>> >> Can you *briefly* explain what the problem is, what the symptoms are and >> where you think the problem might lie? This is a very long thread.... :-) >> >> Jules >> >> > In short: > When using Postfix and setting Scan Messages = no (with a rulset, for > some....), duplicates are "generated" by several MailScanner children > picking up and delivering the same message. Is the whole message being delivered multiple times, or are the duplicates truncated at all? P.S. Sorry for top-posting on this thread a few minutes ago :-( Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHs3nZEfZZRxQVtlQRAgtmAKDyt+y+fafkRvZQURVQajXKUBPCEACglEOV N3ZN77/lKwzizAeWVhpbGkQ= =3CSz -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 

From uxbod at splatnix.net Thu Feb 14 00:06:33 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Feb 14 00:13:56 2008
Subject: MailScanner consuming 100% CPU
Message-ID: <22967703.151202947592999.JavaMail.root@office.splatnix.net>

This evening my home server went crazy and when MS starts scanning a message it consumes 100% CPU :(

top shows :-

20692 postfix 25 0 234m 67m 3968 R 99.7 2.2 3:20.57 MailScanner

if I run a message through using MS --debug it goes through SA fine :-

[20692] dbg: shortcircuit: s/c ham due to SC_HAM, using score of -100
[20692] dbg: check: is spam? score=-20.001 required=5
[20692] dbg: check: tests=NO_RELAYS,SC_HAM
[20692] dbg: check: subtests=
[20692] dbg: plugin: Mail::SpamAssassin::Plugin::Shortcircuit=HASH(0x6d2be20) implements 'compile_now_finish', priority 0
max message size is '30k'

then it just hangs. I have set Virus Scanners = none but it still does the same. If I try and attach using strace nothing ever shows. Any ideas I am really stuck :(

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From uxbod at splatnix.net Thu Feb 14 00:39:56 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Feb 14 00:40:11 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <22967703.151202947592999.JavaMail.root@office.splatnix.net>
Message-ID: <13124449.01202949596358.JavaMail.root@office.splatnix.net>

Hmmm ...

Something not right me thinks ... the incoming directory only has headers and no content :(

[root@mailhub MailScanner]# cd incoming/
[root@mailhub incoming]# ls -lR
.:
total 12
drwxrwx--- 5 postfix clamav 4096 Feb 14 00:31 24771
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24818
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24853

./24771:
total 24
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 882C8D02BA.66EC9
-rw-rw---- 1 postfix clamav 1135 Feb 14 00:31 882C8D02BA.66EC9.header
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 9A670D02B8.069CB
-rw-rw---- 1 postfix clamav 3938 Feb 14 00:31 9A670D02B8.069CB.header
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 C8EBFD02B9.1978E
-rw-rw---- 1 postfix clamav 3031 Feb 14 00:31 C8EBFD02B9.1978E.header

./24771/882C8D02BA.66EC9:
total 0

./24771/9A670D02B8.069CB:
total 0

./24771/C8EBFD02B9.1978E:
total 0

./24818:
total 0

./24853:
total 0

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "--[ UxBoD ]--" wrote:

> This evening my home server went crazy and when MS starts scanning a
> message it consumes 100% CPU :(
>
> top shows :-
>
> 20692 postfix 25 0 234m 67m 3968 R 99.7 2.2 3:20.57
> MailScanner
>
> if I run a message through using MS --debug it goes through SA fine
> :-
>
> [20692] dbg: shortcircuit: s/c ham due to SC_HAM, using score of -100
> [20692] dbg: check: is spam? score=-20.001 required=5
> [20692] dbg: check: tests=NO_RELAYS,SC_HAM
> [20692] dbg: check: subtests=
> [20692] dbg: plugin:
> Mail::SpamAssassin::Plugin::Shortcircuit=HASH(0x6d2be20) implements
> 'compile_now_finish', priority 0
> max message size is '30k'
>
> then it just hangs. I have set Virus Scanners = none but it still
> does the same. If I try and attach using strace nothing ever shows.
> Any ideas I am really stuck :(
>
>
> Regards,

From MailScanner at ecs.soton.ac.uk Thu Feb 14 08:30:40 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 14 08:32:46 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <13124449.01202949596358.JavaMail.root@office.splatnix.net>
References: <13124449.01202949596358.JavaMail.root@office.splatnix.net>
Message-ID: <47B3FC30.7000105@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Start by checking things like the SpamAssassin cache db has not got corrupted. It's in /var/spool/MailScanner/incoming. Just delete the database files and they will rapidly be recreated. It costs you a bit in processing speed for a couple of minutes but does no other harm than that. Screwed cache DB files can cause all sorts of weird symptoms.

- --[ UxBoD ]-- wrote:
> Hmmm ...
>
> Something not right me thinks ... the incoming directory only has headers and no content :(
>
> [root@mailhub MailScanner]# cd incoming/
> [root@mailhub incoming]# ls -lR
> .:
> total 12
> drwxrwx--- 5 postfix clamav 4096 Feb 14 00:31 24771
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24818
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24853
>
> ./24771:
> total 24
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 882C8D02BA.66EC9
> -rw-rw---- 1 postfix clamav 1135 Feb 14 00:31 882C8D02BA.66EC9.header
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 9A670D02B8.069CB
> -rw-rw---- 1 postfix clamav 3938 Feb 14 00:31 9A670D02B8.069CB.header
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 C8EBFD02B9.1978E
> -rw-rw---- 1 postfix clamav 3031 Feb 14 00:31 C8EBFD02B9.1978E.header
>
> ./24771/882C8D02BA.66EC9:
> total 0
>
> ./24771/9A670D02B8.069CB:
> total 0
>
> ./24771/C8EBFD02B9.1978E:
> total 0
>
> ./24818:
> total 0
>
> ./24853:
> total 0
>
>
> Regards,
>

Jules

- -- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system
administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: UTF-8 wj8DBQFHs/w2EfZZRxQVtlQRAh8LAKDkG+vzQ8lT6qrn3him0SVatHJhTgCfcIxU vNIHUATIIvvTXkeMab16H3w= =N5u1 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Thu Feb 14 08:39:07 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Feb 14 08:39:24 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <47B3FC30.7000105@ecs.soton.ac.uk> Message-ID: <21712422.61202978347947.JavaMail.root@office.splatnix.net> Hi Jules, one step ahead ;) tried that at 1am this morning and still the same problem :( a spamassassin -D --lint works just fine, but when I run MS through debug it does appear to complete the SA checks but then hangs when it says "message size 30k". What is happening after this bit ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Julian Field" wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Start by checking things like the SpamAssassin cache db has not got corrupted. It's in /var/spool/MailScanner/incoming. Just delete the database files and they will rapidly be recreated. It costs you a bit in processing speed for a couple of minutes but does no other harm than that. Screwed cache DB files can cause all sorts of weird symptoms. - --[ UxBoD ]-- wrote: > Hmmm ... > > Something not right me thinks ... 
the incoming directory only has headers and no content :( > > [root@mailhub MailScanner]# cd incoming/ > [root@mailhub incoming]# ls -lR > .: > total 12 > drwxrwx--- 5 postfix clamav 4096 Feb 14 00:31 24771 > drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24818 > drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24853 > > ./24771: > total 24 > drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 882C8D02BA.66EC9 > -rw-rw---- 1 postfix clamav 1135 Feb 14 00:31 882C8D02BA.66EC9.header > drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 9A670D02B8.069CB > -rw-rw---- 1 postfix clamav 3938 Feb 14 00:31 9A670D02B8.069CB.header > drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 C8EBFD02B9.1978E > -rw-rw---- 1 postfix clamav 3031 Feb 14 00:31 C8EBFD02B9.1978E.header > > ./24771/882C8D02BA.66EC9: > total 0 > > ./24771/9A670D02B8.069CB: > total 0 > > ./24771/C8EBFD02B9.1978E: > total 0 > > ./24818: > total 0 > > ./24853: > total 0 > > > Regards, > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: UTF-8 wj8DBQFHs/w2EfZZRxQVtlQRAh8LAKDkG+vzQ8lT6qrn3him0SVatHJhTgCfcIxU vNIHUATIIvvTXkeMab16H3w= =N5u1 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From glenn.steen at gmail.com Thu Feb 14 09:33:01 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 14 09:33:11 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47B379D2.6090202@ecs.soton.ac.uk>
References: <47AB262E.6070808@alunys.com>
 <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
 <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
 <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
 <47AC89B2.80906@ecs.soton.ac.uk>
 <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
 <47B379D2.6090202@ecs.soton.ac.uk>
Message-ID: <223f97700802140133k60093df0r439be4296311e2e3@mail.gmail.com>

On 14/02/2008, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
> > On 08/02/2008, Julian Field wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Glenn Steen wrote:
> >>
> >>> On 08/02/2008, Glenn Steen wrote:
> >>>
> >>>> On 08/02/2008, Glenn Steen wrote:
> >>>>
> >>>>> On 07/02/2008, Cedric Devillers wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> I'm trying to revive this thread from the last month because we are
> >>>>>> observing the exact same behavior on one of our servers.
> >>>>>>
> >>>>> Thanks for doing that, and for providing some more info.
> >>>>>
> >>>>>> So to remember the facts :
> >>>>>>
> >>>>>> - We are using mailscanner with postfix, and duplicated messages are
> >>>>>> generated by mailscanner.
> >>>>>>
> >>>>>> - This system is the only one where we are observing this behavior. It
> >>>>>> has a little particularity : it mainly acts as a mail relay, but
> >>>>>> sometimes many mails are generated by the server itself (a script) and
> >>>>>> injected in postfix queues via sendmail command. We can always reproduce
> >>>>>> some duplicated messages with this script.
> >>>>>>
> >>>>>> - MailScanner is configured (by ruleset) to bypass scanning for those
> >>>>>> messages, but they are still entering the mailscanner logic (postfix ->
> >>>>>> hold queue -> mailscanner (no scan) -> active queue).
> >>>>>>
> >>>>> What does the ruleset look like? I'm sure it doesn't matter, but ...
> >>>>> just out of curiosity:-)...
> >>>>>
> >>>>>> - Mailwatch is running on this server, and for each duplicates we see
> >>>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final
> >>>>>> entry with the full body. Note that the recipient see the full body on
> >>>>>> every duplicate.
> >>>>>>
> >>>>>> It looks like a locking problem, because all duplicates are with the
> >>>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy,
> >>>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to
> >>>>>> lock some queue file when message is marked not to be scanned by
> >>>>>> mailscanner ?
> >>>>>>
> >>>>> Yes, this seems plausible... Could you provide some log examples? Just
> >>>>> to see that it really is separate children reading the same queue
> >>>>> file...
> >>>>>
> >>>>>> I will not be very helpful to debug perl code, but i can provide any
> >>>>>> needed logs to help finding the origin of the problem.
> >>>>>>
> >>>>> I'll see what I can do, but... I think this isn't "my" code snippets,
> >>>>> but a thing that might have been present for a while... And I have a
> >>>>> serious lack of time to spend on this ATM (worse than last time,
> >>>>> before Xmas)... So no promises:-).
> >>>>>
> >>>>>> This is really a serious problem in this particular installation. But i
> >>>>>> must say that we have dozens of other servers that are running
> >>>>>> mailscanner/postfix, and we are very happy about them :)
> >>>>>>
> >>>>> Does it help if you DO scan with MS, but skip things at the next
> >>>>> level, for example:
> >>>>> Scan Messages = yes
> >>>>> Use SpamAssassin = no
> >>>>> Dangerous Content Scanning = no
> >>>>> ... and possibly a few more (do them with a ruleset, of course:-)?
> >>>>>
> >>>> BTW, do you have any milters enabled in Postfix? What version of Postfix?
> >>>>
> >>>> Cheers
> >>>>
> >>> I think we need Jules on this one, not only feeble lil' me:-).
> >>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless
> >>> of the scanmail setting... But then, this is a rather complex bit of
> >>> code, where the "execution path" isn't always as straightforward as it
> >>> seems... Jules, could you spare a moment or two? Just to look at what
> >>> could possibly be wrong with the message->scanmail = 0 scenario?
> >>>
> >> Can you *briefly* explain what the problem is, what the symptoms are and
> >> where you think the problem might lie? This is a very long thread.... :-)
> >>
> >> Jules
> >>
> > In short:
> > When using Postfix and setting Scan Messages = no (with a ruleset, for
> > some....), duplicates are "generated" by several MailScanner children
> > picking up and delivering the same message.
>
> Is the whole message being delivered multiple times, or are the
> duplicates truncated at all?

AFAIU, the messages are delivered seemingly whole (but seem slightly truncated in MW, at least according to Cedric).

> P.S. Sorry for top-posting on this thread a few minutes ago :-(

It's your list, you are forgiven:-). And with that type of info... We'd pretty much forgive anything (even bad language... not that it'd ever happen with you:-):-).

I'll try to find some time, but I think that the ones who have reported this problem (Cedric in particular) are the ones that need to test this... So, Cedric... Pretty please try this beta on your production host and then report back... So that the fix can be included in the next stable release!

Just out of curiosity (I'll at least DL and read the beta...)... Where should I look for the fix?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Feb 14 09:43:47 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 14 09:43:57 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <21712422.61202978347947.JavaMail.root@office.splatnix.net>
References: <47B3FC30.7000105@ecs.soton.ac.uk>
 <21712422.61202978347947.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700802140143n2bbd28f9y7130ae80eecd898f@mail.gmail.com>

On 14/02/2008, --[ UxBoD ]-- wrote:
> Hi Jules,
>
> one step ahead ;) tried that at 1am this morning and still the same problem :( a spamassassin -D --lint works just fine, but when I run MS through debug it does appear to complete the SA checks but then hangs when it says "message size 30k". What is happening after this bit ?
>
> Regards,
>

What do your PF logs show?
What does a ps listing of the children show?
You're not short on disk for tmp/tmpfs?
What messages do you have waiting? Something massive? What does a postcat of them look like?
....
and probably a few other questions...:-)

I'm sure you've looked already, but it doesn't hurt checking:-):-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Thu Feb 14 10:07:14 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Feb 14 10:07:30 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <223f97700802140143n2bbd28f9y7130ae80eecd898f@mail.gmail.com>
Message-ID: <1433407.241202983634886.JavaMail.root@office.splatnix.net>

Hi Glenn,

pf logs are fine, I even ran a postfix check and set-permissions just in case. Three messages are in the queue and are about 2k in size each. I even dropped the tmpfs and ran it directly to the file system. No change.

For the time being I am routing messages directly, as the PostFix checks are blocking most things. I will take a deeper look at it this evening when I am back home. Any other suggestions are greatly appreciated.

Any other ways I can debug the code Jules to find where it is stalling ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Glenn Steen" wrote:
> On 14/02/2008, --[ UxBoD ]-- wrote:

From cde at alunys.com Thu Feb 14 10:19:01 2008
From: cde at alunys.com (Cedric Devillers)
Date: Thu Feb 14 10:20:23 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47B3751B.90001@ecs.soton.ac.uk>
References: <47AB262E.6070808@alunys.com>
 <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
 <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
 <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
 <47AC89B2.80906@ecs.soton.ac.uk>
 <47ACB045.4090504@alunys.com>
 <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com>
 <47B3751B.90001@ecs.soton.ac.uk>
Message-ID: <47B41595.2070104@alunys.com>

Julian Field wrote:
> I have just released a new beta 4.67.4 to attempt to fix this problem.
> It's very awkward to find, as it only occurs on busy systems. I have
> found a possible reason and have fixed that.
>
> Please can you give this new version a try and let me know if it helps
> solve the duplication problem at all.
>
> Thanks folks!
> Jules.
>

Thanks for your attention on this problem.

Is it possible to just copy some files from the tarball to the production system to test this ?

I just ask this because we use home packaged rpm versions of mailscanner (with just custom prefs files and defaults location), so do i need to repackage the whole stuff to test it ?

As it is production system, i need to wait after office hours to test it. So i'll try to do it later today or tomorrow.

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From cde at alunys.com Thu Feb 14 10:23:55 2008
From: cde at alunys.com (Cedric Devillers)
Date: Thu Feb 14 10:25:15 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <223f97700802140133k60093df0r439be4296311e2e3@mail.gmail.com>
References: <47AB262E.6070808@alunys.com>
 <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
 <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
 <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
 <47AC89B2.80906@ecs.soton.ac.uk>
 <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
 <47B379D2.6090202@ecs.soton.ac.uk>
 <223f97700802140133k60093df0r439be4296311e2e3@mail.gmail.com>
Message-ID: <47B416BB.5080600@alunys.com>

Glenn Steen wrote:
> On 14/02/2008, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Glenn Steen wrote:
>> > On 08/02/2008, Julian Field wrote:
>> >
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA1
>> >>
>> >> Glenn Steen wrote:
>> >>
>> >>> On 08/02/2008, Glenn Steen wrote:
>> >>>
>> >>>> On 08/02/2008, Glenn Steen wrote:
>> >>>>
>> >>>>> On 07/02/2008, Cedric Devillers wrote:
>> >>>>>
>> >>>>>> Hello,
>> >>>>>>
>> >>>>>> I'm trying to revive this thread from the last month because we are
>> >>>>>> observing the exact same behavior on one of our servers.
>> >>>>>>
>> >>>>> Thanks for doing that, and for providing some more info.
>> >>>>>
>> >>>>>> So to remember the facts :
>> >>>>>>
>> >>>>>> - We are using mailscanner with postfix, and duplicated messages are
>> >>>>>> generated by mailscanner.
>> >>>>>>
>> >>>>>> - This system is the only one where we are observing this behavior. It
>> >>>>>> has a little particularity : it mainly acts as a mail relay, but
>> >>>>>> sometimes many mails are generated by the server itself (a script) and
>> >>>>>> injected in postfix queues via sendmail command. We can always reproduce
>> >>>>>> some duplicated messages with this script.
>> >>>>>>
>> >>>>>> - MailScanner is configured (by ruleset) to bypass scanning for those
>> >>>>>> messages, but they are still entering the mailscanner logic (postfix ->
>> >>>>>> hold queue -> mailscanner (no scan) -> active queue).
>> >>>>>>
>> >>>>> What does the ruleset look like? I'm sure it doesn't matter, but ...
>> >>>>> just out of curiosity:-)...
>> >>>>>
>> >>>>>> - Mailwatch is running on this server, and for each duplicates we see
>> >>>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final
>> >>>>>> entry with the full body. Note that the recipient see the full body on
>> >>>>>> every duplicate.
>> >>>>>>
>> >>>>>> It looks like a locking problem, because all duplicates are with the
>> >>>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy,
>> >>>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to
>> >>>>>> lock some queue file when message is marked not to be scanned by
>> >>>>>> mailscanner ?
>> >>>>>>
>> >>>>> Yes, this seems plausible... Could you provide some log examples? Just
>> >>>>> to see that it really is separate children reading the same queue
>> >>>>> file...
>> >>>>>
>> >>>>>> I will not be very helpful to debug perl code, but i can provide any
>> >>>>>> needed logs to help finding the origin of the problem.
>> >>>>>>
>> >>>>> I'll see what I can do, but... I think this isn't "my" code snippets,
>> >>>>> but a thing that might have been present for a while... And I have a
>> >>>>> serious lack of time to spend on this ATM (worse than last time,
>> >>>>> before Xmas)... So no promises:-).
>> >>>>>
>> >>>>>> This is really a serious problem in this particular installation. But i
>> >>>>>> must say that we have dozens of other servers that are running
>> >>>>>> mailscanner/postfix, and we are very happy about them :)
>> >>>>>>
>> >>>>> Does it help if you DO scan with MS, but skip things at the next
>> >>>>> level, for example:
>> >>>>> Scan Messages = yes
>> >>>>> Use SpamAssassin = no
>> >>>>> Dangerous Content Scanning = no
>> >>>>> ... and possibly a few more (do them with a ruleset, of course:-)?
>> >>>>>
>> >>>> BTW, do you have any milters enabled in Postfix? What version of Postfix?
>> >>>>
>> >>>> Cheers
>> >>>>
>> >>> I think we need Jules on this one, not only feeble lil' me:-).
>> >>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless
>> >>> of the scanmail setting... But then, this is a rather complex bit of
>> >>> code, where the "execution path" isn't always as straightforward as it
>> >>> seems... Jules, could you spare a moment or two? Just to look at what
>> >>> could possibly be wrong with the message->scanmail = 0 scenario?
>> >>>
>> >> Can you *briefly* explain what the problem is, what the symptoms are and
>> >> where you think the problem might lie? This is a very long thread.... :-)
>> >>
>> >> Jules
>> >>
>> > In short:
>> > When using Postfix and setting Scan Messages = no (with a ruleset, for
>> > some....), duplicates are "generated" by several MailScanner children
>> > picking up and delivering the same message.
>>
>> Is the whole message being delivered multiple times, or are the
>> duplicates truncated at all?
> AFAIU, the messages are delivered seemingly whole (but seem slightly
> truncated in MW, at least according to Cedric).
>

That's true, here messages are delivered as complete, but in mailwatch we can't see the body (only headers) and the size is marked as null (only a "b" in the size column).

>> P.S. Sorry for top-posting on this thread a few minutes ago :-(
> It's your list, you are forgiven:-). And with that type of info...
> We'd pretty much forgive anything (even bad language... not that it'd
> ever happen with you:-):-).
>
> I'll try to find some time, but I think that the ones who have reported
> this problem (Cedric in particular) are the ones that need to test
> this... So, Cedric... Pretty please try this beta on your production
> host and then report back... So that the fix can be included in the
> next stable release!
>
> Just out of curiosity (I'll at least DL and read the beta...)... Where
> should I look for the fix?
>
> Cheers

As I just replied to Jules, i'll try to test it today. But i won't have much time to play with mailscanner tonight :)

Anyway, if i can't today, i will surely try tomorrow.

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From MailScanner at ecs.soton.ac.uk Thu Feb 14 10:48:30 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 14 10:48:59 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47B41595.2070104@alunys.com>
References: <47AB262E.6070808@alunys.com>
 <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
 <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
 <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
 <47AC89B2.80906@ecs.soton.ac.uk>
 <47ACB045.4090504@alunys.com>
 <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com>
 <47B3751B.90001@ecs.soton.ac.uk>
 <47B41595.2070104@alunys.com>
Message-ID: <47B41C7E.9060303@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cedric Devillers wrote:
> Julian Field wrote:
>
>> I have just released a new beta 4.67.4 to attempt to fix this problem.
>> It's very awkward to find, as it only occurs on busy systems. I have
>> found a possible reason and have fixed that.
>>
>> Please can you give this new version a try and let me know if it helps
>> solve the duplication problem at all.
>>
>> Thanks folks!
>> Jules.
>>
>
> Thanks for your attention on this problem.
>
> Is it possible to just copy some files from the tarball to the
> production system to test this ?
>
New copies of Message.pm and MessageBatch.pm should be enough.
> I just ask this because we use home packaged rpm versions of mailscanner
> (with just custom prefs files and defaults location), so do i need to
> repackage the whole stuff to test it ?
>
> As it is production system, i need to wait after office hours to test
> it. So i'll try to do it later today or tomorrow.
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: (pgp-secured)
Charset: ISO-8859-15

wj8DBQFHtBx/EfZZRxQVtlQRAklrAKC2Sk/loX1tEstk01vHc1b/vsiJswCgqhOC
yJebHTHkl4rT58fnfrQTE24=
=Mjjp
-----END PGP SIGNATURE-----

From alxfrag at gmail.com Thu Feb 14 08:40:06 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Thu Feb 14 13:49:00 2008
Subject: Mailscanner warnings
Message-ID: <47B3FE66.9050504@gmail.com>

Hi,

i'm using mailscanner v. 4.66.5-3.
My logs file is full of warnings like shown below:

Feb 14 10:36:45 posidon MailScanner[27874]: Virus and Content Scanning: Starting
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unzip
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --jar
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tar
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tgz
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --deb
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --max-ratio
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tempdir
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --recursive (-r)
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unrar

Is there any way i can stop that?

Thanks,

Alex

From MailScanner at ecs.soton.ac.uk Thu Feb 14 14:04:40 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 14 14:11:17 2008
Subject: Mailscanner warnings
In-Reply-To: <47B3FE66.9050504@gmail.com>
References: <47B3FE66.9050504@gmail.com>
Message-ID: <47B44A78.7080407@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What does MailScanner --lint say?

AlxFrag wrote:
> Hi,
>
> i'm using mailscanner v. 4.66.5-3. My logs file is full of warnings
> like shown below:
>
> Feb 14 10:36:45 posidon MailScanner[27874]: Virus and Content
> Scanning: Starting
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --unzip
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --jar
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --tar
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --tgz
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --deb
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --max-ratio
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --tempdir
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --recursive (-r)
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --unrar
>
> Is there any way i can stop that?
>
> Thanks,
>
> Alex

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHtEtpEfZZRxQVtlQRAkhlAJ9Of82becRsHgDMmWrVyfvJaVFuOACdFnhK
3Hg59laQALA1YGkA4DDZoVc=
=lWdI
-----END PGP SIGNATURE-----

From Kevin.Murphy at midland-ics.ie Thu Feb 14 16:12:03 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Thu Feb 14 16:05:46 2008
Subject: Question for the Experts
Message-ID: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>

Dear all

I recently made some changes to a domain's mx record.
It used to be, mx = serverA, which relays clean mail to Exchange Server

Because this domain was really getting hammered, I moved it to a more powerful spam filtering server.

MX Record is now ServerB, which fwds clean mail to ServerA, which relays it to the Exchange Server.

My Problem now is that some spammers are still sending mail direct to my ServerA for this Domain.

So I am looking at a way to configure the ServerA, so it only accepts mail for this domain if it comes from server (The more powerful one) So it drops the spammers on ServerA

Thanks

Kevin

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

From bpirie at rma.edu Thu Feb 14 16:10:03 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Feb 14 16:09:58 2008
Subject: Question for the Experts
In-Reply-To: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
Message-ID: <47B467DB.10204@rma.edu>

I just went through a similar process here. I firewalled port 25 on ServerA so ServerA could only receive email from ServerB.

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx =
> serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
> it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to my
> ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

From mailscanner at slackadelic.com Thu Feb 14 16:13:21 2008
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Thu Feb 14 16:13:32 2008
Subject: Question for the Experts
In-Reply-To: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
Message-ID: <47B468A1.2000800@slackadelic.com>

Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx =
> serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
> it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to my
> ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

Kevin,

This would more than likely be something you would have to configure at your MTA level and not within MailScanner itself.

-Matt

From alvaro at hostalia.com Thu Feb 14 16:23:08 2008
From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=)
Date: Thu Feb 14 16:23:18 2008
Subject: Question for the Experts
In-Reply-To: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
Message-ID: <47B46AEC.203@hostalia.com>

Hi,

> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA

Just, configure firewall rules to avoid that situation and ServerB's port 25 only accept connections from ServerA. Client's authenticated mails should be sent through the submission port (587).

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From list-mailscanner at linguaphone.com Thu Feb 14 16:23:14 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Feb 14 16:23:28 2008
Subject: Question for the Experts
In-Reply-To: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
Message-ID: <1203006194.7860.31.camel@gblades-suse.linguaphone-intranet.co.uk>

Configure the firewall on serverA to only accept connections on port 25 coming from serverB

On Thu, 2008-02-14 at 16:12, Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx
> = serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which
> relays it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to
> my ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one)
> So it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

From Kevin.Murphy at midland-ics.ie Thu Feb 14 16:30:16 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Thu Feb 14 16:24:00 2008
Subject: Question for the Experts
In-Reply-To: <47B467DB.10204@rma.edu>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
 <47B467DB.10204@rma.edu>
Message-ID: <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie>

Hi Brendan

I cannot firewall port 25, as it receives mail for many other Domains.

Thanks

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan Pirie
Sent: 14 February 2008 16:10
To: MailScanner discussion
Subject: Re: Question for the Experts

I just went through a similar process here. I firewalled port 25 on ServerA so ServerA could only receive email from ServerB.

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx =
> serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
> it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to my
> ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

This e-mail is intended solely for the addressee(s) and is strictly
confidential. The unauthorised use, disclosure or copying of this e-mail,
or any information it contains is prohibited. If you have received this
e-mail in error, please notify us immediately and then permanently delete
it. Although Midland Internet & Computer Solutions make every effort to
keep our systems free from viruses you should check this e-mail and any
attachments to it for viruses as we cannot accept any liability for
viruses inadvertently transmitted by use.

From Kevin.Murphy at midland-ics.ie Thu Feb 14 16:31:53 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Thu Feb 14 16:25:35 2008
Subject: Question for the Experts
In-Reply-To: <47B468A1.2000800@slackadelic.com>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com>
Message-ID: <009401c86f27$1bd4d5c0$537e8140$@Murphy@midland-ics.ie>

Right - It's a sendmail issue so
Ok thanks for pointing this out

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hayes
Sent: 14 February 2008 16:13
To: MailScanner discussion
Subject: Re: Question for the Experts

Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx =
> serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
> it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to my
> ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

Kevin,

This would more than likely be something you would have to configure at
your MTA level and not within MailScanner itself.

-Matt

From bpirie at rma.edu Thu Feb 14 16:44:54 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Feb 14 16:44:52 2008
Subject: Question for the Experts
In-Reply-To: <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B467DB.10204@rma.edu> <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie>
Message-ID: <47B47006.6000909@rma.edu>

Are you saying ServerA is no longer the MX for this particular domain,
but it is still the MX for several other domains?

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Hi Brendan
> I cannot firewall port 25, as it receives mail for many other Domains.
> Thanks
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan
> Pirie
> Sent: 14 February 2008 16:10
> To: MailScanner discussion
> Subject: Re: Question for the Experts
>
> I just went through a similar process here. I firewalled port 25 on
> ServerA so ServerA could only receive email from ServerB.
>
> Brendan Pirie
> Manager of Information Technology
> Randolph-Macon Academy
> bpirie@rma.edu
>
> Kevin MURPHY wrote:
>> Dear all
>>
>> I recently made some changes to a domain's mx record. It used to be, mx =
>> serverA, which relays clean mail to Exchange Server
>>
>> Because this domain was really getting hammered, I moved it to a more
>> powerful spam filtering server.
>>
>> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
>> it to the Exchange Server.
>>
>> My Problem now is that some spammers are still sending mail direct to my
>> ServerA for this Domain.
>>
>> So I am looking at a way to configure the ServerA, so it only accepts
>> mail for this domain if it comes from server (The more powerful one) So
>> it drops the spammers on ServerA
>>
>> Thanks
>>
>> Kevin

From Kevin.Murphy at midland-ics.ie Thu Feb 14 16:58:28 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Thu Feb 14 16:52:11 2008
Subject: Question for the Experts
In-Reply-To: <47B47006.6000909@rma.edu>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B467DB.10204@rma.edu> <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie> <47B47006.6000909@rma.edu>
Message-ID: <00a001c86f2a$d2b165d0$78143170$@Murphy@midland-ics.ie>

Yeah that's the scenario.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan Pirie
Sent: 14 February 2008 16:45
To: MailScanner discussion
Subject: Re: Question for the Experts

Are you saying ServerA is no longer the MX for this particular domain,
but it is still the MX for several other domains?

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Hi Brendan
> I cannot firewall port 25, as it receives mail for many other Domains.
> Thanks
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan
> Pirie
> Sent: 14 February 2008 16:10
> To: MailScanner discussion
> Subject: Re: Question for the Experts
>
> I just went through a similar process here. I firewalled port 25 on
> ServerA so ServerA could only receive email from ServerB.
>
> Brendan Pirie
> Manager of Information Technology
> Randolph-Macon Academy
> bpirie@rma.edu
>
> Kevin MURPHY wrote:
>> Dear all
>>
>> I recently made some changes to a domain's mx record. It used to be, mx =
>> serverA, which relays clean mail to Exchange Server
>>
>> Because this domain was really getting hammered, I moved it to a more
>> powerful spam filtering server.
>>
>> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
>> it to the Exchange Server.
>>
>> My Problem now is that some spammers are still sending mail direct to my
>> ServerA for this Domain.
>>
>> So I am looking at a way to configure the ServerA, so it only accepts
>> mail for this domain if it comes from server (The more powerful one) So
>> it drops the spammers on ServerA
>>
>> Thanks
>>
>> Kevin

From ugob at lubik.ca Thu Feb 14 17:26:27 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Thu Feb 14 17:27:06 2008
Subject: Question for the Experts
In-Reply-To: <45354.7920370058$1203007154@news.gmane.org>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org>
Message-ID:

Kevin MURPHY wrote:
> Right - It's a sendmail issue so
> Ok thanks for pointing this out

This should be solved with a sendmail ruleset. I wouldn't know how to
write it, though. Maybe ask fsl? www.fsl.com.

Regards,

Ugo

From shuttlebox at gmail.com Thu Feb 14 17:28:51 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Feb 14 17:29:00 2008
Subject: Question for the Experts
In-Reply-To: <4250301665523923982@unknownmsgid>
References: <47B467DB.10204@rma.edu> <47B47006.6000909@rma.edu> <4250301665523923982@unknownmsgid>
Message-ID: <625385e30802140928x38246a0fr40b910b0d3ffcbc5@mail.gmail.com>

On Thu, Feb 14, 2008 at 5:58 PM, Kevin MURPHY wrote:
> Yeah that's the scenario.

But if it's not an official server for that domain anymore it
shouldn't be configured as one either and therefore reject all attempts
to send mail to that domain through it. Sorry if I missed something
from your earlier posts.

--
/peter

From mkercher at nfsmith.com Thu Feb 14 17:42:28 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Feb 14 17:42:51 2008
Subject: Question for the Experts
In-Reply-To: <00a001c86f2a$d2b165d0$78143170$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B467DB.10204@rma.edu> <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie><47B47006.6000909@rma.edu> <00a001c86f2a$d2b165d0$78143170$@Murphy@midland-ics.ie>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F7750E4@HOUPEX01.nfsmith.info>

Give Server A its own IP address and firewall that single IP to accept
SMTP from Server B only. Then, you can allow all SMTP to the other IP
address(es) on Server A.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin MURPHY
Sent: Thursday, February 14, 2008 10:58 AM
To: 'MailScanner discussion'
Subject: RE: Question for the Experts

Yeah that's the scenario.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan Pirie
Sent: 14 February 2008 16:45
To: MailScanner discussion
Subject: Re: Question for the Experts

Are you saying ServerA is no longer the MX for this particular domain,
but it is still the MX for several other domains?

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Hi Brendan
> I cannot firewall port 25, as it receives mail for many other Domains.
> Thanks
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Brendan Pirie
> Sent: 14 February 2008 16:10
> To: MailScanner discussion
> Subject: Re: Question for the Experts
>
> I just went through a similar process here. I firewalled port 25 on
> ServerA so ServerA could only receive email from ServerB.
>
> Brendan Pirie
> Manager of Information Technology
> Randolph-Macon Academy
> bpirie@rma.edu
>
> Kevin MURPHY wrote:
>> Dear all
>>
>> I recently made some changes to a domain's mx record. It used to be, mx
>> = serverA, which relays clean mail to Exchange Server
>>
>> Because this domain was really getting hammered, I moved it to a more
>> powerful spam filtering server.
>>
>> MX Record is now ServerB, which fwds clean mail to ServerA, which
>> relays it to the Exchange Server.
>>
>> My Problem now is that some spammers are still sending mail direct to
>> my ServerA for this Domain.
>>
>> So I am looking at a way to configure the ServerA, so it only accepts
>> mail for this domain if it comes from server (The more powerful one)
>> So it drops the spammers on ServerA
>>
>> Thanks
>>
>> Kevin

From ssilva at sgvwater.com Thu Feb 14 18:38:25 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 14 18:38:45 2008
Subject: Question for the Experts
In-Reply-To:
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org>
Message-ID:

on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
> Kevin MURPHY wrote:
>> Right - It's a sendmail issue so
>> Ok thanks for pointing this out
>
> This should be solved with a sendmail ruleset. I wouldn't know how to
> write it, though. Maybe ask fsl? www.fsl.com.
>
> Regards,
>
> Ugo
>
If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
and remake the access file.
Or you can change reject to discard if you want it silently dropped.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkercher at nfsmith.com Thu Feb 14 18:44:33 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Feb 14 18:44:55 2008
Subject: Question for the Experts
In-Reply-To:
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info>

-----Original Message-----

on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
> Kevin MURPHY wrote:
>> Right - It's a sendmail issue so
>> Ok thanks for pointing this out
>
> This should be solved with a sendmail ruleset. I wouldn't know how to
> write it, though. Maybe ask fsl? www.fsl.com.
>
> Regards,
>
> Ugo
>
If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
and remake the access file.
Or you can change reject to discard if you want it silently dropped.

--

I think that would reject/discard the emails from Server B as well.

Mike

From glenn.steen at gmail.com Thu Feb 14 19:55:41 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 14 19:55:50 2008
Subject: Question for the Experts
In-Reply-To:
References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org>
Message-ID: <223f97700802141155w1d8bc445pbf9a48fc57d86fa4@mail.gmail.com>

On 14/02/2008, Scott Silva wrote:
> on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
>
> > Kevin MURPHY wrote:
> >> Right - It's a sendmail issue so
> >> Ok thanks for pointing this out
> >
> > This should be solved with a sendmail ruleset. I wouldn't know how to
> > write it, though. Maybe ask fsl? www.fsl.com.
> >
> > Regards,
> >
> > Ugo
> >
>
> If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
> and remake the access file.
> Or you can change reject to discard if you want it silently dropped.
>
>
Not being a Sendmail chap at all.... Couldn't one (in the same access
file on serverA) explicitly accept serverB to the specific domain and
REJECT the rest? Surely should be possible...?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From richard.frovarp at sendit.nodak.edu Thu Feb 14 19:59:36 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Feb 14 19:59:47 2008
Subject: Question for the Experts
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info>
Message-ID: <47B49DA8.8080401@sendit.nodak.edu>

Mike Kercher wrote:
>
> -----Original Message-----
>
> on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
>
>> Kevin MURPHY wrote:
>>
>>> Right - It's a sendmail issue so
>>> Ok thanks for pointing this out
>>>
>> This should be solved with a sendmail ruleset. I wouldn't know how to
>> write it, though. Maybe ask fsl? www.fsl.com.
>>
>> Regards,
>>
>> Ugo
>>
> If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
> and remake the access file.
> Or you can change reject to discard if you want it silently dropped.
>
> --
>
> I think that would reject/discard the emails from Server B as well.
>
> Mike

Why not just have Server B pass the message onto Exchange? Seems like a
waste to pass it onto a middle man.
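
Added example (not part of any poster's message, and not MailScanner or sendmail project code): before choosing between the firewall and access-file suggestions in this thread, ServerA's own log can show which clients still deliver mail for the moved domain without passing through ServerB. It assumes sendmail's usual from=/to= syslog lines; the log lines, host names, the domain example.net and 192.0.2.25 as ServerB's address are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of ServerA's sendmail log. Every host, queue ID and
# address is a placeholder (documentation address ranges).
SAMPLE_LOG = """\
Feb 14 16:02:11 servera sendmail[2101]: m1EG2B5x002101: from=<news@sender.example>, size=2310, class=0, nrcpts=1, msgid=<1@sender.example>, proto=ESMTP, daemon=MTA, relay=serverb.example.net [192.0.2.25]
Feb 14 16:02:12 servera sendmail[2103]: m1EG2B5x002101: to=<kevin@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122310, relay=exchange.example.net. [192.0.2.50], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Feb 14 16:03:40 servera sendmail[2140]: m1EG3C7k002140: from=<promo@bulk.example>, size=5120, class=0, nrcpts=1, msgid=<2@bulk.example>, proto=SMTP, daemon=MTA, relay=dsl-77.isp.example [203.0.113.77] (may be forged)
Feb 14 16:03:41 servera sendmail[2142]: m1EG3C7k002140: to=<sales@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=125120, relay=exchange.example.net. [192.0.2.50], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Feb 14 16:04:55 servera sendmail[2177]: m1EG4D9p002177: from=<x@bulk.example>, size=4096, class=0, nrcpts=2, msgid=<3@bulk.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.80]
Feb 14 16:04:56 servera sendmail[2179]: m1EG4D9p002177: to=<a@example.net>,<b@other.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=154096, relay=exchange.example.net. [192.0.2.50], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Feb 14 16:05:30 servera sendmail[2190]: m1EG5E1q002190: from=<friend@partner.example>, size=1800, class=0, nrcpts=1, msgid=<4@partner.example>, proto=ESMTP, daemon=MTA, relay=mail.partner.example [198.51.100.9]
Feb 14 16:05:31 servera sendmail[2192]: m1EG5E1q002190: to=<info@other.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=121800, relay=exchange.example.net. [192.0.2.50], dsn=2.0.0, stat=Sent (Queued mail for delivery)
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")            # queue ID, fields
CLIENT = re.compile(r"\brelay=[^\[]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
RCPTS = re.compile(r"to=(\S+?),\s")                             # <a@x>,<b@y>


def find_mx_bypass(lines, domain, allowed_clients):
    """Return (queue_id, client_ip, recipient) for mail to `domain` that
    reached this host from a client outside `allowed_clients`."""
    allowed = [ipaddress.ip_network(c) for c in allowed_clients]
    suffix = "@" + domain.lower()
    client_of = {}          # queue ID -> connecting client address
    hits = []
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue
        qid, fields = entry.groups()
        if fields.startswith("from="):
            # On a from= line, relay= names the connecting client.
            found = CLIENT.search(fields)
            client_of[qid] = ipaddress.ip_address(found.group(1)) if found else None
        elif fields.startswith("to="):
            # On a to= line, relay= is the next hop, so only recipients are read.
            client = client_of.get(qid)
            if client is None or client.is_loopback:
                continue    # local submission, or from= line not in this log
            if any(client in net for net in allowed):
                continue    # arrived through the intended path
            rcpts = RCPTS.match(fields)
            for rcpt in (rcpts.group(1).split(",") if rcpts else []):
                addr = rcpt.strip("<>").lower()
                if addr.endswith(suffix):
                    hits.append((qid, str(client), addr))
    return hits


def by_client(hits):
    """Count bypass deliveries per client address, busiest first."""
    return Counter(ip for _, ip, _ in hits).most_common()


if __name__ == "__main__":
    found = find_mx_bypass(SAMPLE_LOG.splitlines(), "example.net", ["192.0.2.25"])
    for qid, ip, rcpt in found:
        print(f"{qid}: {rcpt} delivered directly by {ip}")
    print(by_client(found))
```

Mail for the other domains ServerA still serves is left alone, which is the constraint Kevin raised against firewalling port 25 outright.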

From glenn.steen at gmail.com Thu Feb 14 20:19:03 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 14 20:19:14 2008
Subject: Question for the Experts
In-Reply-To: <47B49DA8.8080401@sendit.nodak.edu>
References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu>
Message-ID: <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com>

On 14/02/2008, Richard Frovarp wrote:
> Mike Kercher wrote:
> >
> > -----Original Message-----
> >
> > on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
> >
> >> Kevin MURPHY wrote:
> >>
> >>> Right - It's a sendmail issue so
> >>> Ok thanks for pointing this out
> >>>
> >> This should be solved with a sendmail ruleset. I wouldn't know how to
> >> write it, though. Maybe ask fsl? www.fsl.com.
> >>
> >> Regards,
> >>
> >> Ugo
> >>
> > If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
> > and remake the access file.
> > Or you can change reject to discard if you want it silently dropped.
> >
> > --
> >
> > I think that would reject/discard the emails from Server B as well.
> >
> > Mike
>
> Why not just have Server B pass the message onto Exchange? Seems like a
> waste to pass it onto a middle man.
>
I agree in principle... but Kevin might have... topological
considerations.... we're not aware of:-).

Since I'm no guru on the access file of Sendmail, I did some googling
and found this very friendly (albeit long) article that might be a
help: http://blue-labs.org/howto/access_hints.php ... If I'm not
mistaken, one could have something like

To:example.net          REJECT
[IP.of.server.B]        RELAY

... in the access file on serverA, and then (since the IP thing should
be more specific(?)) example.net relayed from serverB should get
through.... but nothing else.
The big disclaimer here is that what I remember of Sendmail is ...
easily enumerated:-).
I know this could be done with Postfix access though;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mark at msapiro.net Fri Feb 15 02:55:52 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 15 02:56:12 2008
Subject: Mailscanner generated duplicate message.
In-Reply-To: <223f97700801240433h7d52ba68xe374d5efe7cdc1e4@mail.gmail.com>
Message-ID:

Glenn Steen wrote on Thu Jan 24 12:33:45 2008

>On 24/12/2007, Mark Sapiro wrote:
>>
>> The nature of the server is that outgoing mail is virtually all Mailman
>> list posts or forwards of mail, all of which was scanned on the way in.
>> I would just as soon not have Postfix hold mail from localhost at all,
>> but I haven't figured out how to do that.
>>
>Bypassing MailScanner for outgoing mail is easily done... All you need
>is an smtpd listening on another port .... and have that smtpd _not_
>use the header_check... Then see to it that mailman use that port to
>submit mails... Set SMTPPORT in your config, IIRC... There are some
>examples littering the net, on how to setup a "secondary" smtpd
>listener, and you usually have a stub in your master.cf ... Also look
>at the wiki, I have some howto there where I use a trick like that to
>do multi-recipient splitting (one mail/recipient, so that MailScanner
>rules don't work on just the first recipient...). Or give a holler and
>I'll dig something out.

Glenn,

I've been away for a while; thus the delayed response.

Thank you for the above advice. It's very helpful.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From mark at msapiro.net Fri Feb 15 03:23:42 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 15 03:23:54 2008
Subject: Mailscanner generated duplicate message
In-Reply-To:
Message-ID:

Alex Neuman wrote:
>
>On Feb 8, 2008, at 2:02 PM, Glenn Steen wrote:
>
>> When using Postfix and setting Scan Messages = no (with a ruleset, for
>> some....), duplicates are "generated" by several MailScanner children
>> picking up and delivering the same message. It seems to be something
>> to do with timing, since not all generate this behavior, but rather
>> under heavy load (as in situations where some form of mailing list or
>> bulk mailer (presumably a legit newsletter) send large amounts of
>> messages at once).
>
>Could you reproduce the opposite of this behaviour by using "max
>children = 0"?

Sorry for being absent from this thread. I was away and set my
subscription to nomail, and hadn't bothered to look at the archives. My
bad.

Anyway, In my case, on Jan 3, I set "Max Children = 2". It had been 5.
I saw no more dups until one on Jan 19. I then set "Max Children = 1"
and have seen no further dups.

I expect that I would never see any dups of this kind when "Max
Children = 1", since dups apparently only occurred when two separate
children picked up the same entry.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Fri Feb 15 03:25:58 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 15 03:26:12 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47B3751B.90001@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>
>I have just released a new beta 4.67.4 to attempt to fix this problem.
>It's very awkward to find, as it only occurs on busy systems. I have
>found a possible reason and have fixed that.
>
>Please can you give this new version a try and let me know if it helps
>solve the duplication problem at all.

I will try to install this beta within the next few days and set "Max
Children = 5" again and see what happens.

Thanks.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Fri Feb 15 04:44:10 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 15 04:44:22 2008
Subject: Mailscanner generated duplicate message
In-Reply-To:
Message-ID:

Mark Sapiro wrote:

>Julian Field wrote:
>>
>>I have just released a new beta 4.67.4 to attempt to fix this problem.
>>It's very awkward to find, as it only occurs on busy systems. I have
>>found a possible reason and have fixed that.
>>
>>Please can you give this new version a try and let me know if it helps
>>solve the duplication problem at all.
>
>
>I will try to install this beta within the next few days and set "Max
>Children = 5" again and see what happens.

I'm ahead of schedule. I've just installed the 4.67.4 beta and set Max
Children = 5. I'll be monitoring my logs for dups. I'll post my
findings to the list.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From uxbod at splatnix.net Fri Feb 15 09:24:34 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 09:24:51 2008
Subject: MS hanging and 100% CPU
Message-ID: <12733159.51203067474144.JavaMail.root@office.splatnix.net>

Hi Jules,

I am back home now so can take a look a bit deeper at my problem. Any
thoughts on what to look at first ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From alxfrag at gmail.com Fri Feb 15 09:31:34 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 09:31:43 2008
Subject: Mailscanner warnings
In-Reply-To: <47B44A78.7080407@ecs.soton.ac.uk>
References: <47B3FE66.9050504@gmail.com> <47B44A78.7080407@ecs.soton.ac.uk>
Message-ID: <47B55BF6.2010708@gmail.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What does
> MailScanner --lint
> say?
>
> AlxFrag wrote:
>
>> Hi,
>>
>> i'm using mailscanner v. 4.66.5-3. My logs file is full of warnings
>> like shown below:
>>
>> Feb 14 10:36:45 posidon MailScanner[27874]: Virus and Content Scanning: Starting
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unzip
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --jar
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tar
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tgz
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --deb
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --max-ratio
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tempdir
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --recursive (-r)
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unrar
>>
>>
>> Is there any way i can stop that?
>>
>> Thanks,
>>
>> Alex
>>
>
> Jules
>
> - --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.8.0 (Build 2158)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFHtEtpEfZZRxQVtlQRAkhlAJ9Of82becRsHgDMmWrVyfvJaVFuOACdFnhK
> 3Hg59laQALA1YGkA4DDZoVc=
> =lWdI
> -----END PGP SIGNATURE-----
>
>
where should i give

MailScanner --lint?

:)

From martinh at solidstatelogic.com Fri Feb 15 09:41:47 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 09:42:04 2008
Subject: Mailscanner warnings
In-Reply-To: <47B55BF6.2010708@gmail.com>
Message-ID: <08c83b70917ecd41bbddb1774ccbedfa@solidstatelogic.com>

Hi

Looks like mailscanner is sending parameters the clamscan it doesn't understand.

You may wish to switch to clamd or clammodule as a faster alternative which should also solve this problem.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 15 February 2008 09:32
> To: MailScanner discussion
> Subject: Re: Mailscanner warnings
>
> Julian Field wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What does
> MailScanner --lint
> say?
>
> AlxFrag wrote:
>
>
> Hi,
>
> i'm using mailscanner v. 4.66.5-3.
> My logs file is full of warnings like shown below:
>
> Feb 14 10:36:45 posidon MailScanner[27874]: Virus and Content Scanning: Starting
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unzip
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --jar
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tar
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tgz
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --deb
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --max-ratio
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tempdir
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --recursive (-r)
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unrar
>
>
> Is there any way i can stop that?
>
> Thanks,
>
> Alex
>
>
>
> Jules
>
> - --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your
> boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.8.0 (Build 2158)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFHtEtpEfZZRxQVtlQRAkhlAJ9Of82becRsHgDMmWrVyfvJaVFuOACdFnhK
> 3Hg59laQALA1YGkA4DDZoVc=
> =lWdI
> -----END PGP SIGNATURE-----
>
>
>
> where should i give
>
> MailScanner --lint?
>
> :)

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error you
must take no action based on them, nor must you copy or show them to
anyone.
Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From uxbod at splatnix.net Fri Feb 15 09:42:01 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 09:43:24 2008 Subject: Mailscanner warnings In-Reply-To: <47B55BF6.2010708@gmail.com> Message-ID: <5190593.01203068521399.JavaMail.root@office.splatnix.net> yes Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "AlxFrag" wrote: > Julian Field wrote: From alxfrag at gmail.com Fri Feb 15 09:46:26 2008 From: alxfrag at gmail.com (AlxFrag) Date: Fri Feb 15 09:46:35 2008 Subject: Mailscanner warnings In-Reply-To: <08c83b70917ecd41bbddb1774ccbedfa@solidstatelogic.com> References: <08c83b70917ecd41bbddb1774ccbedfa@solidstatelogic.com> Message-ID: <47B55F72.5050705@gmail.com> Martin.Hepworth wrote: > Hi > > Looks like mailscanner is sending parameters the clamscan it doesn't understand. 
>
> You may wish to switch to clamd or clammodule as a faster alternative which should also solve this problem.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
i'm using clamd.

Regards,
Alex

From martinh at solidstatelogic.com Fri Feb 15 10:06:01 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 10:06:16 2008
Subject: Mailscanner warnings
In-Reply-To: <47B55F72.5050705@gmail.com>
Message-ID: <03035c2c26161f45a425d72397088fc1@solidstatelogic.com>

Alex

Sounds like clamd's not happy with the 'normal' parameter list of things to scan.

What happens if you call

clamd --tar

from the command line?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 15 February 2008 09:46
> To: MailScanner discussion
> Subject: Re: Mailscanner warnings
>
> i'm using clamd.
>
> Regards,
> Alex

From alxfrag at gmail.com Fri Feb 15 10:11:36 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 10:11:43 2008
Subject: Mailscanner warnings
In-Reply-To: <03035c2c26161f45a425d72397088fc1@solidstatelogic.com>
References: <03035c2c26161f45a425d72397088fc1@solidstatelogic.com>
Message-ID: <47B56558.5060301@gmail.com>

It says:

/usr/local/sbin/clamd: unrecognized option `--tar'
ERROR: Unknown option passed.
ERROR: Can't parse the command line

Martin.Hepworth wrote:
> Alex
>
> Sounds like clamd's not happy with the 'normal' parameter list of things to scan.
>
> What happens if you call
>
> clamd --tar
>
> from the command line?
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

From uxbod at splatnix.net Fri Feb 15 10:13:44 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 10:13:57 2008
Subject: Mailscanner warnings
In-Reply-To: <47B56558.5060301@gmail.com>
Message-ID: <3460604.31203070424335.JavaMail.root@office.splatnix.net>

clamd --version ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "AlxFrag" wrote:
> It says:
>
> /usr/local/sbin/clamd: unrecognized option `--tar'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
>
> Martin.Hepworth wrote:
>
> Alex
>
> Sounds like clamd's not happy with the 'normal' parameter list of
> things to scan.
>
> What happens if you call
>
> clamd --tar
>
> from the command line?

From alxfrag at gmail.com Fri Feb 15 10:18:49 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 10:19:10 2008
Subject: Mailscanner warnings
In-Reply-To: <3460604.31203070424335.JavaMail.root@office.splatnix.net>
References: <3460604.31203070424335.JavaMail.root@office.splatnix.net>
Message-ID: <47B56709.5070003@gmail.com>

--[ UxBoD ]-- wrote:
> clamd --version ?
>
> Regards,
>
ClamAV 0.91.2/5829/Fri Feb 15 06:00:17 2008

From Kevin.Murphy at midland-ics.ie Fri Feb 15 10:26:14 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Fri Feb 15 10:19:58 2008
Subject: Question for the Experts
In-Reply-To: <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com>
References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu> <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com>
Message-ID: <010701c86fbd$31a33220$94e99660$@Murphy@midland-ics.ie>

Hi Everyone

Thanks for so many replies. It's the first time I have used this list and it's really great to see how the community helps each other.

Glen - I have tried that access file REJECT, but it rejects all mail even from server

To:domain.com REJECT [IP Address of Server B] RELAY

----- Transcript of session follows -----
... while talking to serverA:
>>> DATA
<<< 553 5.3.0 ... REJECT[IPADDRESS SERVER B]RELAY
550 5.1.1 ... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

Regards
Kevin

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 14 February 2008 20:19
To: MailScanner discussion
Subject: Re: Question for the Experts

On 14/02/2008, Richard Frovarp wrote:
> Mike Kercher wrote:
> >
> > -----Original Message-----
> >
> > on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
> >
> >> Kevin MURPHY wrote:
> >>
> >>> Right - It's a sendmail issue so
> >>> Ok thanks for pointing this out
> >>>
> >> This should be solved with a sendmail ruleset. I wouldn't know how to
> >> write it, though. Maybe ask fsl? www.fsl.com.
> >>
> >> Regards,
> >>
> >> Ugo
> >>
> > If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
> > and remake the access file.
> > Or you can change reject to discard if you want it silently dropped.
> >
> > --
> >
> > I think that would reject/discard the emails from Server B as well.
> >
> > Mike
>
> Why not just have Server B pass the message onto Exchange? Seems like a
> waste to pass it onto a middle man.
>
I agree in principle... but Kevin might have... topological considerations.... we're not aware of:-).
Since I'm no guru on the access file of Sendmail, I did some googling and found this very friendly (albeit long) article that might be a help:
http://blue-labs.org/howto/access_hints.php
... If I'm not mistaken, one could have something like

To:example.net REJECT
[IP.of.server.B] RELAY

... in the access file on serverA, and then (since the IP thing should be more specific(?)) example.net relayed from serverB should get through.... but nothing else.

The big disclaimer here is that what I remember of Sendmail is ... easily enumerated:-). I know this could be done with Postfix access though;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

From martinh at solidstatelogic.com Fri Feb 15 10:21:26 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 10:21:42 2008
Subject: Mailscanner warnings
In-Reply-To: <47B56558.5060301@gmail.com>
Message-ID: <30df0b68ecefe142b3acf274bff3b315@solidstatelogic.com>

OK I'm getting confused....

In MailScanner.conf what have you got set for "Virus Scanners"???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 15 February 2008 10:12
> To: MailScanner discussion
> Subject: Re: Mailscanner warnings
>
> It says:
>
> /usr/local/sbin/clamd: unrecognized option `--tar'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line

From uxbod at splatnix.net Fri Feb 15 10:29:03 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 10:29:16 2008
Subject: Mailscanner warnings
In-Reply-To: <47B56709.5070003@gmail.com>
Message-ID: <33275.61203071343873.JavaMail.root@office.splatnix.net>

would you please run the MailScanner --lint

it will either be in /usr/sbin or /usr/local/bin and both should be in your path anyway.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "AlxFrag" wrote:

--[ UxBoD ]-- wrote:
> clamd --version ?
>
> Regards,
>
ClamAV 0.91.2/5829/Fri Feb 15 06:00:17 2008

From alxfrag at gmail.com Fri Feb 15 10:42:48 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 10:42:58 2008
Subject: Mailscanner warnings
In-Reply-To: <33275.61203071343873.JavaMail.root@office.splatnix.net>
References: <33275.61203071343873.JavaMail.root@office.splatnix.net>
Message-ID: <47B56CA8.8090501@gmail.com>

--[ UxBoD ]-- wrote:
> would you please run the MailScanner --lint
>
> it will either be in /usr/sbin or /usr/local/bin and both should be in your path anyway.
>
> Regards,
>
Read 817 hostnames from the phishing whitelist
MailScanner setting GID to (1002)
MailScanner setting UID to (1004)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache Connected to SpamAssassin cache database config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied SpamAssassin reported an error. Using locktype = flock MailScanner.conf says "Virus Scanners = clamav" Found these virus scanners installed: clamav From uxbod at splatnix.net Fri Feb 15 10:49:17 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 10:49:30 2008 Subject: Mailscanner warnings In-Reply-To: <47B56CA8.8090501@gmail.com> Message-ID: <374929.91203072557945.JavaMail.root@office.splatnix.net> change Virus Scanners to clamd instead of clamav Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "AlxFrag" wrote: --[ UxBoD ]-- wrote: > would you please run the MailScanner --lint > > it will either be in /usr/sbin or /usr/local/bin and both should be in your path anyway. > > Regards, > > Read 817 hostnames from the phishing whitelist MailScanner setting GID to (1002) MailScanner setting UID to (1004) Checking for SpamAssassin errors (if you use it)... 
Using SpamAssassin results cache Connected to SpamAssassin cache database config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied SpamAssassin reported an error. Using locktype = flock MailScanner.conf says "Virus Scanners = clamav" Found these virus scanners installed: clamav -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Fri Feb 15 10:50:05 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Feb 15 10:50:40 2008 Subject: Mailscanner warnings In-Reply-To: <47B56CA8.8090501@gmail.com> Message-ID: <29f56b3dcdc4e44987b8b6cb1a0715a2@solidstatelogic.com> Ah there you go.. Change the Virus Scanners to Virus Scanners = clamd And make sure the clamd settings are sensible further down the file. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of AlxFrag > Sent: 15 February 2008 10:43 > To: MailScanner discussion > Subject: Re: Mailscanner warnings > > --[ UxBoD ]-- wrote: > > would you please run the MailScanner --lint > > > > it will either be in /usr/sbin or /usr/local/bin and both should be in > your path anyway. 
> > > > Regards, > > > > > Read 817 hostnames from the phishing whitelist > MailScanner setting GID to (1002) > MailScanner setting UID to (1004) > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid > for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor > bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: > tie failed: Permission denied > bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: > tie failed: Permission denied > bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: > tie failed: Permission denied > SpamAssassin reported an error. > Using locktype = flock > MailScanner.conf says "Virus Scanners = clamav" > Found these virus scanners installed: clamav > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From uxbod at splatnix.net Fri Feb 15 10:52:41 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 10:52:53 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <1433407.241202983634886.JavaMail.root@office.splatnix.net> Message-ID: <17712783.121203072761250.JavaMail.root@office.splatnix.net> Man this is doing my head in :( Have checked all the directories and the permissions are just fine. It seems that only the header is being extracted from the emails, and not the message body at all. Perhaps my MIME::Tools is corrupt ? But I have download the latest MS and recompiled everything. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "--[ UxBoD ]--" wrote: > Hi Glenn, > > pf logs are fine, I even ran a postfix check and set-permissions just > in case. Three messages are in the queue and are about 2k in size > each. I even dropped the tmpfs and ran it directly to the file > system. No change. > > For the time being I am routing messages directly, as the PostFix > checks are blocking most things. I will take a deeper look at it this > evening when I am back home. > > Any other suggestions are greatly appreciated. Any other ways I can > debug the code Jules to find where it is stalling ? 
>
> Regards,

From alxfrag at gmail.com Fri Feb 15 11:11:42 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 11:11:44 2008
Subject: Mailscanner warnings
In-Reply-To: <29f56b3dcdc4e44987b8b6cb1a0715a2@solidstatelogic.com>
References: <29f56b3dcdc4e44987b8b6cb1a0715a2@solidstatelogic.com>
Message-ID: <47B5736E.8030007@gmail.com>

Martin.Hepworth wrote:
> Ah there you go..
>
> Change the Virus Scanners to
>
> Virus Scanners = clamd
>
> And make sure the clamd settings are sensible further down the file.
>

This gives the error:

Feb 15 12:58:25 hermes MailScanner[6535]: Virus scanner "clamd" not found in virus.scanners.conf file. Please check your spelling in "Virus Scanners =" line of MailScanner.conf

It must be clamd running because in etc/local/clamd.conf I have:

LocalSocket /tmp/clamd

Also, if I type ps -A I get:

2319 ? 00:36:32 clamd

Regards

From martinh at solidstatelogic.com Fri Feb 15 11:19:41 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 11:19:58 2008
Subject: Mailscanner warnings
In-Reply-To: <47B5736E.8030007@gmail.com>
Message-ID: <4e78482ecb82a745835658b53c352ed1@solidstatelogic.com>

> This gives the error:
>
> Feb 15 12:58:25 hermes MailScanner[6535]: Virus scanner "clamd" not found
> in virus.scanners.conf file. Please check your spelling in "Virus Scanners
> =" line of MailScanner.conf
>
> It must be clamd running because in etc/local/clamd.conf I have:
>
> LocalSocket /tmp/clamd
>
> Also, if I type ps -A I get:
>
> 2319 ? 00:36:32 clamd
>
> Regards
>

Hmm looks there's a problem with the install then. Is this a fresh install or upgrade from an earlier version, as the clamd info in virus.scanners.conf has been present for quite a few releases now.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From uxbod at splatnix.net Fri Feb 15 11:33:03 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 11:33:17 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <17712783.121203072761250.JavaMail.root@office.splatnix.net>
Message-ID: <27966505.151203075183846.JavaMail.root@office.splatnix.net>

What I think is happening is that due to the message body not being there, MS is getting itself into a loop trying to read to the end of the file.

Still does not answer why the body is not being extracted :(

Regards,

--
--[ UxBoD ]--

----- "--[ UxBoD ]--" wrote:

> Man this is doing my head in :( Have checked all the directories and
> the permissions are just fine. It seems that only the header is being
> extracted from the emails, and not the message body at all.
>
> Perhaps my MIME::Tools is corrupt ? But I have downloaded the latest MS
> and recompiled everything.
>
> Regards,

From alxfrag at gmail.com Fri Feb 15 11:39:18 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 11:39:21 2008
Subject: Mailscanner warnings
In-Reply-To: <4e78482ecb82a745835658b53c352ed1@solidstatelogic.com>
References: <4e78482ecb82a745835658b53c352ed1@solidstatelogic.com>
Message-ID: <47B579E6.8090602@gmail.com>

Martin.Hepworth wrote:
> Hmm looks there's a problem with the install then. Is this a fresh install or upgrade from an earlier version, as the clamd info in virus.scanners.conf has been present for quite a few releases now.
>

It's a fresh install.

I have two machines running Mailscanner. The first uses the version 4.57.6 while the second one uses 4.66.5.
Both show the warnings in the log file.

From martinh at solidstatelogic.com Fri Feb 15 11:48:06 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 11:48:25 2008
Subject: Mailscanner warnings
In-Reply-To: <47B579E6.8090602@gmail.com>
Message-ID: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com>

> It's a fresh install.
>
> I have two machines running Mailscanner. The first uses the version 4.57.6
> while the second one uses 4.66.5.
> Both show the warnings in the log file.
>

Hmm what does virus.scanners.conf say for the clamd line??

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Fri Feb 15 11:56:28 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 11:56:44 2008
Subject: Mailscanner warnings
In-Reply-To: <47B579E6.8090602@gmail.com>
Message-ID:

Also

The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From glenn.steen at gmail.com Fri Feb 15 11:59:00 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 15 11:59:11 2008
Subject: Mailscanner generated duplicate message
In-Reply-To:
References:
Message-ID: <223f97700802150359p23a75cb5o8edbfe1d44ab459e@mail.gmail.com>

On 15/02/2008, Mark Sapiro wrote:
> Mark Sapiro wrote:
>
> >Julian Field wrote:
> >>
> >>I have just released a new beta 4.67.4 to attempt to fix this problem.
> >>It's very awkward to find, as it only occurs on busy systems. I have
> >>found a possible reason and have fixed that.
> >>
> >>Please can you give this new version a try and let me know if it helps
> >>solve the duplication problem at all.
> >
> >
> >I will try to install this beta within the next few days and set "Max
> >Children = 5" again and see what happens.
> >
>
> I'm ahead of schedule. I've just installed the 4.67.4 beta and set Max
> Children = 5.
>
> I'll be monitoring my logs for dups. I'll post my findings to the list.
>

Thanks a bundle, Mark!
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 15 12:00:48 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 12:00:58 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <27966505.151203075183846.JavaMail.root@office.splatnix.net> References: <17712783.121203072761250.JavaMail.root@office.splatnix.net> <27966505.151203075183846.JavaMail.root@office.splatnix.net> Message-ID: <223f97700802150400o254ab926u43fa48c247bb26ae@mail.gmail.com> On 15/02/2008, --[ UxBoD ]-- wrote: > What I think is happening is that due to the message body not being there, MS is getting itself into a loop trying to read to the end of the file. > > still does not answer why the body is not being extracted :( > > > Regards, > Have you enabled any milters in PF lately? Like ... dkim-milter?:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From alxfrag at gmail.com Fri Feb 15 12:08:54 2008 From: alxfrag at gmail.com (AlxFrag) Date: Fri Feb 15 12:08:59 2008 Subject: Mailscanner warnings In-Reply-To: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com> References: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com> Message-ID: <47B580D6.7040609@gmail.com> Martin.Hepworth wrote: >> Martin.Hepworth wrote: >> >> >> >> >> >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of AlxFrag >> Sent: 15 February 2008 11:12 >> To: MailScanner discussion >> Subject: Re: Mailscanner warnings >> >> Martin.Hepworth wrote: >> >> Ah there you go.. >> >> Change the Virus Scanners to >> >> Virus Scanners = clamd >> >> And make sure the clamd settings are sensible further >> down the file. 
>> >> -- >> Martin Hepworth >> Snr Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of >> AlxFrag >> Sent: 15 February 2008 10:43 >> To: MailScanner discussion >> Subject: Re: Mailscanner warnings >> >> --[ UxBoD ]-- wrote: >> >> >> would you please run the MailScanner --lint >> >> it will either be in /usr/sbin or >> /usr/local/bin and >> both should be in >> >> >> your path anyway. >> >> >> Regards, >> >> >> >> >> Read 817 hostnames from the phishing whitelist >> MailScanner setting GID to (1002) >> MailScanner setting UID to (1004) >> >> Checking for SpamAssassin errors (if you use >> it)... >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> config: SpamAssassin failed to parse line, >> "/usr/bin/pyzor" is >> not valid >> for "pyzor_path", skipping: pyzor_path >> /usr/bin/pyzor >> bayes: cannot open bayes databases >> /etc/MailScanner/bayes/bayes_* R/O: >> tie failed: Permission denied >> bayes: cannot open bayes databases >> /etc/MailScanner/bayes/bayes_* R/O: >> tie failed: Permission denied >> bayes: cannot open bayes databases >> /etc/MailScanner/bayes/bayes_* R/O: >> tie failed: Permission denied >> SpamAssassin reported an error. >> Using locktype = flock >> MailScanner.conf says "Virus Scanners = clamav" >> Found these virus scanners installed: clamav >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> >> >> This gives the error: >> >> Feb 15 12:58:25 hermes MailScanner[6535]: Virus scanner >> "clamd" not found >> in virus.scanners.conf file. Please check your spelling in >> "Virus Scanners >> =" line of MailScanner.conf >> >> >> It must be clamd running because in etc/local/clamd.conf i >> have: >> >> LocalSocket /tmp/clamd >> >> Also, if i type ps -A i get: >> >> 2319 ? 
00:36:32 clamd >> >> Regards >> >> >> Hmm looks there's a problem with the install then. Is this a fresh >> install or upgrade from an earlier version, as the clamd info in >> virus.scanners.conf has been present for quite a few releases now. >> >> -- >> Martin Hepworth >> >> it's fresh install. >> >> I have two machines running Mailscanner. The first uses the version 4.57.6 >> while the second one uses 4.66.5. >> Both show the warnings in the log file. >> >> >> >> > > > Hmm what does virus.scanners.conf say for the clamd line?? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > It says: clamav /usr/lib/MailScanner/clamav-wrapper /usr/local clamd /bin/false /usr/local and, in /usr/lib/MailScanner/clamav-wrapper I have: ClamScan=$1/bin/clamdscan From uxbod at splatnix.net Fri Feb 15 12:11:37 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 12:11:50 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <5132374.01203077446935.JavaMail.root@office.splatnix.net> Message-ID: <26498669.21203077497039.JavaMail.root@office.splatnix.net> yes :) but I have also disabled them Glenn ;) Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Glenn Steen" wrote: > On 15/02/2008, --[ UxBoD ]-- wrote: From glenn.steen at gmail.com Fri Feb 15 12:15:17 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 12:15:27 2008 Subject: Mailscanner warnings In-Reply-To: References: <47B579E6.8090602@gmail.com> Message-ID: <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> On 15/02/2008, Martin.Hepworth wrote: > Also > > The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61.. > Not to mention that no facility of MailScanner would ever run the clamd _command_ ... Not whatsoever.
What seems to have happened here is that someone has followed a botched instruction on enabling clamdscan support by futzing the clamav-* wrapper scripts. This of course hasn't worked, since clamd is the server part, not the client. This would explain the bogus log entries on both hosts. What Alex should do is to follow the spirit of the wiki article http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd to get things going on the newer install (4.66.5 was it?), and upgrade the other one to a version later than 4.62.something (just as you say Martin), and do the same there. Only other really viable option would be to run clamavmodule on the old one. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Fri Feb 15 12:17:17 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 12:18:20 2008 Subject: Mailscanner warnings In-Reply-To: <47B580D6.7040609@gmail.com> Message-ID: <23138316.51203077837747.JavaMail.root@office.splatnix.net> what does type clamd show ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "AlxFrag" wrote: > Martin.Hepworth wrote: > > > > Martin.Hepworth wrote: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
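Added example, not part of any message in this thread and not MailScanner's own code: a Python check for the two conditions discussed in the "Mailscanner warnings" messages above, namely a scanner named on the "Virus Scanners =" line that has no line in virus.scanners.conf, and a clamav-wrapper whose ClamScan= has been pointed at clamdscan. The file contents are constructed from the values quoted in the thread; the function names and the assumption that scanner names are separated by whitespace or commas belong to this example.

```python
import re

# Constructed excerpts, modelled on the values quoted in the thread.
MAILSCANNER_CONF = """\
# constructed excerpt of MailScanner.conf
Virus Scanning = yes
Virus Scanners = clamd
"""

VIRUS_SCANNERS_CONF = """\
# constructed excerpt: name, wrapper, install directory
clamav\t/usr/lib/MailScanner/clamav-wrapper\t/usr/local
clamd\t/bin/false\t/usr/local
"""

CLAMAV_WRAPPER = """\
#!/bin/sh
# constructed excerpt of the edited wrapper script
ClamScan=$1/bin/clamdscan
"""


def configured_scanners(conf_text):
    """Return the names on the last 'Virus Scanners =' line."""
    names = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        match = re.match(r"(?i)virus\s+scanners\s*=\s*(.*)$", line)
        if match:
            # Assumption: names are separated by whitespace or commas.
            names = re.split(r"[\s,]+", match.group(1).strip())
    return [name for name in names if name]


def defined_scanners(scanners_text):
    """Map each scanner name in virus.scanners.conf to its wrapper path."""
    table = {}
    for line in scanners_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1]
    return table


def wrapper_calls_clamdscan(wrapper_text):
    """True when the wrapper's ClamScan= assignment ends in /clamdscan."""
    match = re.search(r"^\s*ClamScan=(\S+)", wrapper_text, re.MULTILINE)
    return bool(match) and match.group(1).rstrip("\"'").endswith("/clamdscan")


def audit(conf_text, scanners_text, wrapper_text):
    """Return a list of human-readable findings (empty when nothing is off)."""
    findings = []
    defined = defined_scanners(scanners_text)
    for name in configured_scanners(conf_text):
        if name not in defined:
            # This is the situation behind the logged
            # 'Virus scanner "clamd" not found in virus.scanners.conf file'.
            findings.append(
                "'%s' is named in Virus Scanners but has no line in "
                "virus.scanners.conf" % name
            )
    if wrapper_calls_clamdscan(wrapper_text):
        findings.append(
            "clamav-wrapper sets ClamScan to clamdscan; the thread calls "
            "this edit unsupported and recommends the clamd scanner instead"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(MAILSCANNER_CONF, VIRUS_SCANNERS_CONF, CLAMAV_WRAPPER):
        print("WARNING:", finding)
```

Point the three arguments of audit() at the real file contents to run the same check on a live host.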
From glenn.steen at gmail.com Fri Feb 15 12:21:15 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 12:21:25 2008 Subject: Mailscanner warnings In-Reply-To: <47B580D6.7040609@gmail.com> References: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com> <47B580D6.7040609@gmail.com> Message-ID: <223f97700802150421q1db3beafv512da14a40308fac@mail.gmail.com> On 15/02/2008, AlxFrag wrote: > (snip) > > It says: > > clamav /usr/lib/MailScanner/clamav-wrapper > /usr/local > clamd /bin/false > /usr/local > > > > and , in /usr/lib/MailScanner/clamav-wrapper i have: > > ClamScan=$1/bin/clamdscan > > That is _not_ the recommended and supported way of using clamd in MailScanner. You will pay an unnecessary fork/exec penalty for this, compared to the very nice direct call thing Rick Cooper implemented. The reason to not use clamavmodule (mainly, apart from some possible build issues) and use Rick's clamd thing instead is that the individual MS child memory footprint is decreased (using clamd)... Since clamavmodule will have to load the signatures into every child. Please undo those mods and look at implementing clamd the right way instead;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 15 12:24:48 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 12:24:58 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <26498669.21203077497039.JavaMail.root@office.splatnix.net> References: <5132374.01203077446935.JavaMail.root@office.splatnix.net> <26498669.21203077497039.JavaMail.root@office.splatnix.net> Message-ID: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> On 15/02/2008, --[ UxBoD ]-- wrote: > yes :) but I have also disabled them Glenn ;) > > > Regards, > Are there p records present in any of the queue files? Could you send me a sample? You just might have hit a bug in my p record handling ... 
which just might get very confused by a broken file in the body part... If that got broken _after_ ReadQf is done verifying it, but _before_ the body gets read/written to the new file. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From alxfrag at gmail.com Fri Feb 15 12:35:03 2008 From: alxfrag at gmail.com (AlxFrag) Date: Fri Feb 15 12:35:02 2008 Subject: Mailscanner warnings In-Reply-To: <223f97700802150421q1db3beafv512da14a40308fac@mail.gmail.com> References: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com> <47B580D6.7040609@gmail.com> <223f97700802150421q1db3beafv512da14a40308fac@mail.gmail.com> Message-ID: <47B586F7.2030504@gmail.com> Glenn Steen wrote: > On 15/02/2008, AlxFrag wrote: > > (snip) > >> It says: >> >> clamav /usr/lib/MailScanner/clamav-wrapper >> /usr/local >> clamd /bin/false >> /usr/local >> >> >> >> and , in /usr/lib/MailScanner/clamav-wrapper i have: >> >> ClamScan=$1/bin/clamdscan >> >> >> > That is _not_ the recommended and supported way of using clamd in > MailScanner. You will pay an unnecessary fork/exec penalty for this, > compared to the very nice direct call thing Rick Cooper implemented. > The reason to not use clamavmodule (mainly, apart from some possible > build issues) and use Rick's clamd thing instead is that the > individual MS child memory footprint is decreased (using clamd)... > Since clamavmodule will have to load the signatures into every child. > > Please undo those mods and look at implementing clamd the right way instead;-). > > Cheers > ok thank you! -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/edf8ce56/attachment.html From uxbod at splatnix.net Fri Feb 15 12:51:35 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 12:52:05 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> Message-ID: <6021038.81203079895743.JavaMail.root@office.splatnix.net> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Glenn Steen" wrote: > On 15/02/2008, --[ UxBoD ]-- wrote: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Fri Feb 15 13:44:17 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 13:44:27 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <6021038.81203079895743.JavaMail.root@office.splatnix.net> References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> Message-ID: <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> On 15/02/2008, --[ UxBoD ]-- wrote: > yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. > > > Regards, > Phew, another suspected p record problem bites the dust! Good, since I'm seriously out of time, if I'm to be able go downhill skiing next week:-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Fri Feb 15 19:13:29 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 15 19:13:50 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> Message-ID: on 2/15/2008 5:44 AM Glenn Steen spake the following: > On 15/02/2008, --[ UxBoD ]-- wrote: >> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. >> >> >> Regards, >> > Phew, another suspected p record problem bites the dust! Good, since > I'm seriously out of time, if I'm to be able go downhill skiing next > week:-). > > Cheers Hopefully, you don't "bite the dust" like last year when you broke your leg! ;-P Safe trip!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/aa3095e7/signature.bin From glenn.steen at gmail.com Fri Feb 15 22:09:26 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 22:09:36 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> Message-ID: <223f97700802151409y2651590eg5132e1b4ef80b837@mail.gmail.com> On 15/02/2008, Scott Silva wrote: > on 2/15/2008 5:44 AM Glenn Steen spake the following: > > On 15/02/2008, --[ UxBoD ]-- wrote: > >> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. > >> > >> > >> Regards, > >> > > Phew, another suspected p record problem bites the dust! Good, since > > I'm seriously out of time, if I'm to be able go downhill skiing next > > week:-). > > > > Cheers > Hopefully, you don't "bite the dust" like last year when you broke your leg! ;-P > Safe trip!! > Ehm, two years ago.... and that was riding the kids bob-like-sleigh (classic STIGA snow racer, for those in the know:-). Have "bitten the dust" numerous times in the past, downhill skiing, never so much as sprained a finger....:-). So it should be safe....:-) But thanks for the thought Scott!
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Fri Feb 15 23:08:53 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 15 23:09:21 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <223f97700802151409y2651590eg5132e1b4ef80b837@mail.gmail.com> References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> <223f97700802151409y2651590eg5132e1b4ef80b837@mail.gmail.com> Message-ID: on 2/15/2008 2:09 PM Glenn Steen spake the following: > On 15/02/2008, Scott Silva wrote: >> on 2/15/2008 5:44 AM Glenn Steen spake the following: >>> On 15/02/2008, --[ UxBoD ]-- wrote: >>>> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. >>>> >>>> >>>> Regards, >>>> >>> Phew, another suspected p record problem bites the dust! Good, since >>> I'm seriously out of time, if I'm to be able go downhill skiing next >>> week:-). >>> >>> Cheers >> Hopefully, you don't "bite the dust" like last year when you broke your leg! ;-P >> Safe trip!! >> > Ehm, two years ago.... and that was riding the kids bob-like-sleigh > (classic STIGA snow racer, for those in the know:-). Have "bitten the > dust" numerous times in the past, downhill skiing, never so much as > sprained a finger....:-). So it should be safe....:-) > But thanks for the thought Scott! > > Cheers How time flies when you are having fun! Seems like just last winter. I guess the memory is the second thing to go ... can't seem to recollect the first! ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/4c2d4f70/signature.bin From glenn.steen at gmail.com Fri Feb 15 23:53:56 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 23:54:07 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> <223f97700802151409y2651590eg5132e1b4ef80b837@mail.gmail.com> Message-ID: <223f97700802151553v153dd18fr5e2f4b960d645fb0@mail.gmail.com> On 16/02/2008, Scott Silva wrote: > on 2/15/2008 2:09 PM Glenn Steen spake the following: > > On 15/02/2008, Scott Silva wrote: > >> on 2/15/2008 5:44 AM Glenn Steen spake the following: > >>> On 15/02/2008, --[ UxBoD ]-- wrote: > >>>> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. > >>>> > >>>> > >>>> Regards, > >>>> > >>> Phew, another suspected p record problem bites the dust! Good, since > >>> I'm seriously out of time, if I'm to be able go downhill skiing next > >>> week:-). > >>> > >>> Cheers > >> Hopefully, you don't "bite the dust" like last year when you broke your leg! ;-P > >> Safe trip!! > >> > > Ehm, two years ago.... and that was riding the kids bob-like-sleigh > > (classic STIGA snow racer, for those in the know:-). Have "bitten the > > dust" numerous times in the past, downhill skiing, never so much as > > sprained a finger....:-). So it should be safe....:-) > > But thanks for the thought Scott! > > > > Cheers > How time flies when you are having fun! > Seems like just last winter. :-) Time flies...:-) > I guess the memory is the second thing to go ... can't seem to recollect the > first! ;-) What was that.... eh.... I think I agree... 
Can't remember why though...:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Feb 16 00:02:20 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 16 00:02:30 2008 Subject: Question for the Experts In-Reply-To: <3275845634303952132@unknownmsgid> References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu> <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com> <3275845634303952132@unknownmsgid> Message-ID: <223f97700802151602w7c9d1c83oc4c3bdeb93194d90@mail.gmail.com> On 15/02/2008, Kevin MURPHY wrote: > Hi Everyone > > Thanks for so many replies. It's the first time I have used this list and > its really great to see how the community helps each other. > Glen - I have tried that access file REJECT , but it rejects all mail even > from server > > To:domain.com REJECT [IP Address of Server B] RELAY > > ----- Transcript of session follows ----- > ... while talking to serverA: > >>> DATA > <<< 553 5.3.0 ... REJECT[IPADDRESS SERVER B]RELAY > 550 5.1.1 ... User unknown > <<< 503 5.0.0 Need RCPT (recipient) > > Regards > > Kevin > Hm, I think you did that wrong somehow...;) I got a friendly nudge from our old friend Noel (Res... Well, he's my friend anyway:-), who told me basically: ---- Quote To:exmaple.net REJECT [IP.of.server.B] RELAY --------------------------- All he needs is the first line, his relaying ip range should already be in relay-domains file, which takes the local IP range as well as non forging domain names. /etc/mail/access has not been the recommended way to relay for local stuff for some years :) ---- /Quote Which just go to show exactly how rusty my rendmaul... eh, sendmail... skills are:-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mark at msapiro.net Sat Feb 16 06:55:46 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sat Feb 16 06:56:03 2008 Subject: 4.67.4 beta syntax warning - /etc/MailScanner/filename.rules.conf Message-ID: Since installing MailScanner 4.67.4 beta yesterday, I have been seeing this warning in my maillog every time a child starts. MailScanner[26148]: Possible syntax error on line 33 of /etc/MailScanner/filename.rules.conf Line 33 in the file is: allow \.x\d+\.rel$ - - The 'problem' appears to be that on line 33, the whitespace following 'allow' is *3, whereas the front matter says # NOTE: Fields are separated by TAB characters --- Important! I changed it to and the warnings went away. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From glenn.steen at gmail.com Sat Feb 16 09:57:52 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 16 09:58:02 2008 Subject: 4.67.4 beta syntax warning - /etc/MailScanner/filename.rules.conf In-Reply-To: References: Message-ID: <223f97700802160157m126d8694kc0fde3cc35780a64@mail.gmail.com> On 16/02/2008, Mark Sapiro wrote: > Since installing MailScanner 4.67.4 beta yesterday, I have been seeing > this warning in my maillog every time a child starts. > > MailScanner[26148]: Possible syntax error on line 33 of > /etc/MailScanner/filename.rules.conf > > Line 33 in the file is: > > allow \.x\d+\.rel$ - - > > The 'problem' appears to be that on line 33, the whitespace following > 'allow' is *3, whereas the front matter says > > # NOTE: Fields are separated by TAB characters --- Important! > > I changed it to and the warnings went away. > Exactly right.... Even the sun (Jules) seems to have spots....:-):-) I know it is a short-ish test period, but ... any dups? 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mark at msapiro.net Sat Feb 16 15:45:13 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sat Feb 16 15:45:24 2008 Subject: Duplicate Messages - was: 4.67.4 beta syntax warning -/etc/MailScanner/filename.rules.conf In-Reply-To: <223f97700802160157m126d8694kc0fde3cc35780a64@mail.gmail.com> Message-ID: Glenn Steen wrote: >On 16/02/2008, Mark Sapiro wrote: >> >> I changed it to and the warnings went away. >> >Exactly right.... Even the sun (Jules) seems to have spots....:-):-) >I know it is a short-ish test period, but ... any dups? Yes, it is short, but so far, so good. No dups to date. Previously, with similar settings, I never went more than two days without at least one dup, so it's promising. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From MailScanner at ecs.soton.ac.uk Sat Feb 16 16:40:05 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Feb 16 16:40:37 2008 Subject: 4.67.4 beta syntax warning - /etc/MailScanner/filename.rules.conf In-Reply-To: References: Message-ID: <47B711E5.2080004@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Well spotted! Fixed for the next release. Mark Sapiro wrote: > Since installing MailScanner 4.67.4 beta yesterday, I have been seeing > this warning in my maillog every time a child starts. > > MailScanner[26148]: Possible syntax error on line 33 of > /etc/MailScanner/filename.rules.conf > > Line 33 in the file is: > > allow \.x\d+\.rel$ - - > > The 'problem' appears to be that on line 33, the whitespace following > 'allow' is *3, whereas the front matter says > > # NOTE: Fields are separated by TAB characters --- Important! > > I changed it to and the warnings went away.
> > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHtxHvEfZZRxQVtlQRAv84AJ4hNJp0FfuUv9hwAGJZjbDMurn2uQCgugYM RGGW4eOLNLD8x845+GmmsLo= =X4nf -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Sat Feb 16 19:26:46 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Feb 16 19:27:05 2008 Subject: Question for the Experts In-Reply-To: <223f97700802151602w7c9d1c83oc4c3bdeb93194d90@mail.gmail.com> References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu> <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com> <3275845634303952132@unknownmsgid> <223f97700802151602w7c9d1c83oc4c3bdeb93194d90@mail.gmail.com> Message-ID: on 2/15/2008 4:02 PM Glenn Steen spake the following: > On 15/02/2008, Kevin MURPHY wrote: >> Hi Everyone >> >> Thanks for so many replies. It's the first time I have used this list and >> its really great to see how the community helps each other. >> Glen - I have tried that access file REJECT , but it rejects all mail even >> from server >> >> To:domain.com REJECT [IP Address of Server B] RELAY >> >> ----- Transcript of session follows ----- >> ... while talking to serverA: >>>>> DATA >> <<< 553 5.3.0 ... REJECT[IPADDRESS SERVER B]RELAY >> 550 5.1.1 ... 
User unknown >> <<< 503 5.0.0 Need RCPT (recipient) >> >> Regards >> >> Kevin >> > Hm, I think you did that wrong somehow...;) > > I got a friendly nudge from our old friend Noel (Res... Well, he's my > friend anyway:-), who told me basically: > ---- Quote > To:exmaple.net REJECT > [IP.of.server.B] RELAY > I would call Noel a friend also. I know he is watching, but staying silent since the "incident". I gotta dig in my inbox and find his address and say hi! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080216/6b8b5cf4/signature.bin From garry at glendown.de Sat Feb 16 19:27:33 2008 From: garry at glendown.de (Garry) Date: Sat Feb 16 19:27:44 2008 Subject: Archive as mqueue files? Message-ID: <47B73925.1080301@glendown.de> In order to test some rules and stuff with a fixed set of mails, I was wondering: Is it possible to automatically archive all incoming mail messages as mqueue files with some settings of MailScanner, or do I need to hack something myself? Tnx, -garry From shuttlebox at gmail.com Sat Feb 16 20:05:56 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Sat Feb 16 20:06:05 2008 Subject: Archive as mqueue files? In-Reply-To: <47B73925.1080301@glendown.de> References: <47B73925.1080301@glendown.de> Message-ID: <625385e30802161205n169a72b5y1493001b6f2a3a99@mail.gmail.com> On Feb 16, 2008 8:27 PM, Garry wrote: > In order to test some rules and stuff with a fixed set of mails, I was > wondering: Is it possible to automatically archive all incoming mail > messages as mqueue files with some settings of MailScanner, or do I need > to hack something myself? Look at "Archive Mail" in MailScanner.conf. 
;-) -- /peter From glenn.steen at gmail.com Sat Feb 16 20:59:26 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 16 20:59:36 2008 Subject: Question for the Experts In-Reply-To: References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu> <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com> <3275845634303952132@unknownmsgid> <223f97700802151602w7c9d1c83oc4c3bdeb93194d90@mail.gmail.com> Message-ID: <223f97700802161259m4db4126bga334e08075330f4f@mail.gmail.com> On 16/02/2008, Scott Silva wrote: > on 2/15/2008 4:02 PM Glenn Steen spake the following: > > On 15/02/2008, Kevin MURPHY wrote: > >> Hi Everyone > >> > >> Thanks for so many replies. It's the first time I have used this list and > >> its really great to see how the community helps each other. > >> Glen - I have tried that access file REJECT , but it rejects all mail even > >> from server > >> > >> To:domain.com REJECT [IP Address of Server B] RELAY > >> > >> ----- Transcript of session follows ----- > >> ... while talking to serverA: > >>>>> DATA > >> <<< 553 5.3.0 ... REJECT[IPADDRESS SERVER B]RELAY > >> 550 5.1.1 ... User unknown > >> <<< 503 5.0.0 Need RCPT (recipient) > >> > >> Regards > >> > >> Kevin > >> > > Hm, I think you did that wrong somehow...;) > > > > I got a friendly nudge from our old friend Noel (Res... Well, he's my > > friend anyway:-), who told me basically: > > ---- Quote > > To:exmaple.net REJECT > > [IP.of.server.B] RELAY > > > I would call Noel a friend also. I know he is watching, but staying silent > since the "incident". > I gotta dig in my inbox and find his address and say hi! > Bug me off-list and I'll dig out a few:-). One need not be a genius to reconstruct the "secret" one... the one that doesn't block everything:-):-). Am busy packing, might be able to get it to you tomorrow evening (when I'm in the mountains.... Yohooo!!!:-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From garry at glendown.de Sat Feb 16 21:14:08 2008 From: garry at glendown.de (Garry) Date: Sat Feb 16 21:14:18 2008 Subject: Archive as mqueue files? In-Reply-To: <625385e30802161205n169a72b5y1493001b6f2a3a99@mail.gmail.com> References: <47B73925.1080301@glendown.de> <625385e30802161205n169a72b5y1493001b6f2a3a99@mail.gmail.com> Message-ID: <47B75220.40800@glendown.de> shuttlebox wrote: > Look at "Archive Mail" in MailScanner.conf. ;-) > Tnx, I saw the mbox-line in the comments, and assumed it only created those types of files ... just tried, looks good ... -gg From hvdkooij at vanderkooij.org Sun Feb 17 10:07:59 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Feb 17 10:08:08 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 Message-ID: <47B8077F.90004@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I upgraded MailScanner 4.66.5 and it now bugs me with the Perl IO thing: **** ERROR: You must upgrade your perl IO module to at least **** ERROR: version 1.2301 or MailScanner will not work! But if I try to recompile the module provided by Jules I get bogged down with: RPM build errors: ~ Installed (but unpackaged) file(s) found: ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/.packlist ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod So it seems the package provided is not clean. 
And the package from rpmforge seems to conflict with perl itself: Transaction Check Error: ~ file /usr/share/man/man3/IO.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Dir.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::File.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Handle.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Pipe.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Poll.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Seekable.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Select.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket::INET.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket::UNIX.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 For the moment I have to bypass MailScanner in postfix to make it work. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? 
Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuAd9BvzDRVjxmYERAimAAJ4mvu2pEoRNrh9b/7708HckmDUbTACfeAto v6T2V0XldyLQ8d4hJPMIQWI= =myyX -----END PGP SIGNATURE----- From uxbod at splatnix.net Sun Feb 17 10:22:24 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Sun Feb 17 10:22:49 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B8077F.90004@vanderkooij.org> Message-ID: <68713.31203243744239.JavaMail.root@office.splatnix.net> ----- "Hugo van der Kooij" wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I upgraded MailScanner 4.66.5 and it now bugs me with the Perl IO thing: **** ERROR: You must upgrade your perl IO module to at least **** ERROR: version 1.2301 or MailScanner will not work! But if I try to recompile the module provided by Jules I get bogged down with: RPM build errors: ~ Installed (but unpackaged) file(s) found: ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/.packlist ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod So it seems the package provided is not clean. 
And the package from rpmforge seems to conflict with perl itself: Transaction Check Error: ~ file /usr/share/man/man3/IO.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Dir.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::File.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Handle.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Pipe.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Poll.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Seekable.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Select.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket::INET.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket::UNIX.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 For the moment I have to bypass MailScanner in postfix to make it work. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? 
Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuAd9BvzDRVjxmYERAimAAJ4mvu2pEoRNrh9b/7708HckmDUbTACfeAto v6T2V0XldyLQ8d4hJPMIQWI= =myyX -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! What does rpm -qa | grep -i socket show ? I have just built to CentOS 5.1 servers with both latest stable and beta without any problems. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Feb 17 10:35:00 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Feb 17 10:35:24 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B8077F.90004@vanderkooij.org> References: <47B8077F.90004@vanderkooij.org> Message-ID: <47B80DD4.2050609@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 How did you upgrade? Did you run install.sh? Hugo van der Kooij wrote: > * PGP Signed by an unverified key: 02/17/08 at 10:07:57 > > Hi, > > I upgraded MailScanner 4.66.5 and it now bugs me with the Perl IO thing: > > **** ERROR: You must upgrade your perl IO module to at least > **** ERROR: version 1.2301 or MailScanner will not work! 
> > But if I try to recompile the module provided by Jules I get bogged down > with: > > RPM build errors: > ~ Installed (but unpackaged) file(s) found: > ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/.packlist > ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod > > So it seems the package provided is not clean. > > And the package from rpmforge seems to conflict with perl itself: > > Transaction Check Error: > ~ file /usr/share/man/man3/IO.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Dir.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::File.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Handle.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Pipe.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Poll.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Seekable.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Select.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Socket.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Socket::INET.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Socket::UNIX.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file 
from package > perl-5.8.8-10.el5_0.2 > > For the moment I have to bypass MailScanner in postfix to make it work. > > Hugo > > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > * Hugo van der Kooij > * 0x58F19981 - Unverified(L) > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-15 wj8DBQFHuA3WEfZZRxQVtlQRAsE6AKCjdZpev/XgIJtSAh0HQemtJUVBAgCfSavi X+Sz5A71e1LBwLoSq1oACUY= =w5va -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Sun Feb 17 10:51:02 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Feb 17 10:51:13 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B80DD4.2050609@ecs.soton.ac.uk> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> Message-ID: <47B81196.8060104@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: | How did you upgrade? | Did you run install.sh? I upgraded the packages through yum and installed the MailScanner RPM with rpm -Uvh manually. I do not use that script as I have found that I do not wish to screw up yet another system with the --force option. I have paid too high a price to accept that option ever again with rpm. 
And to answer the other question: ]# rpm -qa | grep -i socket perl-Socket6-0.19-3.fc6 perl-IO-Socket-INET6-2.51-2.fc6 perl-IO-Socket-SSL-1.12-1.el5.rf The only thing left untested is to take the source RPM of MailScanner 4.67.4 and rebuild it. But I do not think it will make that much of a difference. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation.]# rpm -qa | grep -i socket perl-Socket6-0.19-3.fc6 perl-IO-Socket-INET6-2.51-2.fc6 perl-IO-Socket-SSL-1.12-1.el5.rf >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuBGVBvzDRVjxmYERAifuAJ44pWH3qnwnB7koA/X0rhn7eWXj4ACfXGi1 /eD97kPiauDFudNFq2jhdtA= =lucT -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sun Feb 17 11:14:24 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Feb 17 11:14:34 2008 Subject: Bounce increase Message-ID: <47B81710.5020909@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I seem to have an increase in bounces from content scanners that seem to fully ignore my SPF record and resend garbage. I have not yet identified the system that is doing this but I have seen it in various places like ISP's and educational institutions. Does someone recognize the system using these unwanted bounces? It looks a tid bit like a Barracuda but those can be easily identified by the sheer number of added headers in the bounces and the fact that the reference code in these messages is not at all present. I guess it is a postfix + amavisd + ...... setup. What I get back looks something like: BANNED CONTENTS ALERT Our content checker found ~ banned name: multipart/mixed | application/octet-stream,.zip,file.zip | ~ .exe,.exe-ms,file.htm ... 
.pif in email presumably from you to the following recipient: - -> admissions@aquinas.edu Our internal reference code for your message is 64027-04/eRk+KEAvTGY2 First upstream SMTP client IP address: [211.5.2.75] nm01omta06.auone-net.jp According to a 'Received:' trace, the message originated at: [220.217.50.1], ~ vanderkooij.org ([220.217.50.1]) Return-Path: Message-ID: <200802110849565173190001MAC9@nm01mta.auone-net.jp> Subject: Delivery reports about your e-mail Delivery of the email was stopped! The message has been blocked because it contains a component (as a MIME part or nested within) with declared name or MIME type or contents type violating our access policy. To transfer contents that may be considered risky or unwanted by site policies, or simply too large for mailing, please consider publishing your content on the web, and only sending an URL of the document to the recipient. Depending on the recipient and sender site policies, with a little effort it might still be possible to send any contents (including viruses) using one of the following methods: - - encrypted using pgp, gpg or other encryption methods; - - wrapped in a password-protected or scrambled container or archive ~ (e.g.: zip -e, arj -g, arc g, rar -p, or other methods) Note that if the contents is not intended to be secret, the encryption key or password may be included in the same message for recipient's convenience. We are sorry for inconvenience if the contents was not malicious. The purpose of these restrictions is to cut the most common propagation methods used by viruses and other malware. These often exploit automatic mechanisms and security holes in more popular mail readers (Microsoft mail readers and browsers are a common target). By requiring an explicit and decisive action from the recipient to decode mail, the danger of automatic malware propagation is largely reduced. 
Reporting-MTA: dns; fir.aquinas.edu Received-From-MTA: smtp; fir.aquinas.edu ([127.0.0.1]) Arrival-Date: Mon, 11 Feb 2008 03:49:59 -0500 (EST) Original-Recipient: rfc822;admissions@aquinas.edu Final-Recipient: rfc822;admissions@aquinas.edu Action: failed Status: 5.7.1 Diagnostic-Code: smtp; 554-5.7.1 Rejected, id=64027-04 - BANNED: ~ 554-5.7.1 multipart/mixed | application/octet-stream,.zip,file.zip | ~ 554 5.7.1 .exe,.exe-ms,file.htm ... Last-Attempt-Date: Mon, 11 Feb 2008 03:49:59 -0500 (EST) Return-Path: Received: from nm01omta06.auone-net.jp (nm01omta06.auone-net.jp [211.5.2.75]) by fir.aquinas.edu (Postfix) with SMTP id 1CB832618AF for ; Mon, 11 Feb 2008 03:49:57 -0500 (EST) Received: from nm01omta06.auone-net.jp ([211.5.2.75]) by nm01omta06.auone-net.jp ~ via smtpd (for fir.aquinas.edu [198.110.245.41]) with ESMTP; Mon, 11 Feb 2008 03:49:57 -0500 Received: from vanderkooij.org ([220.217.50.1]) by nm01mta.auone-net.jp id <20080211174956503.MAC9.819B608@nm01mta.auone-net.jp>; Mon, 11 Feb 2008 17:49:56 +0900 From: hugo@vanderkooij.org To: admissions@aquinas.edu Subject: Delivery reports about your e-mail Date: Mon, 11 Feb 2008 17:49:06 +0900 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_7D574C9E.4731B847" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-ID: <200802110849565173190001MAC9@nm01mta.auone-net.jp> - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuBcOBvzDRVjxmYERAm9xAKCjUQHN5D+afmp09lllxuTyQ3ZFPwCgjj0p S0bWsslEgw3aY2n0fz9rcHE= =qQg+ -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Sun Feb 17 11:14:47 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Feb 17 11:15:13 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B81196.8060104@vanderkooij.org> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> Message-ID: <47B81727.5020104@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > * PGP Signed by an unverified key: 02/17/08 at 10:51:01 > > Julian Field wrote: > | How did you upgrade? > | Did you run install.sh? > > I upgraded the packages through yum and installed the MailScanner RPM > with rpm -Uvh manually. > > I do not use that script as I have found that I do not wish to screw up > yet another system with the --force option. I have paid too high a price > to accept that option ever again with rpm. It's just that my install.sh script writes a .rpmmacros file for you that stops all the RPM build errors you were seeing. If you do it all yourself, sorry, but don't expect too much sympathy :-) Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-15 wj8DBQFHuBcrEfZZRxQVtlQRAhPnAJkB/WBRNqj5jN/LvRd5JhaT84mLeQCeP8tV J/52tt4OOK7mbjDp3kz5wCk= =T7aT -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From hvdkooij at vanderkooij.org Sun Feb 17 11:53:30 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Feb 17 11:53:39 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B81727.5020104@ecs.soton.ac.uk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk>
Message-ID: <47B8203A.9000205@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
|
|
| Hugo van der Kooij wrote:
|> * PGP Signed by an unverified key: 02/17/08 at 10:51:01
|
|> Julian Field wrote:
|> | How did you upgrade?
|> | Did you run install.sh?
|
|> I upgraded the packages through yum and installed the MailScanner RPM
|> with rpm -Uvh manually.
|
|> I do not use that script as I have found that I do not wish to screw up
|> yet another system with the --force option. I have paid too high a price
|> to accept that option ever again with rpm.
| It's just that my install.sh script writes a .rpmmacros file for you
| that stops all the RPM build errors you were seeing. If you do it all
| yourself, sorry, but don't expect too much sympathy :-)

Why is there a requirement for Perl IO of this version?

If I go over the mailing list messages from the past months I see people reporting installing perl-MailTools 2.02 via yum and not listing perl-IO as a requirement.

It seems you needed a specific perl-IO version to get perl-MailTools working but why does MailScanner insist on using that version of perl-IO?

I will see if a small modification of the MailScanner program will fix this dependency issue.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHuCA4BvzDRVjxmYERAoIxAJ0eyprQ4+v9KPOmIGlDHD/K/XoudACfdUUw
kpYB607tR7o7UDWDmv7xKVw=
=gDpW
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Feb 17 12:34:21 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Feb 17 12:34:49 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B81727.5020104@ecs.soton.ac.uk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk>
Message-ID: <47B829CD.70400@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
|
|
| Hugo van der Kooij wrote:
|> * PGP Signed by an unverified key: 02/17/08 at 10:51:01
|
|> Julian Field wrote:
|> | How did you upgrade?
|> | Did you run install.sh?
|
|> I upgraded the packages through yum and installed the MailScanner RPM
|> with rpm -Uvh manually.
|
|> I do not use that script as I have found that I do not wish to screw up
|> yet another system with the --force option. I have paid too high a price
|> to accept that option ever again with rpm.
| It's just that my install.sh script writes a .rpmmacros file for you
| that stops all the RPM build errors you were seeing. If you do it all
| yourself, sorry, but don't expect too much sympathy :-)

I disabled the specific check in MailScanner as a test and MailScanner works just fine from what I can tell. I am currently doing a full set of tests.

I cannot find specifically what did not work without this perl IO module in the past months. Can anyone remember that bit of information?

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuCnLBvzDRVjxmYERAsb+AKC3qAWOJWhVsJicq1hjfd4X9qtaOQCdHB1h XjI3AX34yEjwHGbPlgDGVzs= =ph1C -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Sun Feb 17 14:33:14 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Feb 17 14:33:41 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B829CD.70400@vanderkooij.org> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> Message-ID: <47B845AA.8060803@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > * PGP Signed by an unverified key: 02/17/08 at 12:34:19 > > Julian Field wrote: > | > | > | Hugo van der Kooij wrote: > |> > Old Signed by an unverified key: 02/17/08 at 10:51:01 > | > |> Julian Field wrote: > |> | How did you upgrade? > |> | Did you run install.sh? > | > |> I upgraded the packages through yum and installed the MailScanner RPM > |> with rpm -Uvh manually. > | > |> I do not use that script as I have found that I do not wish to > screw up > |> yet another system with the --force option. I have paid too high a > price > |> to accept that option ever again with rpm. > | It's just that my install.sh script writes a .rpmmacros file for you > | that stops all the RPM build errors you were seeing. If you do it all > | yourself, sorry, but don't expect too much sympathy :-) > > I disabled the specific check in MailScanner as a test and MailScanner > works just fine from what I can tell. I am currently doing a full set of > tests. I always go by what the modules say they need as pre-requisites, not what happens to appear to work. There may be some nasty edge case that you haven't tested. Have you any suggestions for how to avoid this problem entirely? One possibility is to use CPAN to install the modules that I otherwise have to --force. 
But that still totally screws with the RPM installation of Perl itself, it just does it in a way that is hidden from 'perl -MCPAN' :-(

One other possibility is to muck with the installation setup of each of my required Perl modules, so that they are always installed in the "site" tree which should be out of the way of CPAN and RPM. Not sure how easy it is to do that though. Any thoughts?

>
> I cannot find specifically what did not work without this perl IO module
> in the past months. Can anyone remember that bit of information?

Sorry, I have had a good look. When I upgraded some other Perl module, it must have complained that it needed an even newer version of the IO module than shipped with RedHat 5 or CentOS 5, as that's what I build on.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-15

wj8DBQFHuEWtEfZZRxQVtlQRAnkvAJ9zrQZwagQleV3kxPdDfe3P5Qd7fACfXKYX
8tlBaOVSIDaJVKA8LZwbF+M=
=6JMP
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
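An added example for the perl IO version check discussed in this thread (not code from MailScanner or from any of the posters): Perl's require loads the first matching file along @INC, so this script lists every installed copy of a module, marks the one that is actually loaded, and tests it against a minimum version. The defaults IO and 1.2301 come from the error message quoted in the thread; the script name in the usage comment is an assumption.

```perl
#!/usr/bin/perl
# Added example (not MailScanner code): show every copy of a module along
# @INC, which copy "require" really loads, and whether it meets a minimum.
# Usage (script name is an assumption): perl which-module.pl IO 1.2301
use strict;
use warnings;
use File::Spec;
use ExtUtils::MakeMaker ();    # supplies MM->parse_version()

my $module  = shift @ARGV || 'IO';        # module named in the thread
my $minimum = shift @ARGV || '1.2301';    # minimum from the quoted error

$module =~ /\A\w+(?:::\w+)*\z/ or die "not a module name: $module\n";
(my $relpath = "$module.pm") =~ s{::}{/}g;

# Plain decimal versions only; anything else (v1.2.3, 1.23_01) yields undef.
sub decimal {
    my ($v) = @_;
    return (defined $v && $v =~ /\A\d+(?:\.\d+)?\z/) ? $v + 0 : undef;
}

# Walk @INC in order, as require does, and record each copy found.
my @copies;
for my $dir (@INC) {
    next if ref $dir;                     # skip code-ref hooks in @INC
    my $file = File::Spec->catfile($dir, $relpath);
    next unless -f $file;
    push @copies, { file => $file, version => MM->parse_version($file) };
}
die "$module is not installed anywhere in \@INC\n" unless @copies;

# require stops at the first match, so only the first copy can be loaded.
for my $i (0 .. $#copies) {
    printf "%-9s %-10s %s\n",
        ($i == 0 ? 'LOADED' : 'shadowed'),
        $copies[$i]{version},
        $copies[$i]{file};
}

# Cross-check against what perl itself does when asked to load the module.
eval { require $relpath; 1 } or die "cannot load $module: $@";
my $loaded_version = $module->VERSION;
$loaded_version = 'undef' unless defined $loaded_version;
print "\nperl loaded $INC{$relpath} (version $loaded_version)\n";

# VERSION($minimum) dies when the loaded copy is older than the minimum.
my $ok = eval { $module->VERSION($minimum); 1 };
print $ok
    ? "OK: $module $loaded_version satisfies >= $minimum\n"
    : "FAIL: $module $loaded_version is older than $minimum\n";

# Flag a newer copy that sits later in @INC and is therefore never used.
my $have = decimal($loaded_version);
for my $c (@copies[1 .. $#copies]) {
    my $other = decimal($c->{version});
    next unless defined $have && defined $other && $other > $have;
    print "NOTE: newer $module $c->{version} at $c->{file} ",
          "is shadowed by an earlier \@INC entry\n";
}

exit($ok ? 0 : 1);
```

Run it as the user MailScanner runs as, since PERLLIB or PERL5LIB in that user's environment changes @INC and therefore the result.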
From shuttlebox at gmail.com Sun Feb 17 15:25:59 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Sun Feb 17 15:26:07 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B845AA.8060803@ecs.soton.ac.uk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk>
Message-ID: <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com>

On Feb 17, 2008 3:33 PM, Julian Field wrote:
> One other possibility is to muck with the installation setup of each of
> my required Perl modules, so that they are always installed in the
> "site" tree which should be out of the way of CPAN and RPM. Not sure how
> easy it is to do that though. Any thoughts?

I've been dealing with this on Solaris and even though I packaged an IO 1.2301 module it used the older one from within Perl itself, it only searches the INC until it finds a match, it doesn't go through the whole INC and uses the latest module if there are more than one match. I had to use PERLLIB in a few places and didn't like it so I haven't officially released a 4.66 Blastwave package. Instead I have asked the maintainer of Perl to update the included IO which hasn't happened yet. :-(

--
/peter

From hvdkooij at vanderkooij.org Sun Feb 17 16:16:04 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Feb 17 16:16:50 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com>
Message-ID: <47B85DC4.5090106@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

shuttlebox wrote:
| On Feb 17, 2008 3:33 PM, Julian Field wrote:
|> One other possibility is to muck with the installation setup of each of
|> my required Perl modules, so that they are always installed in the
|> "site" tree which should be out of the way of CPAN and RPM. Not sure how
|> easy it is to do that though. Any thoughts?
|
| I've been dealing with this on Solaris and even though I packaged an IO
| 1.2301 module it used the older one from within Perl itself, it only
| searches the INC until it finds a match, it doesn't go through the
| whole INC and uses the latest module if there are more than one match.
| I had to use PERLLIB in a few places and didn't like it so I haven't
| officially released a 4.66 Blastwave package. Instead I have asked the
| maintainer of Perl to update the included IO which hasn't happened
| yet. :-(

In the case of the RPM version we need to find a way to add the files without hitting the one from the main perl package. The rpmforge package does not hit a conflict on any regular files. Just on the manual pages.

If these are properly marked as documentation we just might get away with it .... .... ..

Right. First try to install it with yum. That will fail but download the package anyway.
Then install it without the documentation:

rpm -Uvh /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm --excludedocs

That installs the required package with an acceptable kludge. It does satisfy my wish to avoid the --force option.

I am not familiar enough with the Solaris package manager to see if a similar trick might work.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHuF3CBvzDRVjxmYERAkokAJ9x7Ad+kj0KHlHeIkOK2rKiuDfxvACfTGVM
tt53JdP0th+ZLMz7ZLTP8dE=
=2DCf
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Sun Feb 17 17:20:49 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Feb 17 17:21:21 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B85DC4.5090106@vanderkooij.org>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> <47B85DC4.5090106@vanderkooij.org>
Message-ID: <47B86CF1.4010307@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hugo van der Kooij wrote:
> * PGP Signed by an unverified key: 02/17/08 at 16:16:02
>
> shuttlebox wrote:
> | On Feb 17, 2008 3:33 PM, Julian Field
> wrote:
> |> One other possibility is to muck with the installation setup of
> each of
> |> my required Perl modules, so that they are always installed in the
> |> "site" tree which should be out of the way of CPAN and RPM. Not
> sure how
> |> easy it is to do that though. Any thoughts?
> |
> | I've been dealing with this on Solaris and even though I packaged an IO
> | 1.2301 module it used the older one from within Perl itself, it only
> | searches the INC until it finds a match, it doesn't go through the
> | whole INC and uses the latest module if there are more than one match.
> | I had to use PERLLIB in a few places and didn't like it so I haven't
> | officially released a 4.66 Blastwave package. Instead I have asked the
> | maintainer of Perl to update the included IO which hasn't happened
> | yet. :-(
>
> In the case of the RPM version we need to find a way to add the files
> without hitting the one from the main perl package. The rpmforge package
> does not hit a conflict on any regular files. Just on the manual pages.
>
> If these are properly marked as documentation we just might get away
> with it .... .... ..
>
> Right. First try to install it with yum. That will fail but download the
> package anyway. Then install it without the documentation:
>
> rpm -Uvh
> /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm
> --excludedocs
>
> That installs the required package with an acceptable kludge. It does
> satisfy my wish to avoid the --force option.

Slight snag. This package was put together by someone who doesn't actually understand what they are doing. They have got round the clashing file problems by putting it into the "vendorperl" instead of "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl". So the nice new version you just installed isn't actually used at all.

To prove it to yourself... Try editing the code in the file (e.g. put a syntax error in it), and then run this command. It should fail as there is a syntax error in IO.pm which is where the perl-IO rpm is installed.

perl -MIO -e 'print $IO::VERSION;'

You'll find it still works perfectly, as it isn't using the version you just installed from dag.wieers.com. Oops.
If it was that easy, I would have done it years ago :-) Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHuGz6EfZZRxQVtlQRArKSAKDa2BOWeEjYiU9jTmn10ex3qgczgQCfeR/z NmKfmtGv+e1ZTeuH6dHTjSw= =Fxg7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Mon Feb 18 01:05:48 2008 From: mark at msapiro.net (Mark Sapiro) Date: Mon Feb 18 01:06:21 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802150359p23a75cb5o8edbfe1d44ab459e@mail.gmail.com> Message-ID: Glenn Steen wrote: >On 15/02/2008, Mark Sapiro wrote: >> >> I'm ahead of schedule. I've just installed the 4.67.4 beta and set Max >> Children = 5. >> >> I'll be monitoring my logs for dups. I'll post my findings to the list. >> >Thanks a bundle, Mark! I'm sorry to report that the 4.67.4 beta does not fix my duplicate messages issue. I had two instances of duplication yesterday. 
Here are the relevant maillog messages Feb 16 07:59:28 sbh16 postfix/smtpd[955]: F031D69069E: client=sbh36.songbird.com[72.52.113.36] Feb 16 07:59:29 sbh16 postfix/cleanup[1036]: F031D69069E: hold: header Received: from dunelt.abriz.net (sbh36.songbird.com [72.52.113.36])??(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by sbh16.songbird.com (Postfix) wit from sbh36.songbird.com[72.52.113.36]; from=<> to= proto=ESMTP helo= Feb 16 07:59:29 sbh16 postfix/cleanup[1036]: F031D69069E: message-id=<20080216155928.6B2C113D4E@dunelt.abriz.net> Feb 16 07:59:29 sbh16 MailScanner[31863]: Requeue: F031D69069E.49A74 to 285CE6906A1 Feb 16 07:59:29 sbh16 MailScanner[31854]: Requeue: F031D69069E.D2AE4 to 699CE6906A7 Feb 16 15:04:19 sbh16 postfix/smtpd[6268]: 7DCF56905E8: client=localhost.localdomain[127.0.0.1] Feb 16 15:04:19 sbh16 postfix/cleanup[6444]: 7DCF56905E8: hold: header Received: from sbh16.songbird.com (localhost.localdomain [127.0.0.1])??by sbh16.songbird.com (Postfix) with ESMTP id 7DCF56905E8??for ; Sat, 16 Feb 2008 15:04:19 -0800 (PST) from localhost.localdomain[127.0.0.1]; from= to= proto=ESMTP helo= Feb 16 15:04:19 sbh16 postfix/cleanup[6444]: 7DCF56905E8: message-id=<380-2200826162342984@earthlink.net> Feb 16 15:04:20 sbh16 MailScanner[5770]: Requeue: 7DCF56905E8.50E16 to CE37369060E Feb 16 15:04:20 sbh16 MailScanner[5655]: Requeue: 7DCF56905E8.B1910 to 5BC9169070D For the time being, I have gone back to Max Children = 1 in MailScanner.conf. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan

From rohitb at netcore.co.in Mon Feb 18 09:12:38 2008
From: rohitb at netcore.co.in (Rohitb)
Date: Mon Feb 18 09:14:19 2008
Subject: MailScanner process defunct on scanning attachments
Message-ID: <20080218144238.8rwkcyxuokscc4s0@192.168.2.1>

Hi
I have been having a problem with MailScanner for the last 3-4 weeks: the
MailScanner process goes defunct and stops processing mails. On checking
with the ps command it shows the output below. Is anybody else facing the
same issue?

ps aux|grep Mail
root     13170  0.0  0.0   8748   1288 pts/3    S+   14:09   0:00 /bin/sh /sbin/service MailScanner restart
root     13177  0.0  0.0  10972   1448 pts/3    S+   14:09   0:00 /bin/bash /etc/init.d/MailScanner restart
root     13192  0.0  0.0  10976   1520 pts/3    S+   14:09   0:00 /bin/bash /etc/init.d/MailScanner stop
root     13220  0.0  0.0   5980    576 pts/1    S+   14:09   0:00 grep Mail
postfix  30690  0.0  0.4  97600  19172 ?        Ds   09:02   0:00 MailScanner: killing children, bwahaha!
postfix  30691  2.4  3.5 316392 142740 ?        S    09:02   7:34 MailScanner: compressing attachments
postfix  30716 26.8  2.3 334060  94956 ?        S    09:02  82:22 MailScanner: compressing attachments
postfix  30728 16.9  3.3 324112 134868 ?        S    09:02  51:54 MailScanner: compressing attachments
postfix  30735  8.1  1.9 323708  79160 ?        S    09:02  25:09 MailScanner: compressing attachments
postfix  30748  7.0  1.5 323932  63212 ?        S    09:02  21:39 MailScanner: compressing attachments
postfix  30763  0.1  0.5 315404  23524 ?        S    09:02   0:19 MailScanner: compressing attachments
postfix  30802 16.7  2.6 320368 106572 ?        S    09:02  51:16 MailScanner: compressing attachments
postfix  30835  0.1  2.1 315476  88060 ?        S    09:02   0:19 MailScanner: compressing attachments
postfix  30852  6.3  2.5 319344 103124 ?        S    09:02  19:19 MailScanner: compressing attachments
postfix  30897  2.1  1.5 316372  64164 ?        S    09:03   6:36 MailScanner: compressing attachments
postfix  30963  7.8  2.6 327264 105916 ?        S    09:03  24:06 MailScanner: compressing attachments
postfix  30999 16.3  2.4 328536 100172 ?        S    09:03  50:14 MailScanner: compressing attachments
postfix  31038 16.6  2.0 328620  84392 ?        S    09:03  50:56 MailScanner: compressing attachments
postfix  31157  7.9  1.8 329416  76784 ?        S    09:03  24:22 MailScanner: compressing attachments
postfix  31172  1.9  1.9 321068  80544 ?        S    09:03   6:05 MailScanner: compressing attachments
postfix  31207  1.6  1.8 321244  75668 ?        S    09:03   5:10 MailScanner: compressing attachments
postfix  31227  2.0  4.4 316196 179244 ?        S    09:03   6:20 MailScanner: compressing attachments

[root@secure6 ~]# ps aux|grep Mail
root     13170  0.0  0.0   8748   1288 pts/3    S+   14:09   0:00 /bin/sh /sbin/service MailScanner restart
root     13177  0.0  0.0  10976   1456 pts/3    S+   14:09   0:00 /bin/bash /etc/init.d/MailScanner restart
root     13278  0.0  0.0   5980    576 pts/1    S+   14:09   0:00 grep Mail
postfix  30690  0.0  0.5  97600  24212 ?        Ds   09:02   0:00 MailScanner: killing children, bwahaha!
postfix  30691  2.4  0.0      0      0 ?        Z    09:02   7:34 [MailScanner]
postfix  30716 26.8  0.0      0      0 ?        Z    09:02  82:23 [MailScanner]
postfix  30728 16.8  0.0      0      0 ?        Z    09:02  51:54 [MailScanner]
postfix  30735  8.1  0.0      0      0 ?        Z    09:02  25:10 [MailScanner]
postfix  30748  7.0  0.0      0      0 ?        Z    09:02  21:39 [MailScanner]
postfix  30763  0.1  0.5 315404  24148 ?        D    09:02   0:19 MailScanner: compressing attachments
postfix  30802 16.7  0.0      0      0 ?        Z    09:02  51:17 [MailScanner]
postfix  30835  0.1  2.1 315476  88752 ?        D    09:02   0:19 MailScanner: compressing attachments
postfix  30852  6.3  0.0      0      0 ?        Z    09:02  19:19 [MailScanner]
postfix  30897  2.1  0.0      0      0 ?        Z    09:03   6:36 [MailScanner]
postfix  30963  7.8  0.0      0      0 ?        Z    09:03  24:06 [MailScanner]
postfix  30999 16.3  0.0      0      0 ?        Z    09:03  50:14 [MailScanner]
postfix  31038 16.6  0.0      0      0 ?        Z    09:03  50:56 [MailScanner]
postfix  31157  7.9  0.0      0      0 ?        Z    09:03  24:22 [MailScanner]
postfix  31172  1.9  2.1 321068  88448 ?        D    09:03   6:05 MailScanner: compressing attachments
postfix  31207  1.6  2.1 321244  86440 ?        D    09:03   5:10 MailScanner: compressing attachments
postfix  31227  2.0  0.0      0      0 ?        Z    09:03   6:20 [MailScanner]

Regards
Rohit Baisakhiya

From uxbod at splatnix.net Mon Feb 18 09:32:18 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Feb 18 09:32:46 2008
Subject: MailScanner process defunct on scanning attachments
In-Reply-To: <20080218144238.8rwkcyxuokscc4s0@192.168.2.1>
Message-ID: <28306377.121203327138185.JavaMail.root@office.splatnix.net>

Anything in your logfiles? What happens if you run MS in debug mode?

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From Andrew.Chester at ukuvuma.co.za Mon Feb 18 09:34:37 2008
From: Andrew.Chester at ukuvuma.co.za (Andrew Chester)
Date: Mon Feb 18 09:42:48 2008
Subject: HTML/Newsletters being received as unreadable code
Message-ID:

Hi All

We have recently implemented MailScanner in a mail gateway of ours, and
since then about 4 random emails have come through as unreadable code.
The emails seem to be HTML based, be it newsletters that have been
subscribed to or confirmation of flight details to a user, and seem to be
random.
The code looks like the following (obviously different for each mail):

Does anyone know what the problem for the above is and how to solve it?

Another problem has come up where with an email that a user has received,
the subject line was removed completely. The email is a newsletter which
is received daily, and the problem has never occurred before using
MailScanner. Any ideas on this?

The system we are running is as follows:
OS - FreeBSD 6.3
MTA - Postfix 2.4.6
MailScanner 4.64.3

Any help will be greatly appreciated, thanks.

From martinh at solidstatelogic.com Mon Feb 18 09:44:16 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Feb 18 09:44:26 2008
Subject: MailScanner process defunct on scanning attachments
In-Reply-To: <20080218144238.8rwkcyxuokscc4s0@192.168.2.1>
Message-ID: <49128710df3e134d9893e1df437b5baf@solidstatelogic.com>

Also

What version of MailScanner?

MailScanner -V

Output as well..

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From lhaig at haigmail.com Mon Feb 18 10:45:04 2008
From: lhaig at haigmail.com (Lance Haig)
Date: Mon Feb 18 10:45:12 2008
Subject: List of perl modules required for a MailScanner install?
Message-ID: <47B961B0.1040800@haigmail.com>

Hi,

Does anyone have a list of all the modules and programs needed for a
MailScanner install?

I can't use Julian's install script on my system.

Regards

Lance

From rohitb at netcore.co.in Mon Feb 18 11:30:24 2008
From: rohitb at netcore.co.in (Rohitb)
Date: Mon Feb 18 11:30:41 2008
Subject: MailScanner process defunct on scanning attachments
In-Reply-To: <28306377.121203327138185.JavaMail.root@office.splatnix.net>
References: <28306377.121203327138185.JavaMail.root@office.splatnix.net>
Message-ID: <20080218170024.pey1nrku0w04kcgg@192.168.2.1>

I am running MailScanner version 4.64.3, I don't see anything unusual in
the logs. Will try to run it in debug mode and send the output once done.
I tried lint; it did not show any warnings or errors.

Rohit

Quoting "--[ UxBoD ]--" :

> Anything in your logfiles? What happens if you run MS in debug mode?

From MailScanner at ecs.soton.ac.uk Mon Feb 18 11:32:02 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 18 11:32:56 2008
Subject: List of perl modules required for a MailScanner install?
In-Reply-To: <47B961B0.1040800@haigmail.com>
References: <47B961B0.1040800@haigmail.com>
Message-ID: <47B96CB2.4080607@ecs.soton.ac.uk>

There's a great big table in the install.sh script, that contains all
the information you need.

Lance Haig wrote:
> Hi,
>
> Does anyone have a list of all the modules and programs needed for a
> MailScanner install?
>
> I can't use Julian's install script on my system.
>
> Regards
>
> Lance
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ajcartmell at fonant.com Mon Feb 18 11:44:22 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Mon Feb 18 11:44:43 2008
Subject: List of perl modules required for a MailScanner install?
In-Reply-To: <47B961B0.1040800@haigmail.com>
References: <47B961B0.1040800@haigmail.com>
Message-ID:

> Does anyone have a list of all the modules and programs needed for a
> MailScanner install?
From a minimal FC8 server installation, I needed to install a few rpms
using yum to install MailScanner with Julian's script:

# yum install rpm-build
# yum install perl-devel
# yum install perl-Test-Simple

Since perl-Test-Simple is included with MailScanner, might it be possible
to remove the requirement for that (and save having problems with yum
trying to update it) if it's listed earlier in the MailScanner install.sh?

The other two requirements seem pretty basic, and probably don't need to
be included with MailScanner.

FWIW I found what was required by looking for "not found" error messages
when installing MailScanner, and then using "yum provides" on those files.

HTH,

Anthony
-- 
www.fonant.com - Quality web sites

From lhaig at haigmail.com Mon Feb 18 11:55:09 2008
From: lhaig at haigmail.com (Lance Haig)
Date: Mon Feb 18 11:55:19 2008
Subject: List of perl modules required for a MailScanner install?
In-Reply-To: <47B96CB2.4080607@ecs.soton.ac.uk>
References: <47B961B0.1040800@haigmail.com> <47B96CB2.4080607@ecs.soton.ac.uk>
Message-ID: <47B9721D.20502@haigmail.com>

Julian Field wrote:
> There's a great big table in the install.sh script, that contains all
> the information you need.
>
> Lance Haig wrote:
>> Hi,
>
>> Does anyone have a list of all the modules and programs needed for a
>> MailScanner install?
>
>> I can't use Julian's install script on my system.
>
>> Regards
>
>> Lance
>
>
> Jules
>

Hi Julian,

Thank you. I will go RTFM :-)

Lance

From tgc at statsbiblioteket.dk Mon Feb 18 13:21:31 2008
From: tgc at statsbiblioteket.dk (Tom G. Christensen)
Date: Mon Feb 18 13:21:41 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B86CF1.4010307@ecs.soton.ac.uk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk>
	<47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk>
	<47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk>
	<625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com>
	<47B85DC4.5090106@vanderkooij.org> <47B86CF1.4010307@ecs.soton.ac.uk>
Message-ID: <47B9865B.2040400@statsbiblioteket.dk>

Julian Field wrote:
>
> Hugo van der Kooij wrote:
>> * PGP Signed by an unverified key: 02/17/08 at 16:16:02
>>
>> shuttlebox wrote:
>> | On Feb 17, 2008 3:33 PM, Julian Field wrote:
>> |> One other possibility is to much with the installation setup of each of
>> |> my required Perl modules, so that they are always installed in the
>> |> "site" tree which should be out of the way of CPAN and RPM. Not sure how
>> |> easy it is to do that though. Any thoughts?
>> |
>> | I've been dealing with this on Solaris and even though I packaged a IO
>> | 1.2301 module it used the older one from within Perl itself, it only
>> | searches the INC until it finds a match, it doesn't go through the
>> | whole INC and uses the latest module if there are more than one match.
>> | I had to use PERLLIB in a few places and didn't like it so I haven't
>> | officially released a 4.66 Blastwave package. Instead I have asked the
>> | maintainer of Perl to update the included IO which haven't happened
>> | yet. :-(
>>
>> In the case of the RPM version we need to find a way to add the files
>> without hitting the one from the main perl package. The rpmforge package
>> does not hit a conflict on any regular files. Just on the manual pages.
>>
>> If these are properly marked as documentation we just might get away
>> with it .... .... ..
>>
>> Right. First try to install it with yum. That will fail but download the
>> package anyway. Then install it without the documentation:
>>
>> rpm -Uvh /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm --excludedocs
>>
>> That installs the required package with an acceptable kludge. It does
>> satisfy my wish to avoid the --force option.
> Slight snag. This package was put together by someone who doesn't
> actually understand what they are doing. They have got round the
> clashing file problems by putting it into the "vendorperl" instead of
> "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl".
>
Careful now. Dag is well aware of this issue and has stated many times
that there is no good solution for RHEL < 5.
On rhel5 however this is no longer an issue:

$ cat /etc/redhat-release
CentOS release 5 (Final)
$ perl -V
Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Built under linux
  Compiled at Nov 8 2007 06:49:16
  @INC:
    /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.8
    /usr/lib/perl5/site_perl/5.8.7
    /usr/lib/perl5/site_perl/5.8.6
    /usr/lib/perl5/site_perl/5.8.5
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.8
    /usr/lib/perl5/vendor_perl/5.8.7
    /usr/lib/perl5/vendor_perl/5.8.6
    /usr/lib/perl5/vendor_perl/5.8.5
    /usr/lib/perl5/vendor_perl
    /usr/lib/perl5/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/5.8.8
    .

See? It searches vendor_perl before the core paths.

> So the nice new version you just installed isn't actually used at all.
>
True on RHEL/CentOS < 5.

> To prove it to yourself...
> Try editing the code in the file (e.g. put a syntax error in it), and
> then run this command. It should fail as there is a syntax error in
> IO.pm which is where the perl-IO rpm is installed.
> perl -MIO -e 'print $IO::VERSION;'
> You'll find it still works perfectly, as it isn't using the version you
> just installed from dag.wieers.com.
>
> Oops.
>
> If it was that easy, I would have done it years ago :-)
>
Did you actually try this on rhel5?
To avoid egg on my face I did, here's the result:

$ cat /etc/redhat-release
CentOS release 5 (Final)
# rpm --excludedocs -i perl-IO-1.2301-1.el5.rf.i386.rpm
# rpm -q perl perl-IO
perl-5.8.8-10.el5_0.2
perl-IO-1.2301-1.el5.rf
$ perl -MIO -e 'print $IO::VERSION;'
1.23
# rpm -e perl-IO
$ perl -MIO -e 'print $IO::VERSION;'
1.22

Seems to work okay to me.

-tgc

From MailScanner at ecs.soton.ac.uk Mon Feb 18 13:43:36 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 18 13:44:16 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B9865B.2040400@statsbiblioteket.dk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk>
	<47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk>
	<47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk>
	<625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com>
	<47B85DC4.5090106@vanderkooij.org> <47B86CF1.4010307@ecs.soton.ac.uk>
	<47B9865B.2040400@statsbiblioteket.dk>
Message-ID: <47B98B88.4020606@ecs.soton.ac.uk>

Tom G. Christensen wrote:
> Julian Field wrote:
>>
>> Hugo van der Kooij wrote:
>>> * PGP Signed by an unverified key: 02/17/08 at 16:16:02
>>>
>>> shuttlebox wrote:
>>> | On Feb 17, 2008 3:33 PM, Julian Field wrote:
>>> |> One other possibility is to much with the installation setup of each of
>>> |> my required Perl modules, so that they are always installed in the
>>> |> "site" tree which should be out of the way of CPAN and RPM. Not sure how
>>> |> easy it is to do that though. Any thoughts?
>>> |
>>> | I've been dealing with this on Solaris and even though I packaged a IO
>>> | 1.2301 module it used the older one from within Perl itself, it only
>>> | searches the INC until it finds a match, it doesn't go through the
>>> | whole INC and uses the latest module if there are more than one match.
>>> | I had to use PERLLIB in a few places and didn't like it so I haven't
>>> | officially released a 4.66 Blastwave package. Instead I have asked the
>>> | maintainer of Perl to update the included IO which haven't happened
>>> | yet. :-(
>>>
>>> In the case of the RPM version we need to find a way to add the files
>>> without hitting the one from the main perl package. The rpmforge package
>>> does not hit a conflict on any regular files. Just on the manual pages.
>>>
>>> If these are properly marked as documentation we just might get away
>>> with it .... .... ..
>>>
>>> Right. First try to install it with yum. That will fail but download the
>>> package anyway. Then install it without the documentation:
>>>
>>> rpm -Uvh /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm --excludedocs
>>>
>>> That installs the required package with an acceptable kludge. It does
>>> satisfy my wish to avoid the --force option.
>> Slight snag. This package was put together by someone who doesn't
>> actually understand what they are doing. They have got round the
>> clashing file problems by putting it into the "vendorperl" instead of
>> "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl".
>>
> Careful now. Dag is well aware of this issue and has stated many times
> that there is no good solution for RHEL < 5.

But how am I supposed to produce a set of RPMs that work for RHEL4 and
RHEL5? I don't want to produce yet another different distribution.
> On rhel5 however this is nolonger an issue: > $ cat /etc/redhat-release > CentOS release 5 (Final) > $ perl -V > Summary of my perl5 (revision 5 version 8 subversion 8) configuration: > > Built under linux > Compiled at Nov 8 2007 06:49:16 > @INC: > /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.8 > /usr/lib/perl5/site_perl/5.8.7 > /usr/lib/perl5/site_perl/5.8.6 > /usr/lib/perl5/site_perl/5.8.5 > /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.8 > /usr/lib/perl5/vendor_perl/5.8.7 > /usr/lib/perl5/vendor_perl/5.8.6 > /usr/lib/perl5/vendor_perl/5.8.5 > /usr/lib/perl5/vendor_perl > /usr/lib/perl5/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/5.8.8 > . > > See? > It searches vendor_perl before the core paths. > >> So the nice new version you just installed isn't actually used at all. >> > True on RHEL/CentOS < 5. > >> To prove it to yourself... >> Try editing the code in the file (e.g. put a syntax error in it), and >> then run this command. It should fail as there is a syntax error in >> IO.pm which is where the perl-IO rpm is installed. >> perl -MIO -e 'print $IO::VERSION;' >> You'll find it still works perfectly, as it isn't using the version >> you just installed from dag.wieers.com. >> >> Oops. >> >> If it was that easy, I would have done it years ago :-) >> > Did you actually try this on rhel5? 
> > To avoid egg on my face I did, here's the result: > $ cat /etc/redhat-release > CentOS release 5 (Final) > # rpm --excludedocs -i perl-IO-1.2301-1.el5.rf.i386.rpm > # rpm -q perl perl-IO > perl-5.8.8-10.el5_0.2 > perl-IO-1.2301-1.el5.rf > $ perl -MIO -e 'print $IO::VERSION;' > 1.23 > # rpm -e perl-IO > $ perl -MIO -e 'print $IO::VERSION;' > 1.22 > > Seems to work okay to me. > > -tgc Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHuYuIEfZZRxQVtlQRAnXvAKCPhieDkT/J6VZIhnJ+Z2KfGl6GAgCeKHJL DvPZ5i5PanrrCH+WHT31XFs= =n5wg -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From tgc at statsbiblioteket.dk Mon Feb 18 14:33:05 2008 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Mon Feb 18 14:33:14 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B98B88.4020606@ecs.soton.ac.uk> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> <47B85DC4.5090106@vanderkooij.org> <47B86CF1.4010307@ecs.soton.ac.uk> <47B9865B.2040400@statsbiblioteket.dk> <47B98B88.4020606@ecs.soton.ac.uk> Message-ID: <47B99721.50106@statsbiblioteket.dk> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Tom G. 
Christensen wrote: >> Julian Field wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> Hugo van der Kooij wrote: >>>> * PGP Signed by an unverified key: 02/17/08 at 16:16:02 >>>> >>>> That installs the required package with an acceptable kludge. It does >>>> satisfy my wish to avoid the --force option. >>> Slight snag. This package was put together by someone who doesn't >>> actually understand what they are doing. They have got round the >>> clashing file problems by putting it into the "vendorperl" instead of >>> "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl". >>> >> Careful now. Dag is well aware of this issue and has stated many times >> that there is no good solution for RHEL < 5. > But how am I supposed to produce a set of RPMs that work for RHEL4 and > RHEL5? I don't want to produce yet another different distribution. > I didn't imply you did. However you asserted in no uncertain terms that Dag was not aware of this problem when the RPMforge package was created and that the package was somehow wrong. To my knowledge he is acutely aware of this issue and he very deliberately puts things in vendor_perl because putting it anywhere else makes it impossible to install the package due to file conflicts. Upgrading core perl modules on RHEL < 5 is not possible via RPM because of the INC path issue, using --force to overwrite the files from the perl package to do it is just another (even worse) kludge (though not as bad as using CPAN). You also asserted that Hugo would have a problem due to this issue, I think I've shown that he will not as he is using CentOS 5.1. -tgc From ismail at ismailozatay.net Mon Feb 18 14:33:23 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Mon Feb 18 14:33:58 2008 Subject: About archive mail Message-ID: <47B99733.4070600@ismailozatay.net> Hello everyone ; Is it possible to archive someone's outgoing e-mails into different e-mail boxes?
For example ; From: user1@domain.com user1@backup1.local user1@backup2.local From: user2@domain.com user2@backup1.local user2@backup2.local Thanks ismail From hvdkooij at vanderkooij.org Mon Feb 18 17:19:09 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Feb 18 17:19:39 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B86CF1.4010307@ecs.soton.ac.uk> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> <47B85DC4.5090106@vanderkooij.org> <47B86CF1.4010307@ecs.soton.ac.uk> Message-ID: <47B9BE0D.7070402@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: | | | Hugo van der Kooij wrote: |> * PGP Signed by an unverified key: 02/17/08 at 16:16:02 | |> shuttlebox wrote: |> | On Feb 17, 2008 3:33 PM, Julian Field |> wrote: |> |> One other possibility is to much with the installation setup of |> each of |> |> my required Perl modules, so that they are always installed in the |> |> "site" tree which should be out of the way of CPAN and RPM. Not |> sure how |> |> easy it is to do that though. Any thoughts? |> | |> | I've been dealing with this on Solaris and even though I packaged a IO |> | 1.2301 module it used the older one from within Perl itself, it only |> | searches the INC until it finds a match, it doesn't go through the |> | whole INC and uses the latest module if there are more than one match. |> | I had to use PERLLIB in a few places and didn't like it so I haven't |> | officially released a 4.66 Blastwave package. Instead I have asked the |> | maintainer of Perl to update the included IO which haven't happened |> | yet. :-( | |> In the case of the RPM version we need to find a way to add the files |> without hitting the one from the main perl package. 
The rpmforge package |> does not hit a conflict on any regular files. Just on the manual pages. | |> If these are properly markes as documentation we just might get away |> with it .... .... .. | |> Right. First try to install it with yum. That will fail but download the |> package anyway. Then install it without the documentation: | |> rpm -Uvh |> /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm |> --excludedocs | |> That installs the required package with an acceptable kludge. It does |> satisfy my wish to avoid the --force option. | Slight snag. This package was put together by someone who doesn't | actually understand what they are doing. They have got round the | clashing file problems by putting it into the "vendorperl" instead of | "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl". | | So the nice new version you just installed isn't actually used at all. | | To prove it to yourself... | Try editing the code in the file (e.g. put a syntax error in it), and | then run this command. It should fail as there is a syntax error in | IO.pm which is where the perl-IO rpm is installed. | perl -MIO -e 'print $IO::VERSION;' | You'll find it still works perfectly, as it isn't using the version you | just installed from dag.wieers.com. Let me try this. ... $ perl -MIO -e 'print $IO::VERSION."\n";' 1.23 Isn't this what I should expect? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHub4KBvzDRVjxmYERAh2ZAJoDOq2EU0QLkv+TuKzugmJMdsdVNQCfaAj7 kwrkFRlp5sVUgcxFldNALoQ= =Z3v2 -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Mon Feb 18 17:30:48 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Feb 18 17:31:43 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: References: Message-ID: <47B9C0C8.2040104@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Andrew Chester wrote: | We have recently implemented MailScanner in a mail gateway of ours, and | since then about 4 random emails have come through as unreadable code. | The emails seem to be HTML based, be it newsletters that have been | subscribed to or confirmation of flight details to a user, and seem to | be random. The code looks like the following (obviously different for | each mail): | | ]I.Jn*'?'w&]*Z+Z | ?4)4)4)4)4)4)??!?4)4)e??????? ?%?%??????4)?e???????????1?4)% ??????????????????4) | ?? ??? ???????M?4)????4)4)e????4)4)e?????????4)??????4)Q?????? | ?4)4) Sounds like a unicode message. In what language is it sent? (I guess you got plenty of options in South Africa in that regard.) Preferably we need to see the full message before and after MailScanner handles it. I guess before is out of the question but the message after might tell us a thing or two by inspecting all of the headers. Sometimes messages are sent in a broken format and that might interfere with the proper working of MailScanner or other programs. Hugo. PS: You are missing a telephone number in your message. (I read the Afrikaans disclaimer ;-) - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHucC+BvzDRVjxmYERAnoNAJ9m6c/9Mu6caJJqZrpghVxnBSdeBgCdG9QZ 5Sv9U4lCCa5ZJXA5vNPFfc4= =9Hbr -----END PGP SIGNATURE----- From mark at msapiro.net Mon Feb 18 17:39:03 2008 From: mark at msapiro.net (Mark Sapiro) Date: Mon Feb 18 17:39:17 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: References: Message-ID: <47B9C2B7.9060807@msapiro.net> Andrew Chester wrote: > > We have recently implemented MailScanner in a mail gateway of ours, and > since then about 4 random emails have come through as unreadable code. The > emails seem to HTML based, be it newsletters that have been subscribed to > or confirmation of flight details to a user, and seem to be random. The > code looks like the following (obviously different for each mail): > > ]I.Jn*'?'w&]*Z+Z > > Does anyone know what the problem for the above is and how to solve it? I am a MailScanner noob, but I know a lot about email. It looks like a character set issue of some kind, but beyond that, it is difficult to say. It would help me greatly to understand the problem if instead of posting what appears to be a copy/paste of some rendering of the message, you would post the full, raw message source. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From lukas at spritelink.net Mon Feb 18 23:06:06 2008 From: lukas at spritelink.net (Lukas Garberg) Date: Tue Feb 19 00:05:50 2008 Subject: 4.65.3-1 Segmentation fault at end of batch Message-ID: <47BA0F5E.6050409@spritelink.net> Hi list, I run a spam filter solution with three identical (cloned) servers running Linux 2.6.21.5 (Slackware 12.0) with MailScanner 4.65.3-1, postfix 2.4.6, SpamAssassin 3.2.4 & perl 5.8.8. Hardware is Pentium 4 2.6 GHz with 1 GB RAM. A 128 MB ramdisk is mounted on MailScanners incoming directory. 
I should maybe also note that all the three machines use the same SA bayes-database stored in SQL on a fourth machine. Now to the problem: _Two_ of the machines have a strange problem with MailScanner segfault:ing at the end of almost every batch; this is what a ps aux | grep MailS looks like: root@xxx:/opt# ps aux | grep MailS postfix 3462 0.0 1.9 23936 19896 ? Ss 00:22 0:00 MailScanner: starting child postfix 4467 3.8 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4475 4.2 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4484 4.4 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4490 4.9 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4493 5.6 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4503 6.5 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4508 7.6 0.0 0 0 ? Z 00:36 0:02 [MailScanner] postfix 4512 9.2 0.0 0 0 ? Z 00:36 0:02 [MailScanner] postfix 4517 12.1 0.0 0 0 ? Z 00:36 0:02 [MailScanner] postfix 4527 16.4 0.0 0 0 ? Z 00:36 0:02 [MailScanner] postfix 4533 23.8 4.8 55764 49944 ? S 00:36 0:01 MailScanner: waiting for messages postfix 4539 60.6 4.7 54828 48940 ? S 00:36 0:01 MailScanner: starting child root 4543 0.0 0.0 2004 636 pts/0 R+ 00:36 0:00 grep MailS Note that one of the three machines runs perfectly! If I run MailScanner with Debug & Debug SpamAssassin set to yes this is the end of the output of /opt/MailScanner/bin/check_MailScanner: [4843] dbg: check: is spam? 
score=13.138 required=5 [4843] dbg: check: tests=BAYES_99,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC, STOX_REPLY_TYPE,TRACKER_ID,TVD_SPACE_RATIO [4843] dbg: check: subtests=__ANY_OUTLOOK_MUA,__CT,__CTE,__CTYPE_CHARSET_QUOTED, __CT_TEXT_PLAIN,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_RCVD_TUE,__FH_HAS_XMSMAIL, __FH_HAS_XPRIORITY,__HAS_ANY_URI,__HAS_MIMEOLE,__HAS_MSGID,__HAS_MSMAIL_PRI, __HAS_RCVD,__HAS_SUBJECT,__HAS_X_MAILER,__HDR_ORDER_FTSDMCXXXX,__HELO_NO_DOMAIN, __LAST_UNTRUSTED_RELAY_NO_AUTH,__MIMEOLE_MS,__MIME_VERSION,__MISSING_REF, __MSGID_DOLLARS_MAYBE,__MSGID_DOLLARS_OK,__MSGID_OK_HEX,__MSGID_RANDY, __NONEMPTY_BODY,__NO_INR_YES_REF,__OE_MSGID_2,__OE_MUA,__RATWARE_0_TZ_DATE, __RCVD_IN_SORBS,__RCVD_IN_ZEN,__RDNS_DYNAMIC_HCC,__RDNS_DYNAMIC_IPADDR, __RDNS_INDICATOR_TYPE,__SANE_MSGID,__TOCC_EXISTS,__XM_MSOE6,__XM_MS_IN_GENERAL, __XM_OUTLOOK_EXPRESS [4843] dbg: learn: auto-learn? ham=0.1, spam=12, body-points=10.716, head-points=10.716, learned-points=4 [4843] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam /opt/MailScanner/bin/check_mailscanner: line 131: 4822 Segmentation fault $process $config I've seen a few other posts to the list with similar problems, and most answers have been bayes-related. I, at least in my case, don't find a bayes error very probable since the MailScanner successfully scans & learns all messages but the last one (Max Unscanned Messages Per Scan = 10) and everything runs smoothly on one of the threes machines, with a common bayes DB. Any ideas on how to go further into solving this problem? 
Thank you in advance, Lukas Garberg From rohitb at netcore.co.in Tue Feb 19 05:50:46 2008 From: rohitb at netcore.co.in (Rohit B) Date: Tue Feb 19 06:00:52 2008 Subject: About archive mail In-Reply-To: <47B99733.4070600@ismailozatay.net> References: <47B99733.4070600@ismailozatay.net> Message-ID: <47BA6E36.4020502@netcore.co.in> Hi Ismail You dont need MS for that, it can be archived using the watchdog function in your MTA. We do that using postfix. Ismail OZATAY wrote: > Hello everyone ; > > Is it possible to archive someone's outgoing e-mails into different > e-mail boxes? For example ; > > From: user1@domain.com user1@backup1.local user1@backup2.local > From: user2@domain.com user2@backup1.local user2@backup2.local > > Thanks > > ismail -- Regards, Rohit Baisakhiya netCORE Solutions Pvt. Ltd. http://www.netcore.co.in PH : +91 22 6662 8174 FAX : +91 22 6662 8134 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4125 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080219/6e2f0256/smime.bin From ismail at ismailozatay.net Tue Feb 19 07:25:39 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Tue Feb 19 07:26:38 2008 Subject: About archive mail In-Reply-To: <47BA6E36.4020502@netcore.co.in> References: <47B99733.4070600@ismailozatay.net> <47BA6E36.4020502@netcore.co.in> Message-ID: <47BA8473.6030506@ismailozatay.net> Hi Rohit ; Could you give an example , please? Thanks ismail > Hi Ismail > You dont need MS for that, it can be archived using the watchdog > function in your MTA. We do that using postfix. > > Ismail OZATAY wrote: >> Hello everyone ; >> >> Is it possible to archive someone's outgoing e-mails into different >> e-mail boxes? 
For example ; >> >> From: user1@domain.com user1@backup1.local user1@backup2.local >> From: user2@domain.com user2@backup1.local user2@backup2.local >> >> Thanks >> >> ismail > From alxfrag at gmail.com Tue Feb 19 09:03:35 2008 From: alxfrag at gmail.com (AlxFrag) Date: Tue Feb 19 09:03:09 2008 Subject: Mailscanner warnings In-Reply-To: <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> Message-ID: <47BA9B67.20901@gmail.com> Glenn Steen wrote: > On 15/02/2008, Martin.Hepworth wrote: > >> Also >> >> The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61.. >> >> > Not to mention that no facility of MailScanner would ever run the > clamd _command_ ... Not whatsoever. > > What seems to have happened here is that someone has followed a > botched instruction on enabling clamdscan support by futzing the > clamav-* wrapper scripts. This of course hasn't worked, since clamd is > the server part, not the client. > This would explain the bogus log entries on both hosts. > > What Alex should do is to follow the spirit of the wiki article > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd > to get things going on the newer install (4.66.5 was it?), and upgrade > the other one to a version later than 4.62.something (just as you say > Martin), and do the same there. > Only other really viable option would be to run clamavmodule on the old one. > > Cheers > Good morning, I've followed your advice and these described in http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd. I've also modified the clamav-wrapper file to its original form. Now, no warnings are displayed. The problem is that clamscan is running, which needs too much CPU. How can I switch to clamdscan? Thanks, Alex
From ram at netcore.co.in Tue Feb 19 09:23:56 2008 From: ram at netcore.co.in (ram) Date: Tue Feb 19 09:24:08 2008 Subject: How do I use 3rd party clamav signatures for spam & phishing Message-ID: <1203413036.25764.30.camel@localhost.localdomain> I would like to use 3rd party signatures available with Clamav for spam and phishing. But I assume MailScanner would mark mails caught by these as Virus, rather than spam. What do you folks recommend on a) Using such signatures for clam for large traffic servers b) Using clamav module for SA c) How do I avoid getting spams marked as virus Thanks Ram From goetz.reinicke at filmakademie.de Tue Feb 19 15:24:17 2008 From: goetz.reinicke at filmakademie.de (Götz Reinicke) Date: Tue Feb 19 15:24:33 2008 Subject: Switch from f-secure to avira - No "found ..." message in the log In-Reply-To: <18038616.151202719908924.JavaMail.root@office.splatnix.net> References: <18038616.151202719908924.JavaMail.root@office.splatnix.net> Message-ID: <47BAF4A1.8010100@filmakademie.de> Hi, --[ UxBoD ]-- wrote: > What happens if you set Virus Scanners = auto ? and then send a message with EICAR in it ? may be worth stopping MS and once you have sent the message run MailScanner --debug and see what is thrown up. Setting "Virus Scanners = auto" ends in the log message: I have found antivir clamav f-secure scanners installed, and will use them all by default. Executing "MailScanner --debug" gives this message: error (program file of AntiVir has been modified): Strange - what's going on...? :-) - Any ideas? Regards Götz -- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke@filmakademie.de Filmakademie Baden-Württemberg GmbH Mathildenstr. 20 71638 Ludwigsburg www.filmakademie.de Registered at Stuttgart District Court, HRB 205016 Chairman of the Supervisory Board: Dr.
Christoph Palmer, MdL, Minister (ret.) Managing Director: Prof. Thomas Schadt From ugob at lubik.ca Tue Feb 19 16:57:42 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Feb 19 16:58:13 2008 Subject: Mailscanner warnings In-Reply-To: <47BA9B67.20901@gmail.com> References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com> Message-ID: AlxFrag wrote: > Glenn Steen wrote: >> On 15/02/2008, Martin.Hepworth wrote: >> >>> Also >>> >>> The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61.. >>> >>> >> Not to mention that no facility of MailScanner would ever run the >> clamd _command_ ... Not whatsoever. >> >> What seems to have happened here is that someone has followed a >> botched instruction on enabling clamdscan support by futzing the >> clamav-* wrapper scripts. This of course hasn't worked, since clamd is >> the server part, not the client. >> This would explain the bogus log entries on both hosts. >> >> What Alex should do is to follow the spirit of the wiki article >> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd >> to get things going on the newer install (4.66.5 was it?), and upgrade >> the other one to a version later than 4.62.something (just as you say >> Martin), and do the same there. >> Only other really viable option would be to run clamavmodule on the old one. >> >> Cheers >> > Good morning, > > I've followed your advice and these described in > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd. > I've also modified the clamav-wrapper file to its original form. > > Now, no warnings are displayed. The problem is that clamscan is running, > which needs too much CPU. > How can I switch to clamdscan?
- make sure you're running a version of MS that supports clamd - make appropriate changes in MailScanner.conf - restart MailScanner Ugo From rpoe at plattesheriff.org Tue Feb 19 18:48:22 2008 From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Feb 19 18:49:07 2008 Subject: Spam Messages Message-ID: <47BAD011.65ED.00A2.0@plattesheriff.org> I'm getting a lot of these recently .. ( I put in the Address Removed to avoid tripping filters).. Anyone have any rules for this? ---------------------------------------------------------------------------------------- SpamAssassin (not cached, score=4.952, required 5, BAYES_60 1.00, DCC_CHECK 2.17, RCVD_IN_PBL 0.91, RCVD_IN_SORBS_DUL 0.88) Hello! I am tired tonight. I am nice girl that would like to chat with you. Email me at <> only, because I am using my friend's email to write this. I will show you some of my private pictures From uxbod at splatnix.net Tue Feb 19 18:54:14 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Feb 19 18:54:39 2008 Subject: Spam Messages In-Reply-To: <47BAD011.65ED.00A2.0@plattesheriff.org> Message-ID: <28557253.1751203447254870.JavaMail.root@office.splatnix.net> Justin Mason posted his blog again earlier on the SA list. These should help http://taint.org/2007/08/15/004348a.html Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Rob Poe" wrote: > I'm getting a lot of these recently .. ( I put in the Address Removed > to avoid tripping filters).. > > Anyone have any rules for this? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From uxbod at splatnix.net Tue Feb 19 18:54:58 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Feb 19 18:55:20 2008 Subject: Spam Messages In-Reply-To: <47BAD011.65ED.00A2.0@plattesheriff.org> Message-ID: <23493887.1781203447298960.JavaMail.root@office.splatnix.net> Can you post an example so we can run it through our own MS installations? Pastebin or a URL to the actual message ideally. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Rob Poe" wrote: > I'm getting a lot of these recently .. ( I put in the Address Removed > to avoid tripping filters).. > > Anyone have any rules for this? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Andrew.Chester at ukuvuma.co.za Tue Feb 19 19:22:21 2008 From: Andrew.Chester at ukuvuma.co.za (Andrew Chester) Date: Tue Feb 19 19:30:18 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: <47B9C2B7.9060807@msapiro.net> Message-ID: Hi The message is sent in English, with HTML coding.
The headers (of one of the mails) looks like this: "from apollo.ukuvuma.co.za ([196.46.186.99]) by domino.ukuvuma.co.za (Lotus Domino Release 7.0.2FP1) with ESMTP id 2008021918054545-356 ; Tue, 19 Feb 2008 18:05:45 +0200" "from inet01.xybanetx.co.za (unknown [196.46.184.239]) by apollo.ukuvuma.co.za (Postfix) with ESMTP id 1C4F55D26 for ; Tue, 19 Feb 2008 18:11:47 +0200 (SAST)" "from apollo.ukuvuma.co.za ([196.46.186.99]) by inet01.xybanetx.co.za (Lotus Domino Release 6.5.4FP2) with ESMTP id 2008021917413397-3560 ; Tue, 19 Feb 2008 17:41:33 +0200" "from smtp.sa.24.com (smtp.sa.24.com [196.28.152.23]) by apollo.ukuvuma.co.za (Postfix) with ESMTP id 59D655D0F for ; Tue, 19 Feb 2008 18:11:38 +0200 (SAST)" "from 24cpt-msg01.za.ds.naspers.com (Not Verified[196.28.152.25]) by smtp.sa.24.com with MailMarshal (v6,1,8,2172) id ; Tue, 19 Feb 2008 18:12:41 +0200" "from mail.kalahari.net ([196.14.118.77]) by 24cpt-msg01.za.ds.naspers.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:12:41 +0200" "from tfs91 ([196.14.118.91]) by mail.kalahari.net with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:13:04 +0200" As far as the raw message is concerned, it is exactly that which I sent previously - its the entire message. Another message received today looks like this (entire email): ]I.Jn*'?'w&idjVjz?nRKf[1I??hZ)?tjdj?6W"&WB77v&B2cF2W76vR2&VV66VBf"f'W6W2@FvW&W26FVB'FRVWgVvFWvB0&V?WfVBF&R6V P.S. Dankie Hugo ;-) Mark Sapiro Sent by: mailscanner-bounces@lists.mailscanner.info 2008/02/18 07:36 PM Please respond to MailScanner discussion To MailScanner discussion cc Subject Re: HTML/Newsletters being received as unreadable code X-Ukuvuma Solutions-MailScanner-From: mailscanner-bounces@lists.mailscanner.info X-Spam-Status: No Andrew Chester wrote: > > We have recently implemented MailScanner in a mail gateway of ours, and > since then about 4 random emails have come through as unreadable code. 
The
> emails seem to HTML based, be it newsletters that have been subscribed to
> or confirmation of flight details to a user, and seem to be random. The
> code looks like the following (obviously different for each mail):
>
> ]I.Jn*'?'w&]*Z+Z
>
> Does anyone know what the problem for the above is and how to solve it?

I am a MailScanner noob, but I know a lot about email. It looks like a
character set issue of some kind, but beyond that, it is difficult to
say. It would help me greatly to understand the problem if instead of
posting what appears to be a copy/paste of some rendering of the
message, you would post the full, raw message source.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and
dangerous content by the Ukuvuma Apollo gateway and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080219/d2d35514/attachment.html

From mark at msapiro.net Tue Feb 19 20:00:13 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Tue Feb 19 20:00:27 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
Message-ID:

Andrew Chester wrote:
>
>The message is sent in English, with HTML coding
>The headers (of one of the mails) looks like this:
>
>"from apollo.ukuvuma.co.za ([196.46.186.99]) by
>domino.ukuvuma.co.za (Lotus Domino Release 7.0.2FP1) with ESMTP
>id 2008021918054545-356 ; Tue, 19 Feb 2008 18:05:45 +0200"
>
>"from inet01.xybanetx.co.za (unknown [196.46.184.239]) by
>apollo.ukuvuma.co.za (Postfix) with ESMTP id 1C4F55D26 for
>; Tue, 19 Feb 2008 18:11:47 +0200 (SAST)"
>
>"from apollo.ukuvuma.co.za ([196.46.186.99]) by
>inet01.xybanetx.co.za (Lotus Domino Release 6.5.4FP2) with ESMTP
>id 2008021917413397-3560 ; Tue, 19 Feb 2008 17:41:33 +0200"
>
>
>"from smtp.sa.24.com (smtp.sa.24.com [196.28.152.23]) by
>apollo.ukuvuma.co.za (Postfix) with ESMTP id 59D655D0F for
>; Tue, 19 Feb 2008 18:11:38 +0200 (SAST)"
>
>
>"from 24cpt-msg01.za.ds.naspers.com (Not Verified[196.28.152.25]) by
>smtp.sa.24.com with MailMarshal (v6,1,8,2172) id ; Tue, 19
>Feb 2008 18:12:41 +0200"
>
>
>"from mail.kalahari.net ([196.14.118.77]) by 24cpt-msg01.za.ds.naspers.com
>with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:12:41 +0200"
>
>
>"from tfs91 ([196.14.118.91]) by mail.kalahari.net with Microsoft
>SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:13:04 +0200"
>
>As far as the raw message is concerned, it is exactly that which I sent
>previously - its the entire message. Another message received today looks
>like this (entire email):

You misunderstand what I am asking for. I have attached the file
Raw_email.txt to this post. That file contains the raw message to
which I am replying (the list post from you). This is the equivalent
of what I would like to see from one of your garbled messages.
You appear to be using Lotus Notes as your mailer. If I could, I would
tell you how to get what I want to see, but I have no idea how to do
this with Lotus Notes.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
Return-Path:
X-Original-To: mark@msapiro.net
Delivered-To: msapiro_mark@sbh16.songbird.com
Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by sbh16.songbird.com (Postfix) with ESMTP id A099C6905EA
    for ; Tue, 19 Feb 2008 11:34:59 -0800 (PST)
Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1])
    by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m1JJUIXZ012806;
    Tue, 19 Feb 2008 19:30:32 GMT
X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw Exp $
Received: from domino.ukuvuma.co.za (domino.ukuvuma.co.za [196.46.184.173])
    by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m1JJU8Zn012791
    for ; Tue, 19 Feb 2008 19:30:16 GMT
In-Reply-To: <47B9C2B7.9060807@msapiro.net>
To: MailScanner discussion
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.2 September 26, 2006
Message-ID:
Date: Tue, 19 Feb 2008 21:22:21 +0200
From: "Andrew Chester"
X-MIMETrack: Serialize by Router on USMR01/Server/Ukuvuma(Release 7.0.2FP1|January 10, 2007) at 02/19/2008 21:23:03,
    Serialize complete at 02/19/2008 21:23:03
Subject: Re: HTML/Newsletters being received as unreadable code
X-BeenThere: mailscanner@lists.mailscanner.info
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: MailScanner discussion
List-Id: MailScanner discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Content-Type: multipart/mixed; boundary="===============0149753535=="
Sender: mailscanner-bounces@lists.mailscanner.info
Errors-To: mailscanner-bounces@lists.mailscanner.info
X-MailScanner-ID: A099C6905EA.C069A
X-GPC-MailScanner:
Found to be clean X-GPC-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-3.599, required 5, autolearn=not spam, BAYES_00 -2.60, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_LOW -1.00, SPF_PASS -0.00) X-GPC-MailScanner-From: mailscanner-bounces@lists.mailscanner.info X-Spam-Status: No This is a multipart message in MIME format. --=_alternative 006B1BAD422573F4_= Content-Type: text/plain; charset="ISO-8859-2" Content-Transfer-Encoding: quoted-printable Hi The message is sent in English, with HTML coding.=20 The headers (of one of the mails) looks like this: "from apollo.ukuvuma.co.za ([196.46.186.99]) by=20 domino.ukuvuma.co.za (Lotus Domino Release 7.0.2FP1) with ESMTP=20 id 2008021918054545-356 ; Tue, 19 Feb 2008 18:05:45 +0200" "from inet01.xybanetx.co.za (unknown [196.46.184.239]) by=20 apollo.ukuvuma.co.za (Postfix) with ESMTP id 1C4F55D26 for=20 ; Tue, 19 Feb 2008 18:11:47 +0200 (SAST)" "from apollo.ukuvuma.co.za ([196.46.186.99]) by=20 inet01.xybanetx.co.za (Lotus Domino Release 6.5.4FP2) with ESMTP=20 id 2008021917413397-3560 ; Tue, 19 Feb 2008 17:41:33 +0200" "from smtp.sa.24.com (smtp.sa.24.com [196.28.152.23]) by=20 apollo.ukuvuma.co.za (Postfix) with ESMTP id 59D655D0F for=20 ; Tue, 19 Feb 2008 18:11:38 +0200 (SAST)" "from 24cpt-msg01.za.ds.naspers.com (Not Verified[196.28.152.25]) by=20 smtp.sa.24.com with MailMarshal (v6,1,8,2172) id ; Tue, 19=20 Feb 2008 18:12:41 +0200" "from mail.kalahari.net ([196.14.118.77]) by 24cpt-msg01.za.ds.naspers.com = with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:12:41 +0200" "from tfs91 ([196.14.118.91]) by mail.kalahari.net with Microsoft=20 SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:13:04 +0200" As far as the raw message is concerned, it is exactly that which I sent=20 previously - its the entire message. 
Another message received today looks=20 like this (entire email):=20 ]I.Jn*'?'=1Aw=16&idjVjz?n=17RKf[1I?=D9h=1AZ)?tjdj?6W"=04=16=16=17&WB=07=06= =1777v&B=062=03=03=03c=03F2=06W76=16vR=06=172=06&VV=0766=16VB=06f"=07f'W6W2= =06=16@F=16vW&W2=066FVB=06'=07FR=05VWgV=12=04=17=06=06v=17FWv=17=06=16B=060= &V?WfVB=07F=06&R=066V=16 P.S. Dankie Hugo ;-) Mark Sapiro =20 Sent by: mailscanner-bounces@lists.mailscanner.info 2008/02/18 07:36 PM Please respond to MailScanner discussion To MailScanner discussion cc Subject Re: HTML/Newsletters being received as unreadable code X-Ukuvuma Solutions-MailScanner-From:=20 mailscanner-bounces@lists.mailscanner.info X-Spam-Status: No Andrew Chester wrote: >=20 > We have recently implemented MailScanner in a mail gateway of ours, and=20 > since then about 4 random emails have come through as unreadable code.=20 The=20 > emails seem to HTML based, be it newsletters that have been subscribed=20 to=20 > or confirmation of flight details to a user, and seem to be random. The=20 > code looks like the following (obviously different for each mail): >=20 > ]I.Jn*'?'=1Aw=16&]*Z+Z >=20 > Does anyone know what the problem for the above is and how to solve it? I am a MailScanner noob, but I know a lot about email. It looks like a=20 character set issue of some kind, but beyond that, it is difficult to=20 say. It would help me greatly to understand the problem if instead of=20 posting what appears to be a copy/paste of some rendering of the=20 message, you would post the full, raw message source. --=20 Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan --=20 MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!=20 --=20 This message has been scanned for viruses and dangerous content by the Ukuvuma Apollo gateway and is believed to be clean. --=_alternative 006B1BAD422573F4_= Content-Type: text/html; charset="ISO-8859-2" Content-Transfer-Encoding: quoted-printable
--=_alternative 006B1BAD422573F4_=--
--===============0149753535==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--===============0149753535==--

From ssilva at sgvwater.com Tue Feb 19 20:19:03 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Feb 19 20:19:29 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
References:
Message-ID:

>
>
> You misunderstand what I am asking for. I have attached the file
> Raw_email.txt to this post. That file contains the raw message to
> which I am replying (the list post from you). This is the equivalent
> of what I would like to see from one of your garbled messages.
>
> You appear to be using Lotus Notes as your mailer. If I could, I would
> tell you how to get what I want to see, but I have no idea how to do
> this with Lotus Notes.
>
>
I think it is something like "View message source" or "View E-mail Message Source". Then you can copy and paste that into a new message. It has been a long time since I used Notes. Probably before IBM bought it.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080219/21da666c/signature.bin

From lhaig at haigmail.com Tue Feb 19 20:39:57 2008
From: lhaig at haigmail.com (Lance Haig)
Date: Tue Feb 19 20:40:07 2008
Subject: Debian removal and install
Message-ID: <47BB3E9D.50406@haigmail.com>

Hi,

I have tried unsuccessfully to install MailScanner on a Debian vps I have.

I first tried to use the package but that was a very old version of MS.

I then deleted all the files and tried to install the tar version but I have borked that up completely.

Is there a Debian person who has documented this process?

I have my postfix server running and it relays the mail just fine.

Thanks

Lance

From cooper at hmcnetworks.com Tue Feb 19 20:46:23 2008
From: cooper at hmcnetworks.com (Al Cooper)
Date: Tue Feb 19 20:49:08 2008
Subject: White List Not Working
Message-ID: <03c401c87338$7dacd260$79067720$@com>

MailScanner version: 4.66.5
Spamassassin version: 3.2.3

Output from spamassassin --lint:

[22373] warn: config: failed to parse line, skipping, in
"/etc/mail/spamassassin/mailscanner.cf":
/etc/MailScanner/rules/spam.whitelist.rules

I have checked the config in both Mailscanner.conf and
spam.assassin.prefs.conf and the whitelist is pointing to
/etc/MailScanner/rules/spam.whitelist.rules.

Any idea why whitelisting is not working?

Thanks,

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mikea at mikea.ath.cx Tue Feb 19 20:54:29 2008
From: mikea at mikea.ath.cx (mikea)
Date: Tue Feb 19 20:54:40 2008
Subject: White List Not Working
In-Reply-To: <03c401c87338$7dacd260$79067720$@com>
References: <03c401c87338$7dacd260$79067720$@com>
Message-ID: <20080219205428.GB83159@mikea.ath.cx>

On Tue, Feb 19, 2008 at 01:46:23PM -0700, Al Cooper wrote:
> MailScanner version: 4.66.5
> Spamassassin version: 3.2.3
>
>
> Output from spamassassin --lint:
>
>
> [22373] warn: config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
>
>
> I have checked the config in both Mailscanner.conf and
> spam.assassin.prefs.conf and the whitelist is pointing to
> /etc/MailScanner/rules/spam.whitelist.rules.
>
> Any idea why whitelisting is not working?
>
> Thanks,

It would be _most_ helpful to have the line in question available for
examination, together with indications as to whether whitespace in
the line is space(s) or tab(s).

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From cooper at hmcnetworks.com Tue Feb 19 21:07:17 2008
From: cooper at hmcnetworks.com (Al Cooper)
Date: Tue Feb 19 21:10:03 2008
Subject: White List Not Working
In-Reply-To: <20080219205428.GB83159@mikea.ath.cx>
References: <03c401c87338$7dacd260$79067720$@com> <20080219205428.GB83159@mikea.ath.cx>
Message-ID: <03cb01c8733b$694b5af0$3be210d0$@com>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mikea
Sent: Tuesday, February 19, 2008 1:54 PM
To: MailScanner discussion
Subject: Re: White List Not Working

On Tue, Feb 19, 2008 at 01:46:23PM -0700, Al Cooper wrote:
> MailScanner version: 4.66.5
> Spamassassin version: 3.2.3
>
>
> Output from spamassassin --lint:
>
>
> [22373] warn: config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
>
>
> I have checked the config in both Mailscanner.conf and
> spam.assassin.prefs.conf and the whitelist is pointing to
> /etc/MailScanner/rules/spam.whitelist.rules.
>
> Any idea why whitelisting is not working?
>
> Thanks,

It would be _most_ helpful to have the line in question available for
examination, together with indications as to whether whitespace in
the line is space(s) or tab(s).

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Hi All,

I am assuming that the "line in question" is my spam.whitelist.rules file.
I set that file back to its default setting in attempt to clear up the
error.

The spam.whitelist.rules file is below:

# If you are basing a blacklist on this then you can refer to
# a null (empty) sender address with "/^$/" as the address to match.
#
# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From: 152.78. yes
#From: 130.246. yes
FromOrTo: default no

Thanks,

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From shuttlebox at gmail.com Tue Feb 19 21:17:34 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Feb 19 21:17:46 2008
Subject: White List Not Working
In-Reply-To: <03cb01c8733b$694b5af0$3be210d0$@com>
References: <03c401c87338$7dacd260$79067720$@com> <20080219205428.GB83159@mikea.ath.cx> <03cb01c8733b$694b5af0$3be210d0$@com>
Message-ID: <625385e30802191317h319347c3v3b9bb4b5c6ee5add@mail.gmail.com>

On Feb 19, 2008 10:07 PM, Al Cooper wrote:
> I am assuming that the "line in question" is my spam.whitelist.rules file.
> I set that file back to its default setting in attempt to clear up the
> error.
>
> The spam.whitelist.rules file is below:
>
>
> # If you are basing a blacklist on this then you can refer to
> # a null (empty) sender address with "/^$/" as the address to match.
> #
> # This is where you can build a Spam WhiteList
> # Addresses matching in here, with the value
> # "yes" will never be marked as spam.
> #From: 152.78. yes
> #From: 130.246. yes
> FromOrTo: default no

Am I correct in assuming you have linked mailscanner.cf to the above
file? You can't do that, the rules files are for MailScanner, not
SpamAssassin. Remove that link to start with and it should work.

--
/peter

From jaearick at colby.edu Tue Feb 19 21:30:08 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Tue Feb 19 21:30:42 2008
Subject: Spam Messages
In-Reply-To: <47BAD011.65ED.00A2.0@plattesheriff.org>
References: <47BAD011.65ED.00A2.0@plattesheriff.org>
Message-ID:

Hi,

I put these in my spam.assassin.prefs.conf file, at the bottom:

#---added to kill chat spam, 2/15/2008
body CHAT3 /Hello! I am/
describe CHAT3 chat spam3
score CHAT3 5.0
body CHAT4 /Please rate me/
describe CHAT4 chat spam4
score CHAT4 5.0
body CHAT5 /I am nice girl/
describe CHAT5 chat spam5
score CHAT5 5.0
body CHAT6 /I have found you/
describe CHAT6 chat spam6
score CHAT6 5.0

Most are killed by CHAT3 + CHAT5 quite nicely.

Jeff Earickson
Colby College

On Tue, 19 Feb 2008, Rob Poe wrote:

> Date: Tue, 19 Feb 2008 12:48:22 -0600
> From: Rob Poe
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Spam Messages
>
> I'm getting a lot of these recently .. ( I put in the Address Removed to avoid tripping filters)..
>
> Anyone have any rules for this?
>
> ----------------------------------------------------------------------------------------
>
> SpamAssassin (not cached, score=4.952, required 5, BAYES_60 1.00,
> DCC_CHECK 2.17, RCVD_IN_PBL 0.91, RCVD_IN_SORBS_DUL 0.88)
>
> Hello! I am tired tonight. I am nice girl that would like to chat with you.
> Email me at <> only, because I am using my friend's
> email to write this. I will show you some of my private pictures
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From Denis.Beauchemin at usherbrooke.ca Tue Feb 19 21:37:03 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue Feb 19 21:38:01 2008
Subject: White List Not Working
In-Reply-To: <03c401c87338$7dacd260$79067720$@com>
References: <03c401c87338$7dacd260$79067720$@com>
Message-ID: <47BB4BFF.3050509@USherbrooke.ca>

Al Cooper a écrit :
> MailScanner version: 4.66.5
> Spamassassin version: 3.2.3
>
>
> Output from spamassassin --lint:
>
>
> [22373] warn: config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
>
>
> I have checked the config in both Mailscanner.conf and
> spam.assassin.prefs.conf and the whitelist is pointing to
> /etc/MailScanner/rules/spam.whitelist.rules.
>
> Any idea why whitelisting is not working?
>
> Thanks,
>
>
>
>

Al,

You shouldn't use MailScanner's whitelist in spam.assassin.prefs.conf.
That's what's causing your warning.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From cooper at hmcnetworks.com Tue Feb 19 21:44:38 2008
From: cooper at hmcnetworks.com (Al Cooper)
Date: Tue Feb 19 21:47:23 2008
Subject: White List Not Working
In-Reply-To: <47BB4BFF.3050509@USherbrooke.ca>
References: <03c401c87338$7dacd260$79067720$@com> <47BB4BFF.3050509@USherbrooke.ca>
Message-ID: <000a01c87340$a0e2abd0$e2a80370$@com>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin
Sent: Tuesday, February 19, 2008 2:37 PM
To: MailScanner discussion
Subject: Re: White List Not Working

Al Cooper a écrit :
> MailScanner version: 4.66.5
> Spamassassin version: 3.2.3
>
>
> Output from spamassassin --lint:
>
>
> [22373] warn: config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
>
>
> I have checked the config in both Mailscanner.conf and
> spam.assassin.prefs.conf and the whitelist is pointing to
> /etc/MailScanner/rules/spam.whitelist.rules.
>
> Any idea why whitelisting is not working?
>
> Thanks,
>
>
>
>

Al,

You shouldn't use MailScanner's whitelist in spam.assassin.prefs.conf.
That's what's causing your warning.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Thanks Denis,

That solved the problem.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From raymond at prolocation.net Tue Feb 19 22:25:55 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Tue Feb 19 22:26:12 2008
Subject: Spam Messages
In-Reply-To:
References: <47BAD011.65ED.00A2.0@plattesheriff.org>
Message-ID:

Hi!

> I put these in my spam.assassin.prefs.conf file, at the bottom:
>
> #---added to kill chat spam, 2/15/2008
> body CHAT3 /Hello! I am/
> describe CHAT3 chat spam3
> score CHAT3 5.0
> body CHAT4 /Please rate me/
> describe CHAT4 chat spam4
> score CHAT4 5.0
> body CHAT5 /I am nice girl/
> describe CHAT5 chat spam5
> score CHAT5 5.0
> body CHAT6 /I have found you/
> describe CHAT6 chat spam6
> score CHAT6 5.0
>
> Most are killed by CHAT3 + CHAT5 quite nicely.

So is a lot of regular mail. Pffff.... Be careful adding oneliners like
this and scoring it 5.

Bye,
Raymond.

From mi6 at orcon.net.nz Wed Feb 20 02:16:54 2008
From: mi6 at orcon.net.nz (Charlie)
Date: Wed Feb 20 02:17:01 2008
Subject: mailscanner restarts
Message-ID: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>

Hi,

I was just wondering if there is a setting I can change so that Mailscanner only restarts every 24 hours? It is taking too long to start up and everyone's emails are queuing up for too long as a result.

Also, Mailscanner is taking at least 8-10 minutes to start up on my box. It is a Pentium 4, 2.4GHz, with 1GB RAM. Is this an abnormally long time?

Thanks!

Charlie

From raymond at prolocation.net Wed Feb 20 02:24:19 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Wed Feb 20 02:24:38 2008
Subject: mailscanner restarts
In-Reply-To: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>
References: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>
Message-ID:

Hi!

> I was just wondering if there is a setting I can change so that Mailscanner
> only restarts every 24 hours? It is taking too long to start up and
> everyone's emails are queuing up for too long as a result.
>
> Also, Mailscanner is taking at least 8-10 minutes to start up on my box. It
> is a Pentium 4, 2.4GHz, with 1GB RAM. Is this an abnormally long time?

You most likely run an outdated ClamAV. Reload times should be really
short.

Bye,
Raymond.

From r.berber at computer.org Wed Feb 20 02:42:23 2008
From: r.berber at computer.org (René Berber)
Date: Wed Feb 20 02:42:37 2008
Subject: mailscanner restarts
In-Reply-To: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>
References: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>
Message-ID:

Charlie wrote:

> I was just wondering if there is a setting I can change so that
> Mailscanner only restarts every 24 hours? It is taking too long to start
> up and everyone's emails are queuing up for too long as a result.

# To avoid resource leaks, re-start periodically. Forces a re-read of all
# the configuration files too, so new updates to the bad phishing sites list
# are read frequently.
Restart Every = 14400

You want to increase that one to 86400.

> Also, Mailscanner is taking at least 8-10 minutes to start up on my box.
> It is a Pentium 4, 2.4GHz, with 1GB RAM. Is this an abnormally long time?

Yes, that's too long.
--
René Berber

From Andrew.Chester at ukuvuma.co.za Wed Feb 20 10:29:07 2008
From: Andrew.Chester at ukuvuma.co.za (Andrew Chester)
Date: Wed Feb 20 10:36:27 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/octet-stream
Size: 258 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080220/3a7393cc/signature-0001.obj

From prandal at herefordshire.gov.uk Wed Feb 20 10:55:49 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Feb 20 10:56:15 2008
Subject: Spam Messages
In-Reply-To: <47BAD011.65ED.00A2.0@plattesheriff.org>
References: <47BAD011.65ED.00A2.0@plattesheriff.org>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0303D6D0@HC-MBX02.herefordshire.gov.uk>

body HC_GIRL /\bnice girl that would like to chat.{1,16}Email me at .{1,32}\.info.{1,120}\bpic(ture)?s\b/
describe HC_GIRL Girl with pics scam
score HC_GIRL 5

body HC_GIRL2 /I am writing from my friend's email/
describe HC_GIRL2 Girl with pics scam
score HC_GIRL2 5

Mind the linewraps in the above.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Rob Poe
> Sent: 19 February 2008 18:48
> To: MailScanner discussion
> Subject: Spam Messages
>
> I'm getting a lot of these recently .. ( I put in the
> Address Removed to avoid tripping filters)..
>
> Anyone have any rules for this?
>
> --------------------------------------------------------------
> --------------------------
>
> SpamAssassin (not cached, score=4.952, required 5, BAYES_60 1.00,
> DCC_CHECK 2.17, RCVD_IN_PBL 0.91, RCVD_IN_SORBS_DUL 0.88)
>
> Hello! I am tired tonight. I am nice girl that would like to
> chat with you.
> Email me at <> only, because I am using my friend's
> email to write this. I will show you some of my private pictures
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From jaearick at colby.edu Wed Feb 20 11:34:16 2008
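Added example, not part of any post in this thread: a Python dry run of the body rules posted above (Jeff Earickson's CHAT3-CHAT6 and Phil Randal's HC_GIRL rules) over sample text, to see which rules fire and what score they add before the rules go live. It only approximates SpamAssassin's body matching by collapsing whitespace; the legitimate sample mails and the address someone@example.info are constructed, and required=5 is taken from the report quoted in the thread.

```python
import re

# Rules as posted in the thread: Jeff Earickson's CHAT3-CHAT6 and
# Phil Randal's HC_GIRL/HC_GIRL2 (his wrapped line joined back together).
RULES_CF = r"""
#---added to kill chat spam, 2/15/2008
body CHAT3 /Hello! I am/
describe CHAT3 chat spam3
score CHAT3 5.0
body CHAT4 /Please rate me/
describe CHAT4 chat spam4
score CHAT4 5.0
body CHAT5 /I am nice girl/
describe CHAT5 chat spam5
score CHAT5 5.0
body CHAT6 /I have found you/
describe CHAT6 chat spam6
score CHAT6 5.0
body HC_GIRL /\bnice girl that would like to chat.{1,16}Email me at .{1,32}\.info.{1,120}\bpic(ture)?s\b/
describe HC_GIRL Girl with pics scam
score HC_GIRL 5
body HC_GIRL2 /I am writing from my friend's email/
describe HC_GIRL2 Girl with pics scam
score HC_GIRL2 5
"""

# Body text quoted in the thread. The address was removed in the post, so a
# constructed placeholder address is used here.
SPAM = """Hello! I am tired tonight. I am nice girl that would like to chat with you.
Email me at someone@example.info only, because I am using my friend's
email to write this. I will show you some of my private pictures"""

# Constructed legitimate mail that happens to contain the short phrases.
HAM = [
    "Hello! I am the new account manager for your region. Can we meet on Monday?",
    "Thanks for attending the workshop. Please rate me as a presenter on the form.",
    "Good news, I have found you a replacement part for the pump.",
]


def load_rules(cf_text):
    """Parse 'body NAME /re/flags' and 'score NAME n' lines into {name: (regex, score)}."""
    patterns, scores = {}, {}
    for line in cf_text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest.strip())
            if not m:
                raise ValueError(f"unparsed body rule: {line!r}")
            patterns[name] = re.compile(m.group(1), re.I if "i" in m.group(2) else 0)
        elif kind == "score":
            scores[name] = float(rest.split()[0])
    # A rule without a score line gets SpamAssassin's default of 1.0.
    return {n: (p, scores.get(n, 1.0)) for n, p in patterns.items()}


def evaluate(rules, body, prefix=""):
    """Return (sorted rule hits, added score) for rules whose name starts with prefix."""
    text = " ".join(body.split())  # approximation: newlines collapsed to spaces
    hits = sorted(n for n, (rx, _) in rules.items()
                  if n.startswith(prefix) and rx.search(text))
    return hits, float(sum(rules[n][1] for n in hits))


def dry_run(rules, required=5.0):
    """One row per sample and rule family: (label, family, hits, score, reaches_required)."""
    samples = [("spam", SPAM)] + [(f"ham{i}", h) for i, h in enumerate(HAM)]
    rows = []
    for label, body in samples:
        for family in ("CHAT", "HC_"):
            hits, score = evaluate(rules, body, family)
            rows.append((label, family, hits, score, score >= required))
    return rows


if __name__ == "__main__":
    for row in dry_run(load_rules(RULES_CF)):
        print(row)
```

The score column is only what these rules add by themselves; the rest of the SpamAssassin score and the site's own spam threshold decide what happens to a real message.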
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed Feb 20 11:34:34 2008
Subject: Spam Messages
In-Reply-To:
References: <47BAD011.65ED.00A2.0@plattesheriff.org>
Message-ID:

On Tue, 19 Feb 2008, Raymond Dijkxhoorn wrote:

>> I put these in my spam.assassin.prefs.conf file, at the bottom:
>>
>> #---added to kill chat spam, 2/15/2008
>> body CHAT3 /Hello! I am/
>> describe CHAT3 chat spam3
>> score CHAT3 5.0
>> body CHAT4 /Please rate me/
>> describe CHAT4 chat spam4
>> score CHAT4 5.0
>> body CHAT5 /I am nice girl/
>> describe CHAT5 chat spam5
>> score CHAT5 5.0
>> body CHAT6 /I have found you/
>> describe CHAT6 chat spam6
>> score CHAT6 5.0
>>
>> Most are killed by CHAT3 + CHAT5 quite nicely.
>
> So is a lot of regular mail. Pffff.... Be careful adding oneliners like this
> and scoring it 5.

Not true. My spam threshold is 6, discard is 10. I've had zero false positives. All but one message that have been flagged by these rules were CHAT3+CHAT5, score > 10 (avg about 13)... discarded. The remaining one message triggered CHAT4, plus a bunch of regular SA stuff to get a 13.76.

My one reservation was doing body SA rules, extra CPU cycles. But I had a lot of people complaining about the "I am tired/bored/lonely" spams and these rules silenced the complaints.

Jeff Earickson
Colby College

From steve.freegard at fsl.com Wed Feb 20 12:01:11 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Feb 20 12:01:49 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
References:
Message-ID: <47BC1687.8060203@fsl.com>

Andrew Chester wrote:
> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
          ^^^

There's your problem - you have spaces in your %org-name% setting in MailScanner.conf.

Fix that and restart and it should work correctly.

Cheers,
Steve.
--
Steve Freegard
Fort Systems Ltd.

From sbanderson at impromed.com Wed Feb 20 14:17:25 2008
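Added example, not from the thread or from MailScanner: a check that an %org-name% value yields a legal header field name, plus a demonstration of what a parser does with the header Steve Freegard points at. Python's standard email parser stands in for the downstream mailer; the sample newsletter, its addresses and its header order are constructed assumptions.

```python
import base64
import re
from email import message_from_bytes, policy
from email.errors import MissingHeaderBodySeparatorDefect

# RFC 5322 field-name: printable US-ASCII except space and colon.
FIELD_NAME = re.compile(r"[\x21-\x39\x3b-\x7e]+")


def org_name_is_safe(org_name):
    """True if X-<org_name>-MailScanner is a legal header field name."""
    return FIELD_NAME.fullmatch(f"X-{org_name}-MailScanner") is not None


def build_message(org_name):
    """Constructed sample: a base64 HTML mail carrying scanner headers built
    from org_name. Placing the MIME headers after them is an assumption."""
    html = "<html><body><p>Your flight is confirmed.</p></body></html>"
    headers = [
        "From: newsletter@example.com",
        "To: user@example.org",
        "Subject: Booking confirmation",
        f"X-{org_name}-MailScanner: Found to be clean",
        f"X-{org_name}-MailScanner-From: newsletter@example.com",
        "X-Spam-Status: No",
        "MIME-Version: 1.0",
        'Content-Type: text/html; charset="us-ascii"',
        "Content-Transfer-Encoding: base64",
    ]
    body = base64.encodebytes(html.encode("ascii"))
    return ("\n".join(headers) + "\n\n").encode("ascii") + body


def inspect(raw):
    """Parse the message and report what a reader of it would be shown."""
    msg = message_from_bytes(raw, policy=policy.default)
    cte = msg.get("Content-Transfer-Encoding")
    return {
        # The parser stops reading headers at the first line that is not a
        # valid header and records this defect; the rest becomes body text.
        "header_block_broken": any(
            isinstance(d, MissingHeaderBodySeparatorDefect) for d in msg.defects
        ),
        "content_type": msg.get_content_type(),
        "cte": None if cte is None else str(cte),
        "displayed": msg.get_payload(decode=True).decode("ascii", "replace"),
    }


if __name__ == "__main__":
    for name in ("Ukuvuma Solutions", "UkuvumaSolutions"):
        result = inspect(build_message(name))
        print(name, "->", "safe" if org_name_is_safe(name) else "UNSAFE")
        print("  content type:", result["content_type"], "| encoding:", result["cte"])
        print("  first displayed line:", result["displayed"].splitlines()[0])
```

With the space in the name, the scanner headers and every header after them land in the body, which matches the X-Ukuvuma Solutions-MailScanner-From and X-Spam-Status lines visible in the message text Andrew Chester posted.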
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Wed Feb 20 14:18:12 2008
Subject: OT Spam Assassin Prefs question
Message-ID:

My users have been seeing a large amount of Russian charset email spam. How would I set a SA rule to include all Cyrillic (sp) emails or would this be better set at the MTA (sendmail in my case) ?

Scott Anderson
sbanderson@impromed.com
IT Administrator
ImproMed, Inc.
From glenn.steen at gmail.com Wed Feb 20 15:34:31 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Feb 20 15:34:42 2008
Subject: Mailscanner warnings
In-Reply-To:
References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com>
Message-ID: <223f97700802200734n29031a3eg763c55dbddc1c09d@mail.gmail.com>

On 19/02/2008, Ugo Bellavance wrote:
> AlxFrag wrote:
> > Glenn Steen wrote:
> >> On 15/02/2008, Martin.Hepworth wrote:
> >>
> >>> Also
> >>>
> >>> The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61..
> >>>
> >>>
> >> Not to mention that no facility of MailScanner would ever run the
> >> clamd _command_ ... Not whatsoever.
> >>
> >> What seems to have happened here is that someone has followed a
> >> botched instruction on enabling clamdscan support by futzing the
> >> clamav-* wrapper scripts. This of course hasn't worked, since clamd is
> >> the server part, not the client.
> >> This would explain the bogus log entries on both hosts.
> >>
> >> What Alex should do is to follow the spirit of the wiki article
> >> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
> >> to get things going on the newer install (4.66.5 was it?), and upgrade
> >> the other one to a version later than 4.62.something (just as you say
> >> Martin), and do the same there.
> >> Only other really viable option would be to run clamavmodule on the old one.
> >>
> >> Cheers
> >>
> > Good morning,
> >
> > I've followed your advice and these described in
> > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd.
> > I've also modified the clamav-wrapper file to its original form.
> >
> > Now, no warnings are displayed. The problem is that clamscan is running
> > that needs too much CPU.
> > How can I switch to clamdscan?
>
> - make sure you're running a version of MS that supports clamd
> - make appropriate changes in MailScanner.conf
> - restart MailScanner
>
> Ugo
>
If the version is too old for clamd (4.62.something...?), then use clamavmodule.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From mark at msapiro.net Wed Feb 20 15:45:55 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Feb 20 15:46:15 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC1687.8060203@fsl.com>
Message-ID:

Steve Freegard wrote:

>Andrew Chester wrote:
>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>           ^^^
>
>There's your problem - you have spaces in your %org-name% setting in
>MailScanner.conf.

While the space in %org-name% is wrong, it does not seem to be the cause of the problem.

Here's what I see in the last few headers and body:

---------------------------------------------------------------
content-transfer-encoding: base64
content-type: text/plain; charset=utf-8

X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
X-Spam-Status: No

X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
X-Spam-Status: No

WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz
IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu
Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg
YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK
-----------------------------------------------------------------

The two sets of MailScanner headers are curious, but it looks from the Received: headers that the message passed twice through apollo.ukuvuma.co.za so it was probably scanned twice.

The real problem is the empty lines preceding each set of MailScanner headers. This causes the MailScanner headers to be part of the body which totally destroys the base64 encoding and results in the garbled message.

I suspect that all base64 encoded messages get garbled this way and non-base64 encoded messages show the MailScanner headers in the body.

Perhaps someone with more MailScanner experience has a clue as to why the MailScanner headers are preceded by an empty line.

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
From shuttlebox at gmail.com Wed Feb 20 15:58:20 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Feb 20 15:58:34 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
References: <47BC1687.8060203@fsl.com>
Message-ID: <625385e30802200758h4b791069r209f8ee1008e6d@mail.gmail.com>

On Wed, Feb 20, 2008 at 4:45 PM, Mark Sapiro wrote:
> Steve Freegard wrote:
>
> >Andrew Chester wrote:
> >> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
> >           ^^^
> >
> >There's your problem - you have spaces in your %org-name% setting in
> >MailScanner.conf.
>
> While the space in %org-name% is wrong, it does not seem to be the
> cause of the problem.

Why don't you fix it first and then post new output? That error has been known to cause all kinds of problems in the past and in your version of MailScanner a check for wrong org-names was introduced to the --lint check which I guess you never ran as you also missed:

# **** RULE: It must not contain any spaces! ****

...right above the conf line in question. :-)

--
/peter
From MailScanner at ecs.soton.ac.uk Wed Feb 20 16:03:21 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 16:03:45 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
References:
Message-ID: <47BC4F49.204@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Sapiro wrote:
> Steve Freegard wrote:
>
>
>> Andrew Chester wrote:
>>
>>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>>>
>>            ^^^
>>
>> There's your problem - you have spaces in your %org-name% setting in
>> MailScanner.conf.
>>
>
> While the space in %org-name% is wrong, it does not seem to be the
> cause of the problem.
>
> Here's what I see in the last few headers and body:
>
> ---------------------------------------------------------------
> content-transfer-encoding: base64
> content-type: text/plain; charset=utf-8
>
> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
> X-Spam-Status: No
>
> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
> X-Spam-Status: No
>
> WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz
> IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu
> Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg
> YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK
> -----------------------------------------------------------------
>
> The two sets of MailScanner headers are curious, but it looks from the
> Received: headers that the message passed twice through
> apollo.ukuvuma.co.za so it was probably scanned twice.
>
> The real problem is the empty lines preceding each set of MailScanner
> headers. This causes the MailScanner headers to be part of the body
> which totally destroys the base64 encoding and results in the garbled
> message.
>
> I suspect that all base64 encoded messages get garbled this way and
> non-base64 encoded messages show the MailScanner headers in the body.
>
> Perhaps someone with more MailScanner experience has a clue as to why
> the MailScanner headers are preceded by an empty line.
>
It's probably the MTA (or MailScanner) attempting to render the message in a form correct for the next mail handling program it passes through. There should always be a blank line after the last header. But I don't guarantee what MailScanner will do if the headers end on an incomplete line, as it never happens in real mail that hasn't been screwed by something (in your case, the space in %org-name%).

The point about spaces in %org-name% is very clearly documented in the MailScanner.conf file.

If you break that rule I make no guarantees what may happen to your mail.

I will add some more code to check for that and flag it very boldly in the logs, and ensure that MailScanner --debug and MailScanner --lint check for it too.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHvE9LEfZZRxQVtlQRAsPEAKC3epcVVp8RrJAKRa0MNSqQK/yfZgCfQ1mD
/gzKDix5AGtCwHyCaIaL8vM=
=Wr2g
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From uxbod at splatnix.net Wed Feb 20 16:07:08 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 20 16:07:32 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC4F49.204@ecs.soton.ac.uk>
Message-ID: <21904417.1681203523628463.JavaMail.root@office.splatnix.net>

Jules, perhaps MS should not even start if that is the case ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
From mark at msapiro.net Wed Feb 20 17:04:17 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Feb 20 17:04:30 2008
Subject: OT Spam Assassin Prefs question
In-Reply-To:
Message-ID:

Scott B. Anderson wrote:

>My users have been seeing a large amount of Russian charset email spam. How
> would I set a SA rule to include all Cyrillic (sp) emails or would this be
> better set at the MTA (sendmail in my case) ?

You could set a header rule something like

header X_RULE_NAME Content-Type =~ /charset="?(ibm-855|iso-8859-5|iso-ir-11|koi8-r|koi8-u|maccyrillic|macukranian|windows-1251|cp-866)/i

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
From Andrew.Chester at ukuvuma.co.za Wed Feb 20 17:30:50 2008
From: Andrew.Chester at ukuvuma.co.za (Andrew Chester)
Date: Wed Feb 20 17:37:59 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <21904417.1681203523628463.JavaMail.root@office.splatnix.net>
Message-ID:

Hi guys

Thanks for the info, I corrected the space between the org-name and this seemed to have solved the problem as I tested it again and this time it was delivered correctly.

Thanks for all the help! And yes, egg on my face shall we say, I'll read the comments in the config more attentively from now on ;-)

Kind Regards,
Andrew
From MailScanner at ecs.soton.ac.uk Wed Feb 20 17:42:28 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 17:42:53 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC4F49.204@ecs.soton.ac.uk>
References: <47BC4F49.204@ecs.soton.ac.uk>
Message-ID: <47BC6684.7080300@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
> * PGP Signed: 02/20/08 at 16:03:23
>
>
>
> Mark Sapiro wrote:
>> Steve Freegard wrote:
>>
>>
>>> Andrew Chester wrote:
>>>
>>>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>>>>
>>>            ^^^
>>>
>>> There's your problem - you have spaces in your %org-name% setting in
>>> MailScanner.conf.
>>>
>>
>> While the space in %org-name% is wrong, it does not seem to be the
>> cause of the problem.
>>
>> Here's what I see in the last few headers and body:
>>
>> ---------------------------------------------------------------
>> content-transfer-encoding: base64
>> content-type: text/plain; charset=utf-8
>>
>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>> X-Spam-Status: No
>>
>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>> X-Spam-Status: No
>>
>> WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz
>> IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu
>> Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg
>> YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK
>> -----------------------------------------------------------------
>>
>> The two sets of MailScanner headers are curious, but it looks from the
>> Received: headers that the message passed twice through
>> apollo.ukuvuma.co.za so it was probably scanned twice.
>>
>> The real problem is the empty lines preceding each set of MailScanner
>> headers. This causes the MailScanner headers to be part of the body
>> which totally destroys the base64 encoding and results in the garbled
>> message.
>>
>> I suspect that all base64 encoded messages get garbled this way and
>> non-base64 encoded messages show the MailScanner headers in the body.
>>
>> Perhaps someone with more MailScanner experience has a clue as to why
>> the MailScanner headers are preceded by an empty line.
>>
> It's probably the MTA (or MailScanner) attempting to render the
> message in a form correct for the next mail handling program it passes
> through. There should always be a blank line after the last header.
> But I don't guarantee what MailScanner will do if the headers end on
> an incomplete line, as it never happens in real mail that hasn't been
> screwed by something (in your case, the space in %org-name%).
>
> The point about spaces in %org-name% is very clearly documented in the
> MailScanner.conf file.
>
> If you break that rule I make no guarantees what may happen to your mail.
>
> I will add some more code to check for that and flag it very boldly in
> the logs, and ensure that MailScanner --debug and MailScanner --lint
> check for it too.

When you run MailScanner --lint, a polite warning is already shown,
which I reckon is sufficient for that case. But when you run MailScanner
- --debug, there was no obvious warning, so now you get this printed
instead, which I think is obvious enough for nearly everyone (the rows
of "*"s are included in the output) :

************************************************************************
In MailScanner.conf, your "%org-name%" or "Mail Header" setting contains
spaces and/or other illegal characters.

Including any spaces will break all your mail system.
Otherwise, it should only contain characters from the set a-z, A-Z,
0-9 and "-". While theoretically some other characters are allowed,
many commercial mail systems fail to handle them correctly.

This is clearly noted in the MailScanner.conf file, immediately above
the %org-name% setting.
Please read the documentation!
************************************************************************

Clear enough for you? :-)

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHvGaHEfZZRxQVtlQRAqCkAKDVBknIo31mlCMZjJei4hA8sTFdrgCfYcxE
Xx+u7XzasyvAT3h2YyJTY64=
=6Vjk
-----END PGP SIGNATURE-----
From MailScanner at ecs.soton.ac.uk Wed Feb 20 17:55:20 2008
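As an added example (not code from MailScanner or from anyone in this thread): the check below applies the character set named in the --debug warning above to an %org-name% value, then shows how a parser treats the header that results when the value contains a space. Python's standard email parser stands in for the downstream mail software; the addresses, subject, body text and the corrected value "UkuvumaSolutions" are constructed.

```python
import base64
import binascii
import re
from email import message_from_string

# Characters the --debug warning quoted above says %org-name% should be limited to.
ORG_NAME_CHAR = re.compile(r"[A-Za-z0-9-]")

# Constructed sample body; not taken from the thread.
SAMPLE_TEXT = "Monthly newsletter: constructed sample body.\n"


def org_name_problems(org_name):
    """Return a list of reasons the value is unsafe to embed in a header name."""
    problems = []
    if not org_name:
        problems.append("empty value")
    if any(ch.isspace() for ch in org_name):
        problems.append("contains whitespace")
    bad = sorted({ch for ch in org_name
                  if not ch.isspace() and not ORG_NAME_CHAR.fullmatch(ch)})
    if bad:
        problems.append("characters outside a-z, A-Z, 0-9 and '-': " + "".join(bad))
    return problems


def build_message(org_name, text=SAMPLE_TEXT):
    """Build a base64 text message as it looks once the scanner has appended
    its X-<org-name>-MailScanner headers (header names follow the thread)."""
    headers = [
        "From: newsletter@example.org",
        "To: user@example.net",
        "Subject: constructed test message",
        "MIME-Version: 1.0",
        "Content-Type: text/plain; charset=utf-8",
        "Content-Transfer-Encoding: base64",
        f"X-{org_name}-MailScanner: Found to be clean",
        f"X-{org_name}-MailScanner-From: newsletter@example.org",
    ]
    payload = base64.encodebytes(text.encode("utf-8")).decode("ascii")
    return "\n".join(headers) + "\n\n" + payload


def receive(raw):
    """Parse the message as a downstream program would and try to decode the body."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    try:
        # Strict decode: any non-base64 character in the body is an error.
        text = base64.b64decode("".join(body.split()), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        text = None  # the body is no longer valid base64
    return {
        "headers": msg.keys(),
        "defects": [type(d).__name__ for d in msg.defects],
        "body_first_line": body.splitlines()[0] if body else "",
        "text": text,
    }


if __name__ == "__main__":
    for name in ("UkuvumaSolutions", "Ukuvuma Solutions"):
        result = receive(build_message(name))
        print(repr(name), org_name_problems(name) or "ok")
        print("  parsed headers:", len(result["headers"]), "defects:", result["defects"])
        print("  body starts with:", result["body_first_line"])
        print("  decoded text:", repr(result["text"]))
```

A header field name cannot contain a space, so the parser ends the header block at the first X-Ukuvuma Solutions-... line and hands that line, the one after it and the base64 text to the reader as the body, which is the symptom described earlier in the thread.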
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 17:55:43 2008
Subject: OT Spam Assassin Prefs question
In-Reply-To:
References:
Message-ID: <47BC6988.2080101@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Sapiro wrote:
> Scott B. Anderson wrote:
>
>
>> My users have been seeing a large amount of Russian charset email spam. How
>> would I set a SA rule to include all Cyrillic (sp) emails or would this be
>> better set at the MTA (sendmail in my case) ?
>>
>
>
> You could set a header rule something like
>
> header X_RULE_NAME Content-Type =~
> /charset="?(ibm-855|iso-8859-5|iso-ir-11|koi8-r|koi8-u|maccyrillic|macukranian|windows-1251|cp-866)/
>
There is already functionality built into SpamAssassin to do this for you, probably more reliably than you could code yourself (no insult intended!).

Here's the relevant chunk of "man Mail::SpamAssassin::Conf" ...

    ok_locales xx [ yy zz ... ] (default: all)
        This option is used to specify which locales are considered OK for
        incoming mail. Mail using the character sets that are allowed by
        this option will not be marked as possibly being spam in a foreign
        language.

        If you receive lots of spam in foreign languages, and never get any
        non-spam in these languages, this may help. Note that all
        ISO-8859-* character sets, and Windows code page character sets,
        are always permitted by default.

        Set this to "all" to allow all character sets. This is the default.

        The rules "CHARSET_FARAWAY", "CHARSET_FARAWAY_BODY", and
        "CHARSET_FARAWAY_HEADERS" are triggered based on how this is set.

        Examples:

          ok_locales all         (allow all locales)
          ok_locales en          (only allow English)
          ok_locales en ja zh    (allow English, Japanese, and Chinese)

        Note: if there are multiple ok_locales lines, only the last one is
        used.

        Select the locales to allow from the list below:

        en - Western character sets in general
        ja - Japanese character sets
        ko - Korean character sets
        ru - Cyrillic character sets
        th - Thai character sets
        zh - Chinese (both simplified and traditional) character sets

So if you set "ok_locales en" that will probably do what you want.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHvGmKEfZZRxQVtlQRAn8KAKC2T5D9nWVBLajr9Sq2kMVt2CmCYQCcD/JJ
dybHN0CfAv6VdepL/qWZw/g=
=bkqd
-----END PGP SIGNATURE-----
From itdept at fractalweb.com Wed Feb 20 17:55:36 2008
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Feb 20 17:55:56 2008
Subject: possible corrupt sanesecurity defs
Message-ID: <47BC6998.3060801@fractalweb.com>

Our server downloaded what I believe to be either a corrupt sanesecurity definition file or a valid file with a false-positive. In any case, hundreds of messages were incorrectly tagged as infected. Not a good day.

How do I go about releasing these?

And how can we prevent this from happening in the future?

Any help would be much appreciated.
From brose at med.wayne.edu Wed Feb 20 18:12:21 2008
From: brose at med.wayne.edu (Rose, Bobby)
Date: Wed Feb 20 18:12:41 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC6998.3060801@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com>
Message-ID: <610C64469748E84DB6BDD5BD23F01A764DEE@MED-CORE03-MS1.med.wayne.edu>

I just discovered the same issue. Email.Hdr.Sanesecurity.07021900 is bad and I'm not sure what the thought was behind that one. It looks like the signature is for "Return-Path: < g>"

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Yuzik
Sent: Wednesday, February 20, 2008 12:56 PM
To: mailscanner@lists.mailscanner.info
Subject: possible corrupt sanesecurity defs

Our server downloaded what I believe to be either a corrupt sanesecurity definition file or a valid file with a false-positive. In any case, hundreds of messages were incorrectly tagged as infected. Not a good day.

How do I go about releasing these?

And how can we prevent this from happening in the future?

Any help would be much appreciated.
From mkettler at evi-inc.com Wed Feb 20 18:12:52 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Feb 20 18:13:35 2008
Subject: OT Spam Assassin Prefs question
In-Reply-To:
References:
Message-ID: <47BC6DA4.5000900@evi-inc.com>

Scott B. Anderson wrote:
> My users have been seeing a large amount of Russian charset email spam. How would I set a SA rule to include all Cyrillic (sp) emails or would this be better set at the MTA (sendmail in my case) ?
>

See the "ok_locales" option in the Mail::SpamAssassin::Conf manpage:

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

Note that ok_locales is character set based, not language analysis based like ok_languages. It also supports a *very* limited list of locales, and any unsupported locales are essentially "OK" by default.

you'd probably want to do something like:

ok_locales en ja ko th zh

Which would effectively cause all messages with Cyrillic in them to trigger the CHARSET_FARAWAY rules and be penalized. (note I left "ru" out of the "ok" list).
From itdept at fractalweb.com Wed Feb 20 18:17:09 2008
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Feb 20 18:17:27 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC6998.3060801@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com>
Message-ID: <47BC6EA5.2050903@fractalweb.com>

Chris Yuzik wrote:
> Our server downloaded what I believe to be either a corrupt
> sanesecurity definition file or a valid file with a false-positive. In
> any case, hundreds of messages were incorrectly tagged as infected.
> Not a good day.
>
> How do I go about releasing these?
>
> And how can we prevent this from happening in the future?
>
> Any help would be much appreciated.

I suppose I should point out that it hit on the rule "Email.Hdr.Sanesecurity.07021900"
From Denis.Beauchemin at usherbrooke.ca Wed Feb 20 18:23:48 2008
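An added example, not code from any poster or from SpamAssassin: a small offline regression check for the custom rules posted earlier in this archive, the CHAT body rules from the "Spam Messages" thread and the charset header rule from the "OT Spam Assassin Prefs question" thread. Python's re module stands in for SpamAssassin's matching; the corpus is constructed, the 5.0 score for X_RULE_NAME is an assumption (the thread gives none), and a message is assumed to be acted on when its score is at or above the threshold.

```python
import re

# Rules as posted in this archive. "body" rules are matched against the plain
# body text, the header rule against the Content-Type header value.
RULES = [
    # (name, matched against, pattern, score)
    ("CHAT3", "body", re.compile(r"Hello! I am"), 5.0),
    ("CHAT4", "body", re.compile(r"Please rate me"), 5.0),
    ("CHAT5", "body", re.compile(r"I am nice girl"), 5.0),
    ("CHAT6", "body", re.compile(r"I have found you"), 5.0),
    # Assumed score: the thread gives none for this rule.
    ("X_RULE_NAME", "content-type", re.compile(
        r'charset="?(ibm-855|iso-8859-5|iso-ir-11|koi8-r|koi8-u|maccyrillic'
        r'|macukranian|windows-1251|cp-866)', re.IGNORECASE), 5.0),
]

# Constructed corpus: (label, wanted, Content-Type, body, score from other rules).
# The first body is the sample quoted in the "Spam Messages" thread, with the
# 4.952 that the stock rules gave it there.
CYRILLIC = "Привет, это тестовое сообщение"
CORPUS = [
    ("chat-spam", "spam", "text/plain; charset=us-ascii",
     "Hello! I am tired tonight. I am nice girl that would like to chat with you.",
     4.952),
    ("ham-greeting", "clean", "text/plain; charset=us-ascii",
     "Hello! I am writing to confirm Thursday's meeting.", 0.0),
    ("ham-marketplace", "clean", "text/plain; charset=us-ascii",
     "Please rate me as a seller once the parcel arrives.", 0.0),
    ("cyrillic-koi8", "spam", 'text/plain; charset="koi8-r"', CYRILLIC, 0.0),
    ("cyrillic-utf8", "spam", "text/plain; charset=utf-8", CYRILLIC, 0.0),
]


def evaluate(content_type, body, other_score=0.0):
    """Return (names of the rules that hit, total score rounded to 3 places)."""
    hits, score = [], other_score
    for name, where, pattern, rule_score in RULES:
        if pattern.search(body if where == "body" else content_type):
            hits.append(name)
            score += rule_score
    return hits, round(score, 3)


def verdict(score, spam_at, discard_at=None):
    """Assumption: a message is acted on when its score is >= the threshold."""
    if discard_at is not None and score >= discard_at:
        return "discard"
    return "spam" if score >= spam_at else "clean"


def regression(spam_at, discard_at=None):
    """Return {label: (hits, score, verdict, verdict matches what was wanted)}."""
    results = {}
    for label, wanted, content_type, body, other in CORPUS:
        hits, score = evaluate(content_type, body, other)
        got = verdict(score, spam_at, discard_at)
        results[label] = (hits, score, got, (got != "clean") == (wanted == "spam"))
    return results


if __name__ == "__main__":
    # "required 5" is the threshold in the report quoted in the thread;
    # 6 / 10 are the spam and discard thresholds given in the reply.
    for spam_at, discard_at in ((5.0, None), (6.0, 10.0)):
        print(f"thresholds: spam>={spam_at} discard>={discard_at}")
        for label, (hits, score, got, ok) in regression(spam_at, discard_at).items():
            flag = "" if ok else "  <-- not the wanted outcome"
            print(f"  {label:16} {score:7.3f} {got:8} {hits}{flag}")
```

The UTF-8 sample never matches X_RULE_NAME because that rule only inspects the declared charset, so Cyrillic text sent as UTF-8 passes it untouched.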
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Wed Feb 20 18:24:37 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC6998.3060801@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com>
Message-ID: <47BC7034.1050602@USherbrooke.ca>

Chris Yuzik wrote:
> Our server downloaded what I believe to be either a corrupt
> sanesecurity definition file or a valid file with a false-positive. In
> any case, hundreds of messages were incorrectly tagged as infected.
> Not a good day.
>
> How do I go about releasing these?
>
> And how can we prevent this from happening in the future?
>
> Any help would be much appreciated.

Chris,

I've seen many download errors since yesterday:

CURL had a problem getting scam.ndb.gz , error code : 7
Check : /var/tmp/clamdb/SCAM-UpdateSession.log
CURL had a problem getting phish.ndb.gz , error code : 7
Check : /var/tmp/clamdb/PHISH-UpdateSession.log

The download script I use seems robust enough to not install incomplete files:
http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From MailScanner at ecs.soton.ac.uk Wed Feb 20 18:28:49 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 18:29:21 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC6EA5.2050903@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com>
Message-ID: <47BC7161.6040603@ecs.soton.ac.uk>

Chris Yuzik wrote:
> Chris Yuzik wrote:
>> Our server downloaded what I believe to be either a corrupt
>> sanesecurity definition file or a valid file with a false-positive.
>> In any case, hundreds of messages were incorrectly tagged as
>> infected. Not a good day.
>>
>> How do I go about releasing these?
>>
>> And how can we prevent this from happening in the future?
>>
>> Any help would be much appreciated.
> I suppose I should point out that it hit on the rule
> "Email.Hdr.Sanesecurity.07021900"

What MTA are you using?
Do you quarantine viruses at all?
Do you quarantine them as Raw Queue Files?
All of this lot are in your MailScanner.conf file.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From itdept at fractalweb.com Wed Feb 20 18:37:54 2008
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Feb 20 18:38:10 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC7161.6040603@ecs.soton.ac.uk>
References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk>
Message-ID: <47BC7382.1090909@fractalweb.com>

Julian Field wrote:
> Chris Yuzik wrote:
>> Chris Yuzik wrote:
>>> Our server downloaded what I believe to be either a corrupt
>>> sanesecurity definition file or a valid file with a false-positive.
>>> In any case, hundreds of messages were incorrectly tagged as
>>> infected. Not a good day.
>>>
>>> How do I go about releasing these?
>>>
>>> And how can we prevent this from happening in the future?
>>>
>>> Any help would be much appreciated.
>> I suppose I should point out that it hit on the rule
>> "Email.Hdr.Sanesecurity.07021900"
>
> What MTA are you using? Do you quarantine viruses at all? Do you
> quarantine them as Raw Queue Files? All of this lot are in your
> MailScanner.conf file.
>
> Jules

Julian,

Using Sendmail. We DO quarantine viruses. They are NOT quarantined as raw queue files. So, for example, we have a file called "message" in a dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243.

Thanks,
Chris

From wolfee at earthlink.net Wed Feb 20 18:49:52 2008
From: wolfee at earthlink.net (Matthew Wolfe)
Date: Wed Feb 20 18:50:02 2008
Subject: Return-Path is being rewritten.
Message-ID: <17785475.1203533392418.JavaMail.root@elwamui-muscovy.atl.sa.earthlink.net>

Hi,

I am not sure if this is a MailScanner or Sendmail thing but hopefully you guys can point me in the right direction. I have a client who just got a new email address and when he sends email to me the return path is rewritten to user@webhostingcompany instead of user@domainname. To make things more interesting his webhosting provider and email provider are different companies. If I send email to an email address that is not being scanned by MailScanner the return address is correct. We scan about 30000 emails a day and I have never seen anything like this. Any suggestions?

Thanks
Matt

From MailScanner at ecs.soton.ac.uk Wed Feb 20 19:14:13 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 19:14:37 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC7382.1090909@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com>
Message-ID: <47BC7C05.70106@ecs.soton.ac.uk>

Chris Yuzik wrote:
> Julian Field wrote:
>> Chris Yuzik wrote:
>>> Chris Yuzik wrote:
>>>> Our server downloaded what I believe to be either a corrupt
>>>> sanesecurity definition file or a valid file with a false-positive.
>>>> In any case, hundreds of messages were incorrectly tagged as
>>>> infected. Not a good day.
>>>>
>>>> How do I go about releasing these?
>>>>
>>>> And how can we prevent this from happening in the future?
>>>>
>>>> Any help would be much appreciated.
>>> I suppose I should point out that it hit on the rule
>>> "Email.Hdr.Sanesecurity.07021900"
>>
>> What MTA are you using? Do you quarantine viruses at all? Do you
>> quarantine them as Raw Queue Files? All of this lot are in your
>> MailScanner.conf file.
>>
>> Jules
>
> Julian,
>
> Using Sendmail. We DO quarantine viruses. They are NOT quarantined as
> raw queue files. So, for example, we have a file called "message" in a
> dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243.

In which case something like this should do the trick more or less:

bash
cd /var/spool/MailScanner/quarantine/20080220
for F in *
do
  # Each quarantined mail is a directory holding a file called "message"
  [ -f "$F/message" ] || continue
  /usr/sbin/sendmail -t < "$F/message"
  echo "$F"
done

That should deliver the message to where the mail said it was addressed to in the headers, not the original envelope, but it's probably close enough.

I have just had a good look at a sample of messages caught by this signature, and yes there are a lot of them.
However they all appear to be spam.
So I'm just going to let MailScanner deal with them appropriately, no need for panic actions here.

Jules

From ugob at lubik.ca Wed Feb 20 19:28:08 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Feb 20 19:28:42 2008
Subject: HTML mangle
Message-ID:

Hi,

src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg"

(should be src="http://www.domain.com/path/to/image.jpg""

Anyone seen this kind of html mangle done by MailScanner?

The image doesn't show in the HTML message.

I can provide more details off-list if needed.

Regards,

Ugo

From uxbod at splatnix.net Wed Feb 20 19:34:24 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 20 19:34:48 2008
Subject: HTML mangle
In-Reply-To:
Message-ID: <21611048.1741203536064776.JavaMail.root@office.splatnix.net>

do you happen to have the original email you could post somewhere ? you could change the headers etc.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Ugo Bellavance" wrote:
> Hi,
>
> src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg"
>
> (should be src="http://www.domain.com/path/to/image.jpg""
>
> Anyone seen this kind of html mangle done by MailScanner?
>
> The image doesn't show in the HTML message.
>
> I can provide more details off-list if needed.
>
> Regards,
>
> Ugo

From ugob at lubik.ca Wed Feb 20 19:56:18 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Feb 20 19:56:46 2008
Subject: HTML mangle
In-Reply-To: <21611048.1741203536064776.JavaMail.root@office.splatnix.net>
References: <21611048.1741203536064776.JavaMail.root@office.splatnix.net>
Message-ID:

--[ UxBoD ]-- wrote:
> do you happen to have the original email you could post somewhere ? you could change the headers etc.

The original e-mail, you mean the original code? No, I don't have it on hand.

Regards,

Ugo

From itdept at fractalweb.com Wed Feb 20 20:00:49 2008
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Feb 20 20:01:09 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC7C05.70106@ecs.soton.ac.uk>
References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com> <47BC7C05.70106@ecs.soton.ac.uk>
Message-ID: <47BC86F1.4080403@fractalweb.com>

Julian Field wrote:
>> Julian,
>>
>> Using Sendmail. We DO quarantine viruses. They are NOT quarantined as
>> raw queue files. So, for example, we have a file called "message" in a
>> dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243.
>>
> In which case something like this should do the trick more or less:
>
> bash
> cd /var/spool/MailScanner/quarantine/20080220
> for F in *
> do
> /usr/sbin/sendmail -t < $F
> echo $F
> done
>
> That should deliver the message to where the mail said it was addressed
> to in the headers, not the original envelope, but it's probably close
> enough.
>
> I have just had a good look at a sample of messages caught by this
> signature, and yes there are a lot of them.
> However they all appear to be spam.
> So I'm just going to let MailScanner deal with them appropriately, no
> need for panic actions here.
>
> Jules
>

Jules,

I had to modify this a bit because there were approximately 3.2 bazillion files from postmaster to postmaster that were also tagged. Needless to say, I didn't want to re-inject those into the queue.

Most of the emails nailed by this false positive were not spam in our case.

So what I did was:
1) created MySQL query to give me a list of the message IDs that were incorrectly tagged as being virus infected, and saved that as a text file.
2) created a small perl script ( I suck at bash scripting ) to loop over the text file and do a system command that looks like '/usr/sbin/sendmail -t < m1KEoKOn020766/message'

If anyone wants a copy of my script, please let me know.

Thank you again for your help.

Cheers,
Chris

From MailScanner at ecs.soton.ac.uk Wed Feb 20 20:00:49 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 20:01:12 2008
Subject: HTML mangle
In-Reply-To:
References:
Message-ID: <47BC86F1.8050401@ecs.soton.ac.uk>

Ugo Bellavance wrote:
> Hi,
>
> src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg"
>
> (should be src="http://www.domain.com/path/to/image.jpg""
>
> Anyone seen this kind of html mangle done by MailScanner?

Nope. Never see that. A URL with an embedded CR+LF sequence? Eek.

>
> The image doesn't show in the HTML message.
>
> I can provide more details off-list if needed.
>
> Regards,
>
> Ugo
>

Jules

From uxbod at splatnix.net Wed Feb 20 20:01:52 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 20 20:02:20 2008
Subject: HTML mangle
In-Reply-To:
Message-ID: <10206824.1771203537712933.JavaMail.root@office.splatnix.net>

I have seen that happen before, but on closer inspection of the email there were some dodgy characters in the email which caused it to be mangled.

Regards,

--
--[ UxBoD ]--

----- "Ugo Bellavance" wrote:

--[ UxBoD ]-- wrote:
> do you happen to have the original email you could post somewhere ? you could change the headers etc.

The original e-mail, you mean the original code? No, I don't have it on hand.

Regards,

Ugo

From amoore at dekalbmemorial.com Wed Feb 20 20:06:06 2008
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Wed Feb 20 20:06:16 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To:
References: <47BC6998.3060801@fractalweb.com>
Message-ID: <60D398EB2DB948409CA1F50D8AF12257033F6604@exch1.dekalbmemorial.local>

My coworker discovered the same issue before I got into work this morning. It was repeatedly marking system generated e-mails too. It had hit a few thousand messages in a couple of hours.

Did anyone submit some of their false positives to the sanesecurity folks?

--
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, Indiana
Phone: 260.920.2808
E-Mail: amoore@dekalbmemorial.com

From steve.freegard at fsl.com Wed Feb 20 20:15:12 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Feb 20 20:15:50 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC6684.7080300@ecs.soton.ac.uk>
References: <47BC4F49.204@ecs.soton.ac.uk> <47BC6684.7080300@ecs.soton.ac.uk>
Message-ID: <47BC8A50.9000109@fsl.com>

Julian Field wrote:
> When you run MailScanner --lint, a polite warning is already shown,
> which I reckon is sufficient for that case. But when you run MailScanner
> --debug, there was no obvious warning, so now you get this printed
> instead, which I think is obvious enough for nearly everyone (the rows
> of "*"s are included in the output) :
> ************************************************************************
> In MailScanner.conf, your "%org-name%" or "Mail Header" setting
> contains spaces and/or other illegal characters.
>
> Including any spaces will break all your mail system.
>
> Otherwise, it should only contain characters from the set a-z, A-Z,
> 0-9 and "-". While theoretically some other characters are allowed,
> many commercial mail systems fail to handle them correctly.
>
> This is clearly noted in the MailScanner.conf file, immediately above
> the %org-name% setting. Please read the documentation!
> ************************************************************************
>
> Clear enough for you? :-)

As this still requires someone to run --lint to get this warning (which a newbie might skip) why not just do the equivalent of:

$orgname =~ s/\s+/-/g

That way they can't break their mail system accidentally.

Cheers,
Steve.

From ugob at lubik.ca Wed Feb 20 20:23:24 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Feb 20 20:23:52 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC86F1.4080403@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com> <47BC7C05.70106@ecs.soton.ac.uk> <47BC86F1.4080403@fractalweb.com>
Message-ID:

Chris Yuzik wrote:
> Julian Field wrote:
>>> Julian,
>>>
>>> Using Sendmail. We DO quarantine viruses. They are NOT quarantined as
>>> raw queue files. So, for example, we have a file called "message" in
>>> a dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243.
>>>
>> In which case something like this should do the trick more or less:
>>
>> bash
>> cd /var/spool/MailScanner/quarantine/20080220
>> for F in *
>> do
>> /usr/sbin/sendmail -t < $F
>> echo $F
>> done
>>
>> That should deliver the message to where the mail said it was
>> addressed to in the headers, not the original envelope, but it's
>> probably close enough.
>>
>> I have just had a good look at a sample of messages caught by this
>> signature, and yes there are a lot of them.
>> However they all appear to be spam.
>> So I'm just going to let MailScanner deal with them appropriately, no
>> need for panic actions here.
>>
>> Jules
>>
>
> Jules,
>
> I had to modify this a bit because there were approximately 3.2
> bazillion files from postmaster to postmaster that were also tagged.
> Needless to say, I didn't want to re-inject those into the queue.
>
> Most of the emails nailed by this false positive were not spam in our case.
>
> So what I did was:
> 1) created MySQL query to give me a list of the message IDs that were
> incorrectly tagged as being virus infected, and saved that as a text file.
> 2) created a small perl script ( I suck at bash scripting ) to loop over
> the text file and do a system command that looks like
> '/usr/sbin/sendmail -t < m1KEoKOn020766/message'
>
> If anyone wants a copy of my script, please let me know.

For those who are using MailWatch, I think that there is a way to achieve this... maybe a script is already on the MW list...

Ugo

From brose at med.wayne.edu Wed Feb 20 20:25:53 2008
From: brose at med.wayne.edu (Rose, Bobby)
Date: Wed Feb 20 20:26:09 2008
Subject: FW: [FP] possible corrupt sanesecurity defs
Message-ID: <610C64469748E84DB6BDD5BD23F01A764DFB@MED-CORE03-MS1.med.wayne.edu>

-----Original Message-----
From: Steve Basford [mailto:steveb_clamav@sanesecurity.com]
Sent: Wednesday, February 20, 2008 3:08 PM
To: Rose, Bobby
Subject: Re: [FP]

Rose, Bobby wrote:

What is this look for?
Email.Hdr.Sanesecurity.07021900
This def had "alot" of false positives from all over the place. Here's are two header samples.

Hi,

I've just fixed this problem....when I checked the sig I noticed it had the end bit of the sig chopped off compared to version the other day... not exactly sure how it happened... and very annoyed with myself if it was finger trouble...but it's fixed and uploaded, so should be with the mirrors in about an hour.

I can only apologise for the problems caused :(

Cheers,
Steve

From ugob at lubik.ca Wed Feb 20 20:24:59 2008
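Chris's two-step release described above (a list of affected message IDs, then sendmail -t on each <id>/message), sketched in Python as an added example; it is not Chris's Perl script or anything from the MailScanner project. The ID-list format, the alphanumeric ID check and the postmaster filter are assumptions.

```python
import re
import subprocess
from email.parser import BytesParser
from email.utils import getaddresses
from pathlib import Path

# Assumption: queue IDs are plain alphanumerics like "m1KHWhuB006243", so a
# list entry containing "/" or ".." is never turned into a filesystem path.
QUEUE_ID = re.compile(r"[A-Za-z0-9]+")

# -t takes the recipients from the headers (not the original envelope, as
# Julian notes); -i stops a line holding only "." from ending the message.
SENDMAIL = ("/usr/sbin/sendmail", "-t", "-i")


def load_ids(lines):
    """Return the well-formed queue IDs from an exported list, without duplicates."""
    ids = []
    for raw in lines:
        candidate = raw.strip()
        if QUEUE_ID.fullmatch(candidate) and candidate not in ids:
            ids.append(candidate)
    return ids


def _local_parts(msg, *fields):
    """Lower-cased local parts of every address found in the given header fields."""
    values = []
    for field in fields:
        values.extend(str(v) for v in msg.get_all(field, []))
    return {addr.split("@")[0].lower() for _, addr in getaddresses(values) if addr}


def is_postmaster_to_postmaster(message_path):
    """True when the sender and every header recipient are postmaster."""
    with open(message_path, "rb") as fh:
        msg = BytesParser().parse(fh, headersonly=True)
    senders = _local_parts(msg, "From")
    recipients = _local_parts(msg, "To", "Cc")
    return senders == {"postmaster"} and recipients == {"postmaster"}


def release(day_dir, ids, sendmail=SENDMAIL, dry_run=True):
    """Re-inject <day_dir>/<id>/message for each ID; return (released, skipped)."""
    day_dir = Path(day_dir).resolve()
    released, skipped = [], []
    for queue_id in ids:
        message = (day_dir / queue_id / "message").resolve()
        # Refuse anything that resolves outside the quarantine directory
        # (for example through a symlink) or that is not a regular file.
        if day_dir not in message.parents or not message.is_file():
            skipped.append((queue_id, "no message file"))
            continue
        if is_postmaster_to_postmaster(message):
            skipped.append((queue_id, "postmaster to postmaster"))
            continue
        if not dry_run:
            with open(message, "rb") as fh:
                subprocess.run(list(sendmail), stdin=fh, check=True)
        released.append(queue_id)
    return released, skipped
```

Run it with dry_run=True first and compare the released list against the database export before re-injecting anything.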
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Feb 20 20:30:21 2008
Subject: HTML mangle
In-Reply-To: <47BC86F1.8050401@ecs.soton.ac.uk>
References: <47BC86F1.8050401@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Ugo Bellavance wrote:
>> Hi,
>>
>> src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg"
>>
>> (should be src="http://www.domain.com/path/to/image.jpg""
>>
>> Anyone seen this kind of html mangle done by MailScanner?
> Nope. Never see that. A URL with an embedded CR+LF sequence? Eek.

So you're saying that the problem is in the source HTML code? Is MailScanner changing the CR+LF to the '!%0d%0a%20'?

Ugo

From MailScanner at ecs.soton.ac.uk Wed Feb 20 20:30:11 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 20:30:34 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC8A50.9000109@fsl.com>
References: <47BC4F49.204@ecs.soton.ac.uk> <47BC6684.7080300@ecs.soton.ac.uk> <47BC8A50.9000109@fsl.com>
Message-ID: <47BC8DD3.9040209@ecs.soton.ac.uk>

Steve Freegard wrote:
> Julian Field wrote:
>
>> When you run MailScanner --lint, a polite warning is already shown,
>> which I reckon is sufficient for that case. But when you run
>> MailScanner --debug, there was no obvious warning, so now you get
>> this printed instead, which I think is obvious enough for nearly
>> everyone (the rows of "*"s are included in the output) :
>> ************************************************************************
>> In MailScanner.conf, your "%org-name%" or "Mail Header" setting
>> contains spaces and/or other illegal characters.
>>
>> Including any spaces will break all your mail system.
>>
>> Otherwise, it should only contain characters from the set a-z, A-Z,
>> 0-9 and "-". While theoretically some other characters are allowed,
>> many commercial mail systems fail to handle them correctly.
>>
>> This is clearly noted in the MailScanner.conf file, immediately above
>> the %org-name% setting. Please read the documentation!
>> ************************************************************************
>>
>> Clear enough for you? :-)
>
>
> As this still requires someone to run --lint to get this warning
> (which a newbie might skip) why not just do the equivalent of:
>
> $orgname =~ s/\s+/-/g
>
> That way they can't break their mail system accidentally.

I could, but what happens if they have upgraded their way from an early version and don't use %org-name%? It really needs doing to a whole bunch of settings which are used as header names. I could try to find all the header settings and automatically apply it to all of the headers, I'll take a look at doing that.

Jules

From ssilva at sgvwater.com Wed Feb 20 20:32:00 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Feb 20 20:32:13 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC4F49.204@ecs.soton.ac.uk>
References: <47BC4F49.204@ecs.soton.ac.uk>
Message-ID:

on 2/20/2008 8:03 AM Julian Field spake the following:
>
> Mark Sapiro wrote:
>> Steve Freegard wrote:
>>> Andrew Chester wrote:
>>>
>>>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>>>>
>>> ^^^
>>>
>>> There's your problem - you have spaces in your %org-name% setting in
>>> MailScanner.conf.
>>>
>> While the space in %org-name% is wrong, it does not seem to be the
>> cause of the problem.
>
>> Here's what I see in the last few headers and body:
>
>> ---------------------------------------------------------------
>> content-transfer-encoding: base64
>> content-type: text/plain; charset=utf-8
>
>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>> X-Spam-Status: No
>
>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>> X-Spam-Status: No
>
>> WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz
>> IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu
>> Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg
>> YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK
>> -----------------------------------------------------------------
>
>> The two sets of MailScanner headers are curious, but it looks from the
>> Received: headers that the message passed twice through
>> apollo.ukuvuma.co.za so it was probably scanned twice.
>
>> The real problem is the empty lines preceding each set of MailScanner
>> headers. This causes the MailScanner headers to be part of the body
>> which totally destroys the base64 encoding and results in the garbled
>> message.
>
>> I suspect that all base64 encoded messages get garbled this way and
>> non-base64 encoded messages show the MailScanner headers in the body.
>
>> Perhaps someone with more MailScanner experience has a clue as to why
>> the MailScanner headers are preceded by an empty line.
>
> It's probably the MTA (or MailScanner) attempting to render the message
> in a form correct for the next mail handling program it passes through.
> There should always be a blank line after the last header. But I don't
> guarantee what MailScanner will do if the headers end on an incomplete
> line, as it never happens in real mail that hasn't been screwed by
> something (in your case, the space in %org-name%).
>
> The point about spaces in %org-name% is very clearly documented in the
> MailScanner.conf file.
>
> If you break that rule I make no guarantees what may happen to your mail.
>
> I will add some more code to check for that and flag it very boldly in
> the logs, and ensure that MailScanner --debug and MailScanner --lint
> check for it too.
>
> Jules
>

If you have to check for the space anyway, how hard would it be to force the space to be an underscore? Still pound the logs with messages, but at least it would work.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From uxbod at splatnix.net Wed Feb 20 20:41:20 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 20 20:41:51 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC8DD3.9040209@ecs.soton.ac.uk>
Message-ID: <7838822.1801203540080285.JavaMail.root@office.splatnix.net>

Jules,

Is the danger though that if somebody has put in a space instead of say a '-' then MS would just continue on its merry way. Would it be better that MS does just not start, but reports out an error ? You could even put in the error message the place in the documentation where it says how to set it correctly ;)

Regards,

--
--[ UxBoD ]--

----- "Julian Field" wrote:

Steve Freegard wrote:
> Julian Field wrote:
>
>> When you run MailScanner --lint, a polite warning is already shown,
>> which I reckon is sufficient for that case. But when you run
>> MailScanner --debug, there was no obvious warning, so now you get
>> this printed instead, which I think is obvious enough for nearly
>> everyone (the rows of "*"s are included in the output) :
>> ************************************************************************
>> In MailScanner.conf, your "%org-name%" or "Mail Header" setting
>> contains spaces and/or other illegal characters.
>>
>> Including any spaces will break all your mail system.
>>
>> Otherwise, it should only contain characters from the set a-z, A-Z,
>> 0-9 and "-". While theoretically some other characters are allowed,
>> many commercial mail systems fail to handle them correctly.
>>
>> This is clearly noted in the MailScanner.conf file, immediately above
>> the %org-name% setting. Please read the documentation!
>> ************************************************************************
>>
>> Clear enough for you? :-)
>
>
> As this still requires someone to run --lint to get this warning
> (which a newbie might skip) why not just do the equivalent of:
>
> $orgname =~ s/\s+/-/g
>
> That way they can't break their mail system accidentally.

I could, but what happens if they have upgraded their way from an early version and don't use %org-name%? It really needs doing to a whole bunch of settings which are used as header names. I could try to find all the header settings and automatically apply it to all of the headers, I'll take a look at doing that.

Jules

From ssilva at sgvwater.com Wed Feb 20 20:47:50 2008
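What a space in %org-name% does to a message, together with the two remedies proposed in the thread (rewrite the space, or refuse to start), as an added Python example; this is not MailScanner's code. The sample message is constructed, and Python's standard email parser stands in for the next mail handling program.

```python
import base64
import re
from email import message_from_string
from email.errors import MissingHeaderBodySeparatorDefect

# Character set named in the warning text quoted above: a-z, A-Z, 0-9 and "-".
SAFE_NAME = re.compile(r"[A-Za-z0-9-]+")

# Constructed body; 24 bytes, so its base64 form carries no "=" padding.
BODY = b"Constructed sample body\n"


def sanitise_org_name(org_name):
    """Steve Freegard's suggestion: turn each run of whitespace into '-'."""
    return re.sub(r"\s+", "-", org_name.strip())


def require_safe_org_name(org_name):
    """UxBoD's suggestion: stop with an error instead of carrying on."""
    if not SAFE_NAME.fullmatch(org_name):
        raise ValueError(
            "%%org-name%% value %r may only contain a-z, A-Z, 0-9 and '-'" % org_name
        )
    return org_name


def build_message(org_name):
    """Constructed base64 text message with scanner-style headers added."""
    encoded = base64.b64encode(BODY).decode("ascii")
    return (
        "Content-Transfer-Encoding: base64\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "X-%s-MailScanner-From: sender@example.com\n"
        "X-Spam-Status: No\n"
        "\n"
        "%s\n" % (org_name, encoded)
    )


def parse_with_org_name(org_name):
    """Parse the sample the way a downstream mail program would."""
    msg = message_from_string(build_message(org_name))
    return {
        # Header names the parser accepted before it decided the body began.
        "headers": msg.keys(),
        # Set when the header block ended on a line that is not a valid header.
        "separator_missing": any(
            isinstance(d, MissingHeaderBodySeparatorDefect) for d in msg.defects
        ),
        # Body after base64 decoding, as a mail client would display it.
        "body": msg.get_payload(decode=True),
    }


if __name__ == "__main__":
    for name in ("Ukuvuma Solutions", sanitise_org_name("Ukuvuma Solutions")):
        result = parse_with_org_name(name)
        print(name, result["headers"], result["body"] == BODY)
```

With the space in place the parser stops reading headers at the X- line, so that line and everything after it are base64-decoded as body text, which is the garbling Mark Sapiro describes.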
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 20 20:48:03 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com> <47BC7C05.70106@ecs.soton.ac.uk> <47BC86F1.4080403@fractalweb.com> Message-ID: on 2/20/2008 12:23 PM Ugo Bellavance spake the following: > Chris Yuzik wrote: >> Julian Field wrote: >>>> Julian, >>>> >>>> Using Sendmail. We DO quarantine viruses. They are NOT quarantined >>>> as raw queue files. So, for example, we have a file called "message" >>>> in a dir called >>>> /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243. >>>> >>> In which case something like this should do the trick more or less: >>> >>> bash >>> cd /var/spool/MailScanner/quarantine/20080220 >>> for F in * >>> do >>> /usr/sbin/sendmail -t < $F >>> echo $F >>> done >>> >>> That should deliver the message to where the mail said it was >>> addressed to in the headers, not the original envelope, but it's >>> probably close enough. >>> >>> I have just had a good look at a sample of messages caught by this >>> signature, and yes there are a lot of them. >>> However they all appear to be spam. >>> So I'm just going to let MailScanner deal with them appropriately, no >>> need for panic actions here. >>> >>> Jules >>> >> >> Jules, >> >> I had to modify this a bit because there were approximately 3.2 >> bazillion files from postmaster to postmaster that were also tagged. >> Needless to say, I didn't want to re-inject those into the queue. >> >> Most of the emails nailed by this false positive were not spam in our >> case. >> >> So what I did was: >> 1) created MySQL query to give me a list of the message IDs that were >> incorrectly tagged as being virus infected, and saved that as a text >> file. 
>> 2) created a small perl script ( I suck at bash scripting ) to loop >> over the text file and do a system command that looks like >> '/usr/sbin/sendmail -t < m1KEoKOn020766/message' >> >> If anyone wants a copy of my script, please let me know. > > For those who are using MailWatch, I think that there is a way to > acheive this... maybe a script is already on the MW list... > > Ugo > I would just be happy if I could set Mailwatch to not protect me from myself and allow me to release virus content. I think I saw a patch somewhere, but I sure can't find it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080220/afd1d51f/signature.bin From mkettler at evi-inc.com Wed Feb 20 20:51:31 2008 
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Feb 20 20:52:12 2008 Subject: mailscanner restarts In-Reply-To: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq> References: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq> Message-ID: <47BC92D3.4030800@evi-inc.com> Charlie wrote: > Hi, > I was just wondering if there is a setting I can change so that > Mailscanner only restarts every 24 hours? It is taking too long to start > up and everyone's emails are queuing up for too long as a result. > > Also, Mailscanner is taking at least 8-10 minutes to start up on my box. > It is a Pentium 4, 2.4GHz, with 1GB RAM. Is this an abnormally long time? That's *really* long.. What's the output from running "free" look like? If you're not running an old version of clamav, the other likely cause is that you're deeply running into your swap. Most common causes of running into swap: 1) using spamassassin with absurd rulesets like sa-blacklist that are not for production use. Be *very* wary of any add-on config files that are larger than 256kb. 2) starting too many MailScanner children for your amount of memory. This is set by Max Children = in MailScanner.conf. There it gives guidelines based on number of processors, but ram amount needs to be considered too. If the box is lightly loaded other than mail, you should be able to run 5-6 of them without any trouble, which fits the recommendation for single CPUs. Unless of course you've got problem 1, in which case you can probably only run one child before you run out of memory. (sa-blacklist adds approx 400MB per child) From ssilva at sgvwater.com Wed Feb 20 20:57:06 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 20 20:57:13 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: References: <47BC4F49.204@ecs.soton.ac.uk> Message-ID: on 2/20/2008 12:32 PM Scott Silva spake the following: > on 2/20/2008 8:03 AM Julian Field spake the following: >> >> >> Mark Sapiro wrote: >>> Steve Freegard wrote: >> >> >>>> Andrew Chester wrote: >>>> >>>>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >>>>> >>>> ^^^ >>>> >>>> There's your problem - you have spaces in your %org-name% setting in >>>> MailScanner.conf. >>>> >>> While the space in %org-name% is wrong, it does not seem to be the >>> cause of the problem. >> >>> Here's what I see in the last few headers and body: >> >>> --------------------------------------------------------------- >>> content-transfer-encoding: base64 >>> content-type: text/plain; charset=utf-8 >> >>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >>> X-Spam-Status: No >> >>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >>> X-Spam-Status: No >> >>> WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz >>> IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu >>> Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg >>> YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK >>> ----------------------------------------------------------------- >> >>> The two sets of MailScanner headers are curious, but it looks from the >>> Received: headers that the message passed twice through >>> apollo.ukuvuma.co.za so it was probably scanned twice. >> >>> The real problem is the empty lines preceeding each set of MailScanner >>> headers. This causes the MailScanner headers to be part of the body >>> which totally destroys the base64 encoding and results in the garbled >>> message. >> >>> I suspect that all base64 encoded messages get garbled this way and >>> non-bas64 encoded messages show the MailScanner headers in the body. 
>> >>> Perhaps someone with more MailScanner experience has a clue as to why >>> the MailScanner headers are preceded by an empty line. >> >> It's probably the MTA (or MailScanner) attempting to render the >> message in a form correct for the next mail handling program it passes >> through. There should always be a blank line after the last header. >> But I don't guarantee what MailScanner will do if the headers end on >> an incomplete line, as it never happens in real mail that hasn't been >> screwed by something (in your case, the space in %org-name%). >> >> The point about spaces in %org-name% is very clearly documented in the >> MailScanner.conf file. >> >> If you break that rule I make no guarantees what may happen to your mail. >> >> I will add some more code to check for that and flag it very boldly in >> the logs, and ensure that MailScanner --debug and MailScanner --lint >> check for it too. >> >> Jules >> > If you have to check for the space anyway, how hard would it be to force > the space to be an underscore? Still pound the logs with messages, but > at least it would work. > I guess I need to read the list earlier out here in GMT-8 land. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080220/4dec934a/signature.bin From ssilva at sgvwater.com Wed Feb 20 20:59:20 2008 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Feb 20 21:00:11 2008
Subject: HTML mangle
In-Reply-To:
References: <47BC86F1.8050401@ecs.soton.ac.uk>
Message-ID:

on 2/20/2008 12:24 PM Ugo Bellavance spake the following:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> Ugo Bellavance wrote:
>>> Hi,
>>>
>>> src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg"
>>>
>>> (should be src="http://www.domain.com/path/to/image.jpg""
>>>
>>> Anyone seen this kind of html mangle done by MailScanner?
>> Nope. Never see that. A URL with an embedded CR+LF sequence? Eek.
>
> So you're saying that the problem is in the source HTML code? Is
> MailScanner changing the CR+LF to the '!%0d%0a%20'?
>
> Ugo
>
%0d%0a%20 is web encoded for CR+LF+space

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From vernon at comp-wiz.com Wed Feb 20 21:09:47 2008
From: vernon at comp-wiz.com (Vernon Webb)
Date: Wed Feb 20 21:09:57 2008
Subject: Infected message m1KKY4eW011980 came from 127.0.0.1
Message-ID: <025b01c87404$ec8ec590$c5ac50b0$@com>

I have had to stop MailScanner and am getting killed with SPAM. For some reason I have been unable to send emails when MailScanner is running, but not when Sendmail is running alone. So I have stopped MailScanner and am now only running Sendmail (on a Fedora Core box). I have recently upgraded MailScanner and am not sure that this is related as I didn't upgrade today and today is when the problem seems to have started. When I look in my logs I see this message like a million times:

Feb 20 15:34:06 ns MailScanner[10744]: ClamAVModule::INFECTED:: Email.Hdr.Sanesecurity.07021900:: ./m1KKY4eW011980/
Feb 20 15:34:07 ns MailScanner[10744]: Infected message m1KKY4eW011980 came from 127.0.0.1

Anyone have any ideas?

Vernon Webb
(201) 703-1232
web designs & web hosting by comp-wiz.com, inc.

Information in this transmission is privileged & confidential. It is intended for the use of the individual or entity named above. Any review, dissemination, disclosure, alteration, printing, circulation or transmission of this email or its attachments is prohibited and unlawful.

From roland at inbox4u.de Wed Feb 20 21:22:17 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Wed Feb 20 21:23:40 2008
Subject: AW: Infected message m1KKY4eW011980 came from 127.0.0.1
In-Reply-To: <025b01c87404$ec8ec590$c5ac50b0$@com>
References: <025b01c87404$ec8ec590$c5ac50b0$@com>
Message-ID: <9A519AA4E4FCED4582DCCAEFE0E0C6F941E10EDD68@ts-dc2.TS-Webarts.local>

Hi,

please read the mails with "possible corrupt sanesecurity defs" in this mailing list. There is the answer to your question.

Regards,
Roland

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon Webb
Sent: Wednesday, 20 February 2008 22:10
To: mailscanner@lists.mailscanner.info
Subject: Infected message m1KKY4eW011980 came from 127.0.0.1

I have had to stop MailScanner and am getting killed with SPAM. For some reason I have been unable to send emails when MailScanner is running, but not when Sendmail is running alone. So I have stopped MailScanner and am now only running Sendmail (on a Fedora Core box). I have recently upgraded MailScanner and am not sure that this is related as I didn't upgrade today and today is when the problem seems to have started. When I look in my logs I see this message like a million times:

Feb 20 15:34:06 ns MailScanner[10744]: ClamAVModule::INFECTED:: Email.Hdr.Sanesecurity.07021900:: ./m1KKY4eW011980/
Feb 20 15:34:07 ns MailScanner[10744]: Infected message m1KKY4eW011980 came from 127.0.0.1

Anyone have any ideas?

From brose at med.wayne.edu Wed Feb 20 21:28:37 2008
From: brose at med.wayne.edu (Rose, Bobby)
Date: Wed Feb 20 21:28:51 2008
Subject: Infected message m1KKY4eW011980 came from 127.0.0.1
In-Reply-To: <025b01c87404$ec8ec590$c5ac50b0$@com>
References: <025b01c87404$ec8ec590$c5ac50b0$@com>
Message-ID: <610C64469748E84DB6BDD5BD23F01A764E0E@MED-CORE03-MS1.med.wayne.edu>

That's the one that's been discussed on list as being corrupt. Search the list for subject "FW: [FP] possible corrupt sanesecurity defs"

You may need to remove scan.ndb or manually kick off an update and check to see if you have one that they have fixed (since it may not be on all the mirrors yet)

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon Webb Sent: Wednesday, February 20, 2008 4:10 PM To: mailscanner@lists.mailscanner.info Subject: Infected message m1KKY4eW011980 came from 127.0.0.1 I have had to stop MailScanner and am getting killed with SPAM. For some reason I have been unable to send emails when MailScanner is running, but not when Sendmail is running alone. So I have stopped MailScanner and am now only running Sendmail (on a Fedora Core box). I have recently upgraded MailScanner and am not sure that this is related as I didn't upgrade today and today is when the problem seems to have started. When I look in my logs I see this messages like a million times: Feb 20 15:34:06 ns MailScanner[10744]: ClamAVModule::INFECTED:: Email.Hdr.Sanesecurity.07021900:: ./m1KKY4eW011980/ Feb 20 15:34:07 ns MailScanner[10744]: Infected message m1KKY4eW011980 came from 127.0.0.1 Anyone have any ideas? Vernon Webb (201) 703-1232 web designs & web hosting by comp-wiz.com, inc. Information in this transmission is privileged & confidential. It is intended for the use of the individual or entity named above. Any review, dissemination, disclosure, alteration, printing, circulation or transmission of this email or it's attachments is prohibited and unlawful. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080220/e6c8d1f7/attachment.html From MailScanner at ecs.soton.ac.uk Wed Feb 20 21:30:43 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 20 21:31:07 2008 Subject: Infected message m1KKY4eW011980 came from 127.0.0.1 In-Reply-To: <025b01c87404$ec8ec590$c5ac50b0$@com> References: <025b01c87404$ec8ec590$c5ac50b0$@com> Message-ID: <47BC9C03.9090305@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 There may be a problem with the Sane security additions to ClamAV. I'm going to kill this feature until tomorrow, in case I'm losing real mail. Everything I've looked at is spam, but I'm not 100% convinced as it's catching an *awful* lot of messages. Vernon Webb wrote: > > I have had to stop MailScanner and am getting killed with SPAM. For > some reason I have been unable to send emails when MailScanner is > running, but not when Sendmail is running alone. So I have stopped > MailScanner and am now only running Sendmail (on a Fedora Core box). I > have recently upgraded MailScanner and am not sure that this is > related as I didn't upgrade today and today is when the problem seems > to have started. When I look in my logs I see this messages like a > million times: > > > > Feb 20 15:34:06 ns MailScanner[10744]: ClamAVModule::INFECTED:: > Email.Hdr.Sanesecurity.07021900:: ./m1KKY4eW011980/ > > Feb 20 15:34:07 ns MailScanner[10744]: Infected message m1KKY4eW011980 > came from 127.0.0.1 > > > > Anyone have any ideas? > > > > Vernon Webb > > (201) 703-1232 > > web designs & web hosting > by comp-wiz.com, inc. > > Information in this transmission is privileged & confidential. It is > intended for the use of the individual or entity named above. Any > review, dissemination, disclosure, alteration, printing, circulation > or transmission of this email or it's attachments is prohibited and > unlawful. > > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHvJwFEfZZRxQVtlQRAsx8AKDrUFexEKB5ufAwyI0il3+cZSTftwCdFVCh
UtNa2GkEfTNMmy+miCNy+eE=
=3Rr+
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From roland at inbox4u.de Wed Feb 20 21:39:32 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Wed Feb 20 21:40:33 2008
Subject: AW: [FP] possible corrupt sanesecurity defs
In-Reply-To: <610C64469748E84DB6BDD5BD23F01A764DFB@MED-CORE03-MS1.med.wayne.edu>
References: <610C64469748E84DB6BDD5BD23F01A764DFB@MED-CORE03-MS1.med.wayne.edu>
Message-ID: <9A519AA4E4FCED4582DCCAEFE0E0C6F941E10EDD69@ts-dc2.TS-Webarts.local>

Hi,

the working version of scam.ndb is:

-rw-r--r-- 1 clamav clamav 1177245 Feb 20 21:45 scam.ndb

Size has changed from 1177232

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Rose, Bobby
> Sent: Wednesday, 20 February 2008 21:26
> To: MailScanner discussion
> Subject: FW: [FP] possible corrupt sanesecurity defs
>
>
>
> -----Original Message-----
> From: Steve Basford [mailto:steveb_clamav@sanesecurity.com] > Sent: Wednesday, February 20, 2008 3:08 PM > To: Rose, Bobby > Subject: Re: [FP] > > > > Rose, Bobby wrote: > > What is this look for? Email.Hdr.Sanesecurity.07021900 This > def had "alot" of false positives from all over the place. Here's are > two header samples. > > Hi, > > I've just fixed this problem....when I checked the sig I noticed it had > the end bit of the sig chopped off compared to version the other day... > not exactly sure how it happened... and very annoyed with myself if it > was finger trouble...but it's fixed and uploaded, so should be with the > mirrors in about an hour. > > I can only apologise for the problems caused :( > > Cheers, > > Steve > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ugob at lubik.ca Wed Feb 20 22:02:23 2008 
From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Feb 20 22:02:46 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: <47BC6684.7080300@ecs.soton.ac.uk> References: <47BC4F49.204@ecs.soton.ac.uk> <47BC6684.7080300@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Julian Field wrote: >> * PGP Signed: 02/20/08 at 16:03:23 >> >> >> >> Mark Sapiro wrote: >>> Steve Freegard wrote: >>> >>> >>>> Andrew Chester wrote: >>>> >>>>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >>>>> >>>> ^^^ >>>> >>>> There's your problem - you have spaces in your %org-name% setting in >>>> MailScanner.conf. >>>> >>> While the space in %org-name% is wrong, it does not seem to be the >>> cause of the problem. >>> >>> Here's what I see in the last few headers and body: >>> >>> --------------------------------------------------------------- >>> content-transfer-encoding: base64 >>> content-type: text/plain; charset=utf-8 >>> >>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >>> X-Spam-Status: No >>> >>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >>> X-Spam-Status: No >>> >>> WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz >>> IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu >>> Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg >>> YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK >>> ----------------------------------------------------------------- >>> >>> The two sets of MailScanner headers are curious, but it looks from the >>> Received: headers that the message passed twice through >>> apollo.ukuvuma.co.za so it was probably scanned twice. >>> >>> The real problem is the empty lines preceeding each set of MailScanner >>> headers. This causes the MailScanner headers to be part of the body >>> which totally destroys the base64 encoding and results in the garbled >>> message. 
>>> >>> I suspect that all base64 encoded messages get garbled this way and >>> non-bas64 encoded messages show the MailScanner headers in the body. >>> >>> Perhaps someone with more MailScanner experience has a clue as to why >>> the MailScanner headers are preceded by an empty line. >>> >> It's probably the MTA (or MailScanner) attempting to render the >> message in a form correct for the next mail handling program it passes >> through. There should always be a blank line after the last header. >> But I don't guarantee what MailScanner will do if the headers end on >> an incomplete line, as it never happens in real mail that hasn't been >> screwed by something (in your case, the space in %org-name%). >> >> The point about spaces in %org-name% is very clearly documented in the >> MailScanner.conf file. >> >> If you break that rule I make no guarantees what may happen to your mail. >> >> I will add some more code to check for that and flag it very boldly in >> the logs, and ensure that MailScanner --debug and MailScanner --lint >> check for it too. > When you run MailScanner --lint, a polite warning is already shown, > which I reckon is sufficient for that case. But when you run MailScanner > - --debug, there was no obvious warning Maybe you should run a --lint as part (before) the --debug to avoid having to sync the 2 code parts. Ugo From uxbod at splatnix.net Wed Feb 20 21:17:49 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 20 22:22:42 2008
Subject: Infected message m1KKY4eW011980 came from 127.0.0.1
In-Reply-To: <025b01c87404$ec8ec590$c5ac50b0$@com>
Message-ID: <27061337.1831203542269194.JavaMail.root@office.splatnix.net>

There has been an issue in the SaneSecurity sigs. It should now be sorted so download the latest definitions.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Vernon Webb" wrote:
> I have had to stop MailScanner and am getting killed with SPAM. For
> some reason I have been unable to send emails when MailScanner is
> running, but not when Sendmail is running alone. So I have stopped
> MailScanner and am now only running Sendmail (on a Fedora Core box). I
> have recently upgraded MailScanner and am not sure that this is
> related as I didn't upgrade today and today is when the problem seems
> to have started. When I look in my logs I see this message like a
> million times:
>
>
>
> Feb 20 15:34:06 ns MailScanner[10744]: ClamAVModule::INFECTED::
> Email.Hdr.Sanesecurity.07021900:: ./m1KKY4eW011980/
>
> Feb 20 15:34:07 ns MailScanner[10744]: Infected message m1KKY4eW011980
> came from 127.0.0.1
>
>
>
> Anyone have any ideas?
>
>
>
> Vernon Webb
>
> (201) 703-1232
>
> web designs & web hosting by comp-wiz.com, inc.
>
> Information in this transmission is privileged & confidential. It is
> intended for the use of the individual or entity named above. Any
> review, dissemination, disclosure, alteration, printing, circulation
> or transmission of this email or its attachments is prohibited and
> unlawful.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Wed Feb 20 22:17:56 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 20 22:23:12 2008 Subject: AW: [FP] possible corrupt sanesecurity defs In-Reply-To: <9A519AA4E4FCED4582DCCAEFE0E0C6F941E10EDD69@ts-dc2.TS-Webarts.local> References: <610C64469748E84DB6BDD5BD23F01A764DFB@MED-CORE03-MS1.med.wayne.edu> <9A519AA4E4FCED4582DCCAEFE0E0C6F941E10EDD69@ts-dc2.TS-Webarts.local> Message-ID: <47BCA714.6060603@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Even with that version of the file, it is still catching a *lot* of messages. So I'm not 100% convinced it is totally fixed. Ehle, Roland wrote: > Hi, > > the working version of scam.ndb is: > > -rw-r--r-- 1 clamav clamav 1177245 Feb 20 21:45 scam.ndb > > Sice has changed from 1177232 > > Regards, > Roland > > >> -----Urspr?ngliche Nachricht----- >> Von: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] Im Auftrag von Rose, Bobby >> Gesendet: Mittwoch, 20. Februar 2008 21:26 >> An: MailScanner discussion >> Betreff: FW: [FP] possible corrupt sanesecurity defs >> >> >> >> -----Original Message----- 
>> From: Steve Basford [mailto:steveb_clamav@sanesecurity.com] >> Sent: Wednesday, February 20, 2008 3:08 PM >> To: Rose, Bobby >> Subject: Re: [FP] >> >> >> >> Rose, Bobby wrote: >> >> What is this look for? Email.Hdr.Sanesecurity.07021900 This >> def had "alot" of false positives from all over the place. Here's are >> two header samples. >> >> Hi, >> >> I've just fixed this problem....when I checked the sig I noticed it had >> the end bit of the sig chopped off compared to version the other day... >> not exactly sure how it happened... and very annoyed with myself if it >> was finger trouble...but it's fixed and uploaded, so should be with the >> mirrors in about an hour. >> >> I can only apologise for the problems caused :( >> >> Cheers, >> >> Steve >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHvKcWEfZZRxQVtlQRAn6XAKCK/2RS0VdKfnmNgOUkxl7T3QaZXQCg2hFm Ca+vrWY4SSChvnOjiFbN5aE= =skDA -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From brose at med.wayne.edu Wed Feb 20 22:42:31 2008 
From: brose at med.wayne.edu (Rose, Bobby)
Date: Wed Feb 20 22:42:57 2008
Subject: AW: [FP] possible corrupt sanesecurity defs
In-Reply-To: <47BCA714.6060603@ecs.soton.ac.uk>
References: <610C64469748E84DB6BDD5BD23F01A764DFB@MED-CORE03-MS1.med.wayne.edu><9A519AA4E4FCED4582DCCAEFE0E0C6F941E10EDD69@ts-dc2.TS-Webarts.local> <47BCA714.6060603@ecs.soton.ac.uk>
Message-ID: <610C64469748E84DB6BDD5BD23F01A764E17@MED-CORE03-MS1.med.wayne.edu>

I've tried to convert from hex to text and I'm not sure what this signature is for.

Bad signature is "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022"

52657475726e2d506174683a203c{-2}673e* = Return-Path: <g>
46726f6d3a2022 = From: "

Which makes sense why it was bad.

The corrected signature is "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022{-50}22203c5f"

52657475726e2d506174683a203c{-2}673e = Return-Path: <g>
46726f6d3a2022 = From: "
22203c5f = " <_

So I'm guessing it's for messages with no return path and have a From address beginning with an underscore. I searched my logs and sure enough there are a lot of those that look like spam email addresses.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Wednesday, February 20, 2008 5:18 PM To: MailScanner discussion Subject: Re: AW: [FP] possible corrupt sanesecurity defs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Even with that version of the file, it is still catching a *lot* of messages. So I'm not 100% convinced it is totally fixed. Ehle, Roland wrote: > Hi, > > the working version of scam.ndb is: > > -rw-r--r-- 1 clamav clamav 1177245 Feb 20 21:45 scam.ndb > > Sice has changed from 1177232 > > Regards, > Roland > > >> -----Urspr?ngliche Nachricht----- >> Von: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] Im Auftrag von Rose, Bobby >> Gesendet: Mittwoch, 20. Februar 2008 21:26 >> An: MailScanner discussion >> Betreff: FW: [FP] possible corrupt sanesecurity defs >> >> >> >> -----Original Message----- 
>> From: Steve Basford [mailto:steveb_clamav@sanesecurity.com] >> Sent: Wednesday, February 20, 2008 3:08 PM >> To: Rose, Bobby >> Subject: Re: [FP] >> >> >> >> Rose, Bobby wrote: >> >> What is this look for? Email.Hdr.Sanesecurity.07021900 This >> def had "alot" of false positives from all over the place. Here's >> are two header samples. >> >> Hi, >> >> I've just fixed this problem....when I checked the sig I noticed it >> had the end bit of the sig chopped off compared to version the other day... >> not exactly sure how it happened... and very annoyed with myself if >> it was finger trouble...but it's fixed and uploaded, so should be >> with the mirrors in about an hour. >> >> I can only apologise for the problems caused :( >> >> Cheers, >> >> Steve >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHvKcWEfZZRxQVtlQRAn6XAKCK/2RS0VdKfnmNgOUkxl7T3QaZXQCg2hFm Ca+vrWY4SSChvnOjiFbN5aE= =skDA -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
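The hand decoding in the message above, as an added example (not code from the thread, from Sanesecurity or from ClamAV): it translates a subset of ClamAV's hex-signature wildcards (`*`, `??`, `{n}`, `{-n}`, `{n-}`, `{n-m}`) into a Python regex and runs the truncated and corrected signature bodies over constructed headers. The two hex strings are the ones quoted in the message; the sample messages and all function names are assumptions.

```python
import re

# Signature bodies as quoted in the message above.
TRUNCATED = "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022"
CORRECTED = "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022{-50}22203c5f"

_TOKEN = re.compile(r"""
    (?P<hex>(?:[0-9a-fA-F]{2})+)             # run of literal bytes
  | (?P<star>\*)                             # any number of bytes
  | (?P<one>\?\?)                            # exactly one byte
  | \{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}   # {n}  {-n}  {n-}  {n-m}
""", re.VERBOSE)


def tokens(sig):
    """Yield one regex match per signature element, left to right."""
    pos = 0
    while pos < len(sig):
        m = _TOKEN.match(sig, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}: {sig[pos:pos + 8]!r}")
        yield m
        pos = m.end()


def _gap(m):
    """Return (min, max) byte counts for a {...} element; max '' is unbounded."""
    lo, dash, hi = m.group("lo"), m.group("dash"), m.group("hi")
    if not dash:
        if not lo:
            raise ValueError("empty {} element")
        return lo, lo
    if not lo and not hi:
        raise ValueError("{-} has no bound")
    return lo or "0", hi


def describe(sig):
    """Readable form: literal bytes as text, wildcards left as written."""
    return "".join(
        bytes.fromhex(m.group("hex")).decode("latin-1") if m.group("hex") else m.group(0)
        for m in tokens(sig)
    )


def to_regex(sig):
    """Compile the signature body into an equivalent bytes regex."""
    out = []
    for m in tokens(sig):
        if m.group("hex"):
            out.append(re.escape(bytes.fromhex(m.group("hex"))))
        elif m.group("star"):
            out.append(b".*")
        elif m.group("one"):
            out.append(b".")
        else:
            lo, hi = _gap(m)
            out.append(b".{%s,%s}" % (lo.encode(), hi.encode()))
    return re.compile(b"".join(out), re.DOTALL)


# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "newsletter": b'Return-Path: <g>\nReceived: from relay.example.org\n'
                  b'From: "Alice Example" <alice@example.org>\nSubject: Minutes\n\nbody\n',
    "underscore-sender": b'Return-Path: <g>\n'
                         b'From: "Special Offers" <_k3x9@example.net>\nSubject: Offer\n\nbody\n',
    "bare-from": b'Return-Path: <g>\nFrom: bob@example.org\nSubject: hi\n\nbody\n',
}


def hits(sig, samples=SAMPLES):
    """Names of the samples that the signature body matches."""
    rx = to_regex(sig)
    return [name for name, data in samples.items() if rx.search(data)]


if __name__ == "__main__":
    for label, sig in (("truncated", TRUNCATED), ("corrected", CORRECTED)):
        print(f"{label}: {describe(sig)!r} -> {hits(sig)}")
```

Running a signature body over a small set of known-good mail in this way before deploying it shows an over-broad pattern immediately: the truncated body fires on any sample with a quoted display name in From:.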
From jmunroe at netone.ca Wed Feb 20 23:27:12 2008
From: jmunroe at netone.ca (Jim Munroe (NETONE))
Date: Wed Feb 20 23:25:08 2008
Subject: Any ideas on limiting the total number of SMTP messages processed per day?
Message-ID: <47BCB750.7040100@netone.ca>

Hi,

Anyone have any ideas on how to limit the number of SMTP msgs sent by a given host/IP over a duration of time? For example, users are only allowed to send a total of 200 SMTP messages per day through a given mail relay then they are blocked (IPTables or Access file) until the next day.

We do something like this today using MailScanner and Vispan to limit the total number of virii/spam msgs per IP.

Any help or suggestions would be greatly appreciated!

Thanks,
Jim

From naolson at gmail.com Thu Feb 21 00:00:09 2008
From: naolson at gmail.com (Nathan Olson)
Date: Thu Feb 21 00:00:17 2008
Subject: Any ideas on limiting the total number of SMTP messages processed per day?
In-Reply-To: <47BCB750.7040100@netone.ca>
References: <47BCB750.7040100@netone.ca>
Message-ID: <8f54b4330802201600l4f2f7d1cx1432c8e7834c1778@mail.gmail.com>

milter-limit

Nate

From wolfee at earthlink.net Thu Feb 21 03:52:45 2008
From: wolfee at earthlink.net (Matthew Wolfe) Date: Thu Feb 21 03:52:55 2008 Subject: Return Path is being rewritten Message-ID: <14889473.1203565966175.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Hi, I am not sure if this is a MailScanner or Sendmail thing but hopefully you guys can point me in the right direction. I have a client who just got a new email address and when he sends email to me the return path is rewritten to user@webhostingcompany instead of user@domainname. To make things more interesting his webhosting provider and email provider are different companies. If I send email to a email address that is not being scanned by MailScanner the return address is correct. We scan about 30000 emails a day and I have never seen anything like this. Any suggestions? Thanks Matt P.S. Sorry if this is a repost, I didn't see it come through the first time. From wolfee at earthlink.net Thu Feb 21 05:17:13 2008 From: wolfee at earthlink.net (wolfee@earthlink.net) Date: Thu Feb 21 05:17:24 2008 Subject: Return Path is being rewritten Message-ID: <000001c87449$051efa50$6449a8c0@turbodsm.com> Hi, I am not sure if this is a MailScanner or Sendmail thing but hopefully you guys can point me in the right direction. I have a client who just got a new email address and when he sends email to me the return path is rewritten to user@webhostingcompany instead of user@domainname. To make things more interesting his webhosting provider and email provider are different companies. If I send email to a email address that is not being scanned by MailScanner the return address is correct. We scan about 30000 emails a day and I have never seen anything like this. Any suggestions? Thanks Matt P.S. Sorry if this is a repost; I didn't see it come through the first time. From hvdkooij at vanderkooij.org Thu Feb 21 07:08:53 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Feb 21 07:09:26 2008
Subject: OT Spam Assassin Prefs question
In-Reply-To:
References:
Message-ID: <47BD2385.2040609@vanderkooij.org>

Scott B. Anderson wrote:
| My users have been seeing a large amount of Russian charset email spam. How would I set a SA rule to include all Cyrillic (sp) emails or would this be better set at the MTA (sendmail in my case) ?

I prefer to stop these at the MTA level if possible. If no one is able to read them then why should I bother to accept them in the first place?

So in the postfix header checks I have lines like:

/^Subject:.+=\?windows-1255\?/ REJECT No one here reads this language!
/^From: =\?windows-1255\?/ REJECT No one here reads this language!
/^Content-Type: text\/plain; charset=windows-1255/ REJECT No one here reads this language!

I guess I could even improve those some more.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From twiztar at gmail.com Thu Feb 21 07:24:18 2008
From: twiztar at gmail.com (Erik Weber) Date: Thu Feb 21 07:24:34 2008 Subject: Google maps blocked as .ico In-Reply-To: <29597293.4351202297681623.JavaMail.root@office.splatnix.net> References: <29597293.4351202297681623.JavaMail.root@office.splatnix.net> Message-ID: <47BD2722.4090504@gmail.com> --[ UxBoD ]-- wrote: > Hmmm. Thinking about this little problem. Could you post the whole message on that paste site, obviously sanitize it first for the email addresses. Would be good to see the MIME headers, as I wonder if it is being treated as a inline image. What email client was used to send it ? > > Sorry for the late reply but I've been a bit busy and it took some time to get the user to actually send another mail. Here's the paste: http://rafb.net/p/yty9ua92.html -- Erik From MailScanner at ecs.soton.ac.uk Thu Feb 21 08:39:00 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 21 08:39:24 2008 Subject: Any ideas on limiting the total number of SMTP messages processed per day? In-Reply-To: <47BCB750.7040100@netone.ca> References: <47BCB750.7040100@netone.ca> Message-ID: <47BD38A4.6060900@ecs.soton.ac.uk> If you take a look in the CustomConfig.pm there is code in there to implement this within MailScanner. Jim Munroe (NETONE) wrote: > Hi, > > Anyone have any ideas on how to limit the number of SMTP msgs sent by a > given host/IP over a duration of time? For example, users are only > allowed to send a total of 200 SMTP messages per day through a given mail > relay then they are blocked (IPTables or Access file) until the next day. > > We do something like this today using MailScanner and Vispan to limit the > total number of virii/spam msgs per IP. > > Any help or suggestions would be greatly appreciated! > > Thanks, > > Jim Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From uxbod at splatnix.net Thu Feb 21 08:39:07 2008
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Feb 21 08:39:35 2008 Subject: Any ideas on limiting the total number of SMTP messages processed per day? In-Reply-To: <47BCB750.7040100@netone.ca> Message-ID: <4131776.111203583147782.JavaMail.root@office.splatnix.net> What MTA are you using ? If using Postfix then I believe PolicyD (http://policyd.sourceforge.net) has something built into it. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Jim Munroe (NETONE)" wrote: > Hi, > > Anyone have any ideas on how to limit the number of SMTP msgs sent by > a > given host/IP over a duration of time? For example, users are only > allowed to send a total of 200 SMTP messages per day through a given > mail > relay then they are blocked (IPTables or Access file) until the next > day. > > We do something like this today using MailScanner and Vispan to limit > the > total number of virii/spam msgs per IP. > > Any help or suggestions would be greatly appreciated! > > Thanks, > > Jim -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alxfrag at gmail.com Thu Feb 21 08:56:16 2008 
From: alxfrag at gmail.com (AlxFrag) Date: Thu Feb 21 08:55:47 2008 Subject: Mailscanner warnings In-Reply-To: <223f97700802200734n29031a3eg763c55dbddc1c09d@mail.gmail.com> References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com> <223f97700802200734n29031a3eg763c55dbddc1c09d@mail.gmail.com> Message-ID: <47BD3CB0.2000009@gmail.com> Glenn Steen wrote: > On 19/02/2008, Ugo Bellavance wrote: > >> AlxFrag wrote: >> >>> Glenn Steen wrote: >>> >>>> On 15/02/2008, Martin.Hepworth wrote: >>>> >>>> >>>>> Also >>>>> >>>>> The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61.. >>>>> >>>>> >>>>> >>>> Not to mention that no facility of MailScanner would ever run trhe >>>> clamd _command_ ... Not whatsoever. >>>> >>>> What seems to have happened here is that someone has followed a >>>> bothced instruction on enabling clamdscan support by futzing the >>>> clamav-* wrapper scripts. This of course hasn't worked, since clamd is >>>> the server part, not the client. >>>> This would explain the bogus log entries on both hosts. >>>> >>>> What Alex should do is to follow the spirit of the wiki article >>>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd >>>> to get things going on the newer install (4.66.5 was it?), and upgrade >>>> the other one to a version later than 4.62.something (just as you say >>>> Martin), and do the same there. >>>> Only other really viable option would be to run clamavmodule on the old one. >>>> >>>> Cheers >>>> >>>> >>> Good morning, >>> >>> I've followed your advice and these described in >>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd. >>> I've also modified the clamav-wrapper file to its original form. >>> >>> Now, no warnings are displayed. The problem is that clamscan is running >>> that needs too much CPU. >>> How can i switch to clamdscan? 
>>> >> - make sure you're running a version of MS that supports clamd >> - make appropriate changes in MailScanner.conf >> - restart MailScanner >> >> Ugo >> >> > If the version is too old for clamd (4.62.something...?), then use clamavmodule. > > Cheers > I've solved the problem, thanks! The only thing I had to specify is Virus Scanners = clamd instead of Virus Scanners = clamav. Alex From mailscanner2 at eltofts.homelinux.com Thu Feb 21 11:22:51 2008 From: mailscanner2 at eltofts.homelinux.com (Andy Wright) Date: Thu Feb 21 11:23:49 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com> <47BC7C05.70106@ecs.soton.ac.uk> <47BC86F1.4080403@fractalweb.com> Message-ID: <47BD5F0B.6090009@eltofts.homelinux.com> Scott Silva wrote: >> > I would just be happy if I could set Mailwatch to not protect me from > myself and allow me to release virus content. I think I saw a patch > somewhere, but I sure can't find it. > Scott, if you're still looking for a way to do this you can edit line 326 of details.php in your mailwatch html directory - find the line: if($item['dangerous'] !== "Y") { and change the "Y" to something else - I altered mine to "r", then you'll be able to release all items no matter how they're flagged. Andy. From samp at arial-concept.com Thu Feb 21 11:48:33 2008
From: samp at arial-concept.com (Sam Przyswa) Date: Thu Feb 21 11:54:05 2008 Subject: Problem with the version 4.46.2 Message-ID: <1203594513.15753.217.camel@mars-linux> Hi, I upgraded to Ubuntu Dapper who use MailScanner 4.46.2 and after started it stop and restart all the time !? Postfix and MailScanner run as user postfix and group postfix and at the install MailScanner don't create /var/lock/subsys/Mailscanner nor /var/run/MailScanner I had to creates by hand, I don't have this problems on others version ? Thanks for your help... Sam. -- This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found. From martinh at solidstatelogic.com Thu Feb 21 12:01:37 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Feb 21 12:02:15 2008 Subject: Problem with the version 4.46.2 In-Reply-To: <1203594513.15753.217.camel@mars-linux> Message-ID: <843f62b5435ca243b1a0c9845daa04c2@solidstatelogic.com> Hi 4.46 is very very old. Could be the version of postfix you have isn't compatible with that old version of MS. Try latest version.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > Sent: 21 February 2008 11:49 > To: MailScanner discussion > Subject: Problem with the version 4.46.2 > > Hi, > > I upgraded to Ubuntu Dapper who use MailScanner 4.46.2 and after started > it stop and restart all the time !? > > Postfix and MailScanner run as user postfix and group postfix and at the > install MailScanner don't create /var/lock/subsys/Mailscanner > nor /var/run/MailScanner I had to creates by hand, I don't have this > problems on others version ? > > Thanks for your help... > > Sam. > > > > > > -- > This message has been checked by MailScanner > for viruses and spam, and nothing > suspicious was found. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From samp at arial-concept.com Thu Feb 21 12:55:43 2008 From: samp at arial-concept.com (Sam Przyswa) Date: Thu Feb 21 12:59:04 2008 Subject: Problem with the version 4.46.2 In-Reply-To: <843f62b5435ca243b1a0c9845daa04c2@solidstatelogic.com> References: <843f62b5435ca243b1a0c9845daa04c2@solidstatelogic.com> Message-ID: <1203598543.15753.224.camel@mars-linux> On Thursday 21 February 2008 at 12:01 +0000, Martin.Hepworth wrote: > Hi > > 4.46 is very very old. I MUST use this version to be coherent with Ubuntu Dapper. > Could be the version of postfix you have isn't compatible with that old version of MS. We use Postfix v 2.4.5 and we have to keep this version in Ubuntu Dapper. We upgraded from old Ubuntu version (Breezy) to Dapper, then if it work we upgrade later to newer version Thanks anyway Sam. > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > > Sent: 21 February 2008 11:49 > > To: MailScanner discussion > > Subject: Problem with the version 4.46.2 > > > > Hi, > > > > I upgraded to Ubuntu Dapper who use MailScanner 4.46.2 and after started > > it stop and restart all the time !? > > > > Postfix and MailScanner run as user postfix and group postfix and at the > > install MailScanner don't create /var/lock/subsys/Mailscanner > > nor /var/run/MailScanner I had to creates by hand, I don't have this > > problems on others version ? > > > > Thanks for your help... > > > > Sam. > > -- This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found. From jaearick at colby.edu Thu Feb 21 13:40:39 2008
From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Feb 21 13:40:58 2008 Subject: Any ideas on limiting the total number of SMTP messages processed per day? In-Reply-To: <47BCB750.7040100@netone.ca> References: <47BCB750.7040100@netone.ca> Message-ID: Jim, I would suggest the IPBlock feature of Mailscanner, contained within CustomConfig.pm. I have the following in my MailScanner.conf file: Always Looked Up Last = &IPBlock Which calls the IPBlock code and allows me to limit smtp msgs per IP netblock. It is one of the cooler and less known features of MailScanner. Jeff Earickson Colby College On Wed, 20 Feb 2008, Jim Munroe (NETONE) wrote: > Date: Wed, 20 Feb 2008 19:27:12 -0400 > From: "Jim Munroe (NETONE)" > Reply-To: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: Any ideas on limiting the total number of SMTP messages processed per > day? > > Hi, > > Anyone have any ideas on how to limit the number of SMTP msgs sent by a > given host/IP over a duration of time? For example, users are only > allowed to send a total of 200 SMTP messages per day through a given mail > relay then they are blocked (IPTables or Access file) until the next day. > > We do something like this today using MailScanner and Vispan to limit the > total number of virii/spam msgs per IP. > > Any help or suggestions would be greatly appreciated! > > Thanks, > > Jim > > > > > > > > > > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Thu Feb 21 13:50:26 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Feb 21 13:50:37 2008 Subject: Problem with the version 4.46.2 In-Reply-To: <1203598543.15753.224.camel@mars-linux> Message-ID: Sam MS 4.46 is NOT compatible with postfix 2.4x. You'll need at least MailScanner 4.60.8. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > Sent: 21 February 2008 12:56 > To: MailScanner discussion > Subject: RE: Problem with the version 4.46.2 > > > On Thursday 21 February 2008 at 12:01 +0000, Martin.Hepworth wrote: > > Hi > > > > 4.46 is very very old. > > I MUST use this version to be coherent with Ubuntu Dapper. > > > Could be the version of postfix you have isn't compatible with that old > version of MS. > > We use Postfix v 2.4.5 and we have to keep this version in Ubuntu > Dapper. > > We upgraded from old Ubuntu version (Breezy) to Dapper, then if it work we > upgrade later > to newer version > > Thanks anyway > > Sam. > > > > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > > > Sent: 21 February 2008 11:49 > > > To: MailScanner discussion > > > Subject: Problem with the version 4.46.2 > > > > > > Hi, > > > > > > I upgraded to Ubuntu Dapper who use MailScanner 4.46.2 and after > started > > > it stop and restart all the time !? > > > > > > Postfix and MailScanner run as user postfix and group postfix and at > the > > > install MailScanner don't create /var/lock/subsys/Mailscanner > > > nor /var/run/MailScanner I had to creates by hand, I don't have this > > > problems on others version ? > > > > > > Thanks for your help... > > > > > > Sam. > > > > > > > -- > This message has been checked by MailScanner > for viruses and spam, and nothing > suspicious was found. From telecaadmin at gmail.com Thu Feb 21 13:54:02 2008
From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Thu Feb 21 13:54:13 2008 Subject: When will MailScanner + postfix actually say "421 too much load" Message-ID: <47BD827A.50604@gmail.com> Hello all, topic says it all: when will a MailScanner + postfix actually go into the "Too much load" situation? Will MailScanner actually affect postfix's decision to go 421? Did anybody have this kind of situation yet? Thanks, Ronny From steinkel at pa.net Thu Feb 21 14:17:58 2008
From: steinkel at pa.net (Leland J. Steinke) Date: Thu Feb 21 14:18:14 2008 Subject: When will MailScanner + postfix actually say "421 too much load" In-Reply-To: <47BD827A.50604@gmail.com> References: <47BD827A.50604@gmail.com> Message-ID: <47BD8816.1080504@pa.net> Ronny T. Lampert wrote: > Will MailScanner actually affect postfix's decision to go 421? > > Did anybody have this kind of situation yet? > MailScanner does not exert backpressure on postfix automatically. We created a policy service that queries the size of the hold queue and defers messages when the queue is too big. To reduce load on the server, the service checks the hold queue only once at startup. Then it gives the same answer until spawn(8) is done with it. This has worked reasonably well for us in diverting traffic from overloaded servers to others. Leland From samp at arial-concept.com Thu Feb 21 14:15:44 2008
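An added illustration of the policy service Leland J. Steinke describes in the message above (not his code, and not part of the original thread): a Postfix policy-delegation handler that samples the hold queue once at startup and answers every request from that single sample. The queue path, the threshold, the reply text and all function names are assumptions made for this sketch.

```python
#!/usr/bin/env python3
"""Hold-queue backpressure for Postfix, run as a policy service under spawn(8)."""
import io
import os
import sys

# Assumptions (not from the thread): default queue location, site-chosen limit.
HOLD_QUEUE = "/var/spool/postfix/hold"
MAX_HELD = 2000
DEFER = "DEFER_IF_PERMIT Service temporarily overloaded, please try again later"


def count_held(path):
    """Count queue files in the hold queue, including hashed subdirectories.

    A missing or unreadable directory counts as empty, so the service fails
    open and never blocks mail because of its own misconfiguration.
    """
    return sum(len(files) for _root, _dirs, files in os.walk(path))


def read_request(stream):
    """Read one policy request: name=value lines terminated by an empty line.

    Returns the attributes as a dict, or None when Postfix closed the
    connection (a request cut off before its empty line is discarded).
    """
    attrs = {}
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:
            return attrs
        name, sep, value = line.partition("=")
        if sep:  # skip anything that is not name=value
            attrs[name] = value
    return None


def decide(attrs, overloaded):
    """Map one request to an access(5) action."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"  # unknown request type: express no opinion
    return DEFER if overloaded else "DUNNO"


def serve(stream_in, stream_out, overloaded):
    """Answer requests until end of input; returns how many were answered."""
    answered = 0
    while True:
        attrs = read_request(stream_in)
        if attrs is None:
            return answered
        stream_out.write("action=%s\n\n" % decide(attrs, overloaded))
        stream_out.flush()  # smtpd waits for the reply before it continues
        answered += 1


# Constructed sample request, in the attribute format smtpd sends.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=sender@example.org\n"
    "recipient=user@example.com\n"
    "\n"
)


def replay_sample(overloaded, copies=2):
    """Feed the sample request through serve() and return the raw replies."""
    out = io.StringIO()
    serve(io.StringIO(SAMPLE_REQUEST * copies), out, overloaded)
    return out.getvalue()


if __name__ == "__main__":
    # One look at the hold queue at startup; the answer then stays fixed until
    # spawn(8) retires this process, which keeps the check cheap under load.
    overloaded = count_held(HOLD_QUEUE) > MAX_HELD
    serve(sys.stdin, sys.stdout, overloaded)
```

Under spawn(8) the process talks to smtpd over stdin and stdout, and smtpd consults it through a check_policy_service entry in its restriction list.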
From: samp at arial-concept.com (Sam Przyswa) Date: Thu Feb 21 14:19:04 2008 Subject: Problem with the version 4.46.2 In-Reply-To: References: Message-ID: <1203603344.15753.255.camel@mars-linux> On Thursday 21 February 2008 at 13:50 +0000, Martin.Hepworth wrote: > Sam > > MS 4.46 is NOT compatible with postfix 2.4x. You'll need at least MailScanner 4.60.8. Thanks a lot ! Sam. > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > > Sent: 21 February 2008 12:56 > > To: MailScanner discussion > > Subject: RE: Problem with the version 4.46.2 > > > > > > On Thursday 21 February 2008 at 12:01 +0000, Martin.Hepworth wrote: > > > Hi > > > > > > 4.46 is very very old. > > > > I MUST use this version to be coherent with Ubuntu Dapper. > > > > > Could be the version of postfix you have isn't compatible with that old > > version of MS. > > > > We use Postfix v 2.4.5 and we have to keep this version in Ubuntu > > Dapper. > > > > We upgraded from old Ubuntu version (Breezy) to Dapper, then if it work we > > upgrade later > > to newer version > > > > Thanks anyway > > > > Sam. > > > > > > > > -----Original Message-----
> > > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > > > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > > > > Sent: 21 February 2008 11:49 > > > > To: MailScanner discussion > > > > Subject: Problem with the version 4.46.2 > > > > > > > > Hi, > > > > > > > > I upgraded to Ubuntu Dapper who use MailScanner 4.46.2 and after > > started > > > > it stop and restart all the time !? > > > > > > > > Postfix and MailScanner run as user postfix and group postfix and at > > the > > > > install MailScanner don't create /var/lock/subsys/Mailscanner > > > > nor /var/run/MailScanner I had to creates by hand, I don't have this > > > > problems on others version ? > > > > > > > > Thanks for your help... > > > > > > > > Sam. -- This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found. From MailScanner at ecs.soton.ac.uk Thu Feb 21 14:20:25 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 21 14:21:03 2008 Subject: When will MailScanner + postfix actually say "421 too much load" In-Reply-To: <47BD827A.50604@gmail.com> References: <47BD827A.50604@gmail.com> Message-ID: <47BD88A9.4000602@ecs.soton.ac.uk> Ronny T. Lampert wrote: > Hello all, > > topic says it all: when will a MailScanner + postfix actually go into > the "Too much load" situation? > > Will MailScanner actually affect postfix's decision to go 421? MailScanner is not involved with the SMTP transaction at all, so this is nothing to do with MailScanner, it's all down to Postfix. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at lubik.ca Thu Feb 21 14:21:58 2008
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Feb 21 14:22:16 2008 Subject: When will MailScanner + postfix actually say "421 too much load" In-Reply-To: <47BD827A.50604@gmail.com> References: <47BD827A.50604@gmail.com> Message-ID: Ronny T. Lampert wrote: > Hello all, > > topic says it all: when will a MailScanner + postfix actually go into > the "Too much load" situation? Probably when the load on your machine is rather high. Sendmail does that by default when load is 12X# of CPU > Will MailScanner actually affect postfix's decision to go 421? > > Did anybody have this kind of situation yet? MailScanner and other processes affect the load, and postfix makes a decision based on the load. Ugo From martinh at solidstatelogic.com Thu Feb 21 14:34:36 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Feb 21 14:34:48 2008 Subject: Problem with the version 4.46.2 In-Reply-To: <1203603344.15753.255.camel@mars-linux> Message-ID: <578081c56792d146baef7e723d754e46@solidstatelogic.com> Sam Not our fault it's postfix that keep changing the formats. Also the APT maintainers should keep a better eye on MS as it's changing quite rapidly.....you could always use a non apt version or see if another repository has a recent version - the Debian etch is still showing 4.55! -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > Sent: 21 February 2008 14:16 > To: MailScanner discussion > Subject: RE: Problem with the version 4.46.2 > > > On Thursday 21 February 2008 at 13:50 +0000, Martin.Hepworth wrote: > > Sam > > > > MS 4.46 is NOT compatible with postfix 2.4x. You'll need at least > MailScanner 4.60.8. > > Thanks a lot ! > > Sam. > > > > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > > > Sent: 21 February 2008 12:56 > > > To: MailScanner discussion > > > Subject: RE: Problem with the version 4.46.2 > > > > > > > > > On Thursday 21 February 2008 at 12:01 +0000, Martin.Hepworth wrote: > > > > Hi > > > > > > > > 4.46 is very very old. > > > > > > I MUST use this version to be coherent with Ubuntu Dapper. > > > > > > > Could be the version of postfix you have isn't compatible with that > old > > > version of MS. > > > > > > We use Postfix v 2.4.5 and we have to keep this version in Ubuntu > > > Dapper. > > > > > > We upgraded from old Ubuntu version (Breezy) to Dapper, then if it > work we > > > upgrade later > > > to newer version > > > > > > Thanks anyway > > > > > > Sam. > > > > > > > > > > > -----Original Message-----
> > > > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > > > > bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa > > > > > Sent: 21 February 2008 11:49 > > > > > To: MailScanner discussion > > > > > Subject: Problem with the version 4.46.2 > > > > > > > > > > Hi, > > > > > > > > > > I upgraded to Ubuntu Dapper who use MailScanner 4.46.2 and after > > > started > > > > > it stop and restart all the time !? > > > > > > > > > > Postfix and MailScanner run as user postfix and group postfix and > at > > > the > > > > > install MailScanner don't create /var/lock/subsys/Mailscanner > > > > > nor /var/run/MailScanner I had to creates by hand, I don't have > this > > > > > problems on others version ? > > > > > > > > > > Thanks for your help... > > > > > > > > > > Sam. > > > > -- > This message has been checked by MailScanner > for viruses and spam, and nothing > suspicious was found. From telecaadmin at gmail.com Thu Feb 21 14:39:39 2008
From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Thu Feb 21 14:39:50 2008 Subject: When will MailScanner + postfix actually say "421 too much load" In-Reply-To: <47BD88A9.4000602@ecs.soton.ac.uk> References: <47BD827A.50604@gmail.com> <47BD88A9.4000602@ecs.soton.ac.uk> Message-ID: <47BD8D2B.1080709@gmail.com> >> topic says it all: when will a MailScanner + postfix actually go into >> the "Too much load" situation? >> >> Will MailScanner actually affect postfix's decision to go 421? > MailScanner is not involved with the SMTP transaction at all, so this is > nothing to do with MailScanner, it's all down to Postfix. That's what I was suspecting; but I know that e.g. sendmail is doing funny calculation about when to go 421 and it does by using the loadavg and some overall process stats. Thanks! Ronny From MailScanner at ecs.soton.ac.uk Thu Feb 21 15:23:06 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 21 15:23:51 2008 Subject: Problem with the version 4.46.2 In-Reply-To: <578081c56792d146baef7e723d754e46@solidstatelogic.com> References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> Message-ID: <47BD975A.20508@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Unfortunately the Debian maintainers have the view that MailScanner is "unstable" as I produce releases too frequently for them. Obviously you're only allowed in Debian if you hardly put any effort into your project and so only produce any new features every year or so :-( If someone else can get me started on the files needed to package MailScanner for Debian/Ubuntu then I might be prepared to take over the packaging myself, so long as it doesn't take too much extra work. Martin.Hepworth wrote: > Sam > > Not our fault it's postfix that keep changing the formats. > > Also the APT maintainers should keep a better eye on MS as it's changing quite rapidly.....you could always use a non apt version or see if another repository has a recent version - the Debian etch is still showing 4.55! > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa >> Sent: 21 February 2008 14:16 >> To: MailScanner discussion >> Subject: RE: Problem with the version 4.46.2 >> >> >> On Thursday 21 February 2008 at 13:50 +0000, Martin.Hepworth wrote: >> >>> Sam >>> >>> MS 4.46 is NOT compatible with postfix 2.4x. You'll need at least >>> >> MailScanner 4.60.8. >> >> Thanks a lot ! >> >> Sam. >> >> >> >>>> -----Original Message----- 
>>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa >>>> Sent: 21 February 2008 12:56 >>>> To: MailScanner discussion >>>> Subject: RE: Problem with the version 4.46.2 >>>> >>>> >>>> On Thursday 21 February 2008 at 12:01 +0000, Martin.Hepworth wrote: >>>> >>>>> Hi >>>>> >>>>> 4.46 is very very old. >>>>> >>>> I MUST use this version to be coherent with Ubuntu Dapper. >>>> >>>> >>>>> Could be the version of postfix you have isn't compatible with that >>>>> >> old >> >>>> version of MS. >>>> >>>> We use Postfix v 2.4.5 and we have to keep this version in Ubuntu >>>> Dapper. >>>> >>>> We upgraded from old Ubuntu version (Breezy) to Dapper, then if it >>>> >> work we >> >>>> upgrade latter >>>> to newer version >>>> >>>> Thanks anyway >>>> >>>> Sam. >>>> >>>> >>>> >>>>>> -----Original Message----- 
>>>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>>> >> [mailto:mailscanner- >> >>>>>> bounces@lists.mailscanner.info] On Behalf Of Sam Przyswa >>>>>> Sent: 21 February 2008 11:49 >>>>>> To: MailScanner discussion >>>>>> Subject: Problem with the version 4.46.2 >>>>>> >>>>>> Hi, >>>>>> >>>>>> I upgraded to Ubuntu Dapper who use MailScanner 4.46.2 and after >>>>>> >>>> started >>>> >>>>>> it stop and restart all the time !? >>>>>> >>>>>> Postfix and MailScanner run as user postfix and group postfix and >>>>>> >> at >> >>>> the >>>> >>>>>> install MailScanner don't create /var/lock/subsys/Mailscanner >>>>>> nor /var/run/MailScanner I had to creates by hand, I don't have >>>>>> >> this >> >>>>>> problems on others version ? >>>>>> >>>>>> Thanks for your help... >>>>>> >>>>>> Sam. >>>>>> >> > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHvZdnEfZZRxQVtlQRAnqTAKDajgUR5hdgQibJ3sY2p5ua7/Nb5QCfXPDJ tBQ9ilBZ5GRKxfPSPcuLuSM= =fEvG -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ugob at lubik.ca Thu Feb 21 15:33:06 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Feb 21 15:33:23 2008 Subject: Mailscanner warnings In-Reply-To: <47BD3CB0.2000009@gmail.com> References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com> <223f97700802200734n29031a3eg763c55dbddc1c09d@mail.gmail.com> <47BD3CB0.2000009@gmail.com> Message-ID: AlxFrag wrote: >> > i've solved the problem thanks! the only thing i had to specify is Virus > Scanners = clamd instead of Virus Scanners = clamav. If you found a problem with the doc, please fix it or ask us to fix it. Regards, Ugo From samp at arial-concept.com Thu Feb 21 15:50:09 2008 
From: samp at arial-concept.com (Sam Przyswa) Date: Thu Feb 21 15:54:27 2008 Subject: Problem with the version 4.46.2 In-Reply-To: References: Message-ID: <1203609009.15753.278.camel@mars-linux> On Thursday 21 February 2008 at 13:50 +0000, Martin.Hepworth wrote: > Sam > > MS 4.46 is NOT compatible with postfix 2.4x. You'll need at least MailScanner 4.60.8. I recently installed two servers with Ubuntu 7.10 which comes with Postfix 2.4.7 and MailScanner 4.58.9 and it works fine. Thanks for your help. Sam. -- This message has been checked by MailScanner for viruses or spam and nothing suspicious was found. From ssilva at sgvwater.com Thu Feb 21 18:07:48 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Feb 21 18:07:40 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: <47BD5F0B.6090009@eltofts.homelinux.com> References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com> <47BC7C05.70106@ecs.soton.ac.uk> <47BC86F1.4080403@fractalweb.com> <47BD5F0B.6090009@eltofts.homelinux.com> Message-ID: on 2/21/2008 3:22 AM Andy Wright spake the following: > Scott Silva wrote: >>> >> I would just be happy if I could set Mailwatch to not protect me from >> myself and allow me to release virus content. I think I saw a patch >> somewhere, but I sure can't find it. >> > > Scott, if you're still looking for a way to do this you can edit line > 326 of details.php in your mailwatch html directory - find the line; > > if($item['dangerous'] !== "Y") { > > and change the "Y" to something else - I altered mine to "r", then > you'll be able to release all items nomatter how they're flagged. > > Andy. Thank you! I knew I saw it somewhere. Now to get the multi-release patches working in 1.0.4. I'll probably get it just in time for 2.0 to come out. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080221/6bc0161b/signature.bin From samp at arial-concept.com Thu Feb 21 18:27:30 2008 
From: samp at arial-concept.com (Sam Przyswa) Date: Thu Feb 21 18:29:13 2008 Subject: Problem with the version 4.46.2 In-Reply-To: References: Message-ID: <1203618450.5500.9.camel@mars-linux> On Thursday 21 February 2008 at 13:50 +0000, Martin.Hepworth wrote: > Sam > > MS 4.46 is NOT compatible with postfix 2.4x. You'll need at least MailScanner 4.60.8. I'm now using Postfix 2.2.10 and MS 4.46.2 but I have the same problem, MS always stops and restarts! Look at this funny log:
Feb 21 19:25:18 ftb MailScanner[24747]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
Feb 21 19:25:18 ftb MailScanner[24747]: Read 676 hostnames from the phishing whitelist
Feb 21 19:25:19 ftb MailScanner[24747]: Using locktype = flock
Feb 21 19:25:29 ftb MailScanner[24748]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
Feb 21 19:25:29 ftb MailScanner[24748]: Read 676 hostnames from the phishing whitelist
Feb 21 19:25:30 ftb MailScanner[24748]: Using locktype = flock
Feb 21 19:25:40 ftb MailScanner[24762]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
Feb 21 19:25:40 ftb MailScanner[24762]: Read 676 hostnames from the phishing whitelist
Feb 21 19:25:41 ftb MailScanner[24762]: Using locktype = flock
Feb 21 19:25:51 ftb MailScanner[24763]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
Feb 21 19:25:51 ftb MailScanner[24763]: Read 676 hostnames from the phishing whitelist
Feb 21 19:25:52 ftb MailScanner[24763]: Using locktype = flock
Feb 21 19:26:02 ftb MailScanner[24772]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
Feb 21 19:26:02 ftb MailScanner[24772]: Read 676 hostnames from the phishing whitelist
Feb 21 19:26:03 ftb MailScanner[24772]: Using locktype = flock
Feb 21 19:26:13 ftb MailScanner[24782]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
Feb 21 19:26:13 ftb MailScanner[24782]: Read 676 hostnames from the phishing whitelist
Feb 21 19:26:14 ftb MailScanner[24782]: Using locktype = flock
Feb 21 19:26:24 ftb MailScanner[24789]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
Feb 21 19:26:24 ftb MailScanner[24789]: Read 676 hostnames from the phishing whitelist
Feb 21 19:26:25 ftb MailScanner[24789]: Using locktype = flock
Does the problem come from Postfix? Sam. -- This message has been checked by MailScanner for viruses or spam and nothing suspicious was found. From ssilva at sgvwater.com Thu Feb 21 18:45:18 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Feb 21 18:44:54 2008 Subject: Problem with the version 4.46.2 In-Reply-To: References: <1203618450.5500.9.camel@mars-linux> Message-ID: on 2/21/2008 10:38 AM Ugo Bellavance spake the following: > Sam Przyswa wrote: >> On Thursday 21 February 2008 at 13:50 +0000, Martin.Hepworth wrote: >>> Sam >>> >>> MS 4.46 is NOT compatible with postfix 2.4x. You'll need at least MailScanner 4.60.8. >> I'm now using Postfix 2.2.10 and MS 4.46.2 but I have the same problem, MS >> always stops and restarts! >> >> Look at this funny log: >>
>> Feb 21 19:25:18 ftb MailScanner[24747]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
>> Feb 21 19:25:18 ftb MailScanner[24747]: Read 676 hostnames from the phishing whitelist
>> Feb 21 19:25:19 ftb MailScanner[24747]: Using locktype = flock
>> Feb 21 19:25:29 ftb MailScanner[24748]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
>> Feb 21 19:25:29 ftb MailScanner[24748]: Read 676 hostnames from the phishing whitelist
>> Feb 21 19:25:30 ftb MailScanner[24748]: Using locktype = flock
>> Feb 21 19:25:40 ftb MailScanner[24762]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
>> Feb 21 19:25:40 ftb MailScanner[24762]: Read 676 hostnames from the phishing whitelist
>> Feb 21 19:25:41 ftb MailScanner[24762]: Using locktype = flock
>> Feb 21 19:25:51 ftb MailScanner[24763]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
>> Feb 21 19:25:51 ftb MailScanner[24763]: Read 676 hostnames from the phishing whitelist
>> Feb 21 19:25:52 ftb MailScanner[24763]: Using locktype = flock
>> Feb 21 19:26:02 ftb MailScanner[24772]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
>> Feb 21 19:26:02 ftb MailScanner[24772]: Read 676 hostnames from the phishing whitelist
>> Feb 21 19:26:03 ftb MailScanner[24772]: Using locktype = flock
>> Feb 21 19:26:13 ftb MailScanner[24782]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
>> Feb 21 19:26:13 ftb MailScanner[24782]: Read 676 hostnames from the phishing whitelist
>> Feb 21 19:26:14 ftb MailScanner[24782]: Using locktype = flock
>> Feb 21 19:26:24 ftb MailScanner[24789]: MailScanner E-Mail Virus Scanner version 4.46.2 starting...
>> Feb 21 19:26:24 ftb MailScanner[24789]: Read 676 hostnames from the phishing whitelist
>> Feb 21 19:26:25 ftb MailScanner[24789]: Using locktype = flock
>> >> Does the problem come from Postfix? > > What does 'MailScanner --lint' show? > What does 'MailScanner --debug' show? > > And how did you set up postfix for mailscanner? Did you use the hold queue method, or the deprecated 2 processes method. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080221/0a37c005/signature.bin From william at raidbr.com.br Thu Feb 21 20:15:27 2008 From: william at raidbr.com.br (William A. Knob) Date: Thu Feb 21 20:12:03 2008 Subject: SQLBlackWhitelist using wildcards Message-ID: <47BDDBDF.2060008@raidbr.com.br> Hi all! People, I want to use "wildcards" on my black/whitelist SQL tables to use with Mailscanner... Anybody knows how can I do that? Or anyone has made a modification on the "SQLBlackWhiteList.pm" script to do that stuff? Regards; -- *William A. Knob - Development Division* Raidbr Soluções em Informática Ltda. Rua José Albino Reuse, 1125. Cinquentenário. Caxias do Sul - RS Phone/Fax: (54) 3223.7074 Visit our site: www.raidbr.com.br -- This message has been checked by the antivirus system and is believed to be free of danger. From MailScanner at ecs.soton.ac.uk Thu Feb 21 20:37:35 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 21 20:37:58 2008 Subject: SQLBlackWhitelist using wildcards In-Reply-To: <47BDDBDF.2060008@raidbr.com.br> References: <47BDDBDF.2060008@raidbr.com.br> Message-ID: <47BDE10F.6060201@ecs.soton.ac.uk> Unfortunately you can't do that without slowing it down a lot. The SQLBlackWhiteList stuff, instead of allowing wildcards and hence having to check every entry in the list for every message, reduces the whole problem to a couple of hash table lookups which are very fast, as it knows that there aren't any wildcards. If you allow the use of wildcards, every entry has to be matched against every address of every message. This is slow and is why MailScanner rulesets shouldn't ideally have more than several hundred (or maybe a thousand) entries. The SQL stuff does not allow wildcards much, with the result that it can just do table lookups to find if the address is listed or not. This is enormously faster than searching every entry of a ruleset. The reason the SQL black+whitelist support is fast, not because of it being SQL (which actually makes it run slower) but because it doesn't support wildcards. I hope that explains my design philosophy a bit for this feature. Jules. William A. Knob wrote: > Hi all! > > People, I want to use "wildcards" on my black/whitelist SQL tables > to use with Mailscanner... Anybody knows how can I do that? Or anyone > has made a modification on the "SQLBlackWhiteList.pm" script to do > that stuff? > > Regards; > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ssilva at sgvwater.com Thu Feb 21 20:50:11 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Feb 21 20:50:36 2008 Subject: SQLBlackWhitelist using wildcards In-Reply-To: <47BDE10F.6060201@ecs.soton.ac.uk> References: <47BDDBDF.2060008@raidbr.com.br> <47BDE10F.6060201@ecs.soton.ac.uk> Message-ID: on 2/21/2008 12:37 PM Julian Field spake the following: > Unfortunately you can't do that without slowing it down a lot. The > SQLBlackWhiteList stuff, instead of allowing wildcards and hence having > to check every entry in the list for every message, reduces the whole > problem to a couple of hash table lookups which are very fast, as it > knows that there aren't any wildcards. > > If you allow the use of wildcards, every entry has to be matched against > every address of every message. This is slow and is why MailScanner > rulesets shouldn't ideally have more than several hundred (or maybe a > thousand) entries. The SQL stuff does not allow wildcards much, with the > result that it can just do table lookups to find if the address is > listed or not. This is enormously faster than searching every entry of a > ruleset. > > The reason the SQL black+whitelist support is fast, not because of it > being SQL (which actually makes it run slower) but because it doesn't > support wildcards. > > I hope that explains my design philosophy a bit for this feature. > > Jules. > > William A. Knob wrote: >> Hi all! >> >> People, I want to use "wildcards" on my black/whitelist SQL tables >> to use with Mailscanner... Anybody knows how can I do that? Or anyone >> has made a modification on the "SQLBlackWhiteList.pm" script to do >> that stuff? >> >> Regards; >> >> > > Jules > Does matching only a domain slow it down? IE... using 'domain.com' to match '*@domain.com' instead of the default of 'user@domain.com'. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080221/7fcd6a91/signature.bin From william at raidbr.com.br Thu Feb 21 20:55:55 2008 
From: william at raidbr.com.br (William A. Knob) Date: Thu Feb 21 20:52:35 2008 Subject: SQLBlackWhitelist using wildcards In-Reply-To: <47BDE10F.6060201@ecs.soton.ac.uk> References: <47BDDBDF.2060008@raidbr.com.br> <47BDE10F.6060201@ecs.soton.ac.uk> Message-ID: <47BDE55B.3020800@raidbr.com.br> Ok, I understand... but so, how can I block "subdomains" on my Blacklist without wildcards? On the ruleset file "spam.blacklist.rules" I put something like that: "FromorTo: *@*.domain.com yes"... In the SQL stuff, how does this work? Regards; Julian Field wrote: > Unfortunately you can't do that without slowing it down a lot. The > SQLBlackWhiteList stuff, instead of allowing wildcards and hence > having to check every entry in the list for every message, reduces the > whole problem to a couple of hash table lookups which are very fast, > as it knows that there aren't any wildcards. > > If you allow the use of wildcards, every entry has to be matched > against every address of every message. This is slow and is why > MailScanner rulesets shouldn't ideally have more than several hundred > (or maybe a thousand) entries. The SQL stuff does not allow wildcards > much, with the result that it can just do table lookups to find if the > address is listed or not. This is enormously faster than searching > every entry of a ruleset. > > The reason the SQL black+whitelist support is fast, not because of it > being SQL (which actually makes it run slower) but because it doesn't > support wildcards. > > I hope that explains my design philosophy a bit for this feature. > > Jules. > > William A. Knob wrote: >> Hi all! >> >> People, I want to use "wildcards" on my black/whitelist SQL tables >> to use with Mailscanner... Anybody knows how can I do that? Or anyone >> has made a modification on the "SQLBlackWhiteList.pm" script to do >> that stuff? >> >> Regards; >> >> > > Jules > -- *William A. Knob - Development Division* Raidbr Soluções em Informática Ltda. Rua José Albino Reuse, 1125. 
Cinquentenário. Caxias do Sul - RS Phone/Fax: (54) 3223.7074 Visit our site: www.raidbr.com.br -- This message has been checked by the antivirus system and is believed to be free of danger. From ajcartmell at fonant.com Thu Feb 21 21:11:42 2008 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Thu Feb 21 21:11:57 2008 Subject: Problem with the version 4.46.2 In-Reply-To: <47BD975A.20508@ecs.soton.ac.uk> References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> <47BD975A.20508@ecs.soton.ac.uk> Message-ID: > Unfortunately the Debian maintainers have the view that MailScanner is > "unstable" as I produce releases too frequently for them. That reminds me of a long discussion we had, a few months ago, about frequently-released operating systems and whether their release schedule made them "unstable"... FWIW (not much) I love MailScanner's release schedule :) Anthony -- www.fonant.com - Quality web sites From spamlists at coders.co.uk Thu Feb 21 21:27:44 2008 From: spamlists at coders.co.uk (Matt Hampton) Date: Thu Feb 21 21:28:51 2008 Subject: Problem with the version 4.46.2 In-Reply-To: References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> <47BD975A.20508@ecs.soton.ac.uk> Message-ID: <47BDECD0.8020309@coders.co.uk> Anthony Cartmell wrote: >> Unfortunately the Debian maintainers have the view that MailScanner is >> "unstable" as I produce releases too frequently for them. > That's the problem when MailScanner causes swapping...... ;-) From MailScanner at ecs.soton.ac.uk Thu Feb 21 21:30:04 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 21 21:30:35 2008 Subject: SQLBlackWhitelist using wildcards In-Reply-To: References: <47BDDBDF.2060008@raidbr.com.br> <47BDE10F.6060201@ecs.soton.ac.uk> Message-ID: <47BDED5C.60602@ecs.soton.ac.uk> Scott Silva wrote: > on 2/21/2008 12:37 PM Julian Field spake the following: >> Unfortunately you can't do that without slowing it down a lot. The >> SQLBlackWhiteList stuff, instead of allowing wildcards and hence >> having to check every entry in the list for every message, reduces >> the whole problem to a couple of hash table lookups which are very >> fast, as it knows that there aren't any wildcards. >> >> If you allow the use of wildcards, every entry has to be matched >> against every address of every message. This is slow and is why >> MailScanner rulesets shouldn't ideally have more than several hundred >> (or maybe a thousand) entries. The SQL stuff does not allow wildcards >> much, with the result that it can just do table lookups to find if >> the address is listed or not. This is enormously faster than >> searching every entry of a ruleset. >> >> The reason the SQL black+whitelist support is fast, not because of it >> being SQL (which actually makes it run slower) but because it doesn't >> support wildcards. >> >> I hope that explains my design philosophy a bit for this feature. >> >> Jules. >> >> William A. Knob wrote: >>> Hi all! >>> >>> People, I want to use "wildcards" on my black/whitelist SQL >>> tables to use with Mailscanner... Anybody knows how can I do that? >>> Or anyone has made a modification on the "SQLBlackWhiteList.pm" >>> script to do that stuff? >>> >>> Regards; >>> >>> >> >> Jules >> > Does matching only a domain slow it down? > IE... using 'domain.com' to match '*@domain.com' instead of the > default of 'user@domain.com'. I have finally found the original code, it was written for a specific customer. 
It reduces the search process to a string of hash table lookups, like this:

    return 1 if $BlackWhite->{$to}{$from};
    return 1 if $BlackWhite->{$to}{$fromdomain};
    return 1 if $BlackWhite->{$to}{$ip};
    return 1 if $BlackWhite->{$to}{'default'};
    return 1 if $BlackWhite->{$todomain}{$from};
    return 1 if $BlackWhite->{$todomain}{$fromdomain};
    return 1 if $BlackWhite->{$todomain}{$ip};
    return 1 if $BlackWhite->{$todomain}{'default'};
    return 1 if $BlackWhite->{'default'}{$from};
    return 1 if $BlackWhite->{'default'}{$fromdomain};
    return 1 if $BlackWhite->{'default'}{$ip};

So if the exact address user@domain.com or domain.com or the numerical IP address is listed, it will match. I can't remember too much about this code, I wrote it quite a long time ago. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From MailScanner at ecs.soton.ac.uk Thu Feb 21 21:35:56 2008 
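The lookup order from Julian Field's reply above, as an added Perl example that is not part of the original posts and is not the SQLBlackWhiteList.pm code. The table contents, the function names and the `subdomains` option are assumptions; the parent-domain walk goes beyond what the post describes and shows one way to cover the `*@*.domain.com` case from William's question with a bounded number of hash lookups instead of wildcard matching.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample table: $list{recipient key}{sender key} = 1.
# A key is a lower-cased full address, a bare domain, an IP address
# or the literal string 'default'.
my %blacklist = (
    'alice@example.org' => { 'spammer@bad.example' => 1 },
    'example.org'       => { 'bad.example' => 1, '192.0.2.25' => 1 },
    'default'           => { 'worse.example' => 1 },
);

# Domain part of an address, lower-cased ('' if there is none).
sub domain_of {
    my ($addr) = @_;
    return $addr =~ /\@([^\@]+)\z/ ? lc($1) : '';
}

# Parent domains of a host name, most specific first:
#   mail.eu.bad.example -> eu.bad.example, bad.example
# The last label is never tried on its own.
sub parent_domains {
    my ($domain) = @_;
    my @labels = split /\./, $domain;
    my @parents;
    while (@labels > 2) {
        shift @labels;
        push @parents, join('.', @labels);
    }
    return @parents;
}

# Same lookup order as the post: recipient address, recipient domain,
# then 'default'; for each of those the sender address, sender domain,
# client IP and finally 'default' (never the default/default pair).
# With subdomains => 1 (hypothetical option) the sender's parent
# domains are tried as extra keys, so listing 'bad.example' also
# catches mail.eu.bad.example.
sub is_listed {
    my ($list, $to, $from, $ip, %opt) = @_;
    $to   = lc($to);
    $from = lc($from);
    my $fromdomain = domain_of($from);

    my @senders = grep { defined && length } ($from, $fromdomain, $ip);
    push @senders, parent_domains($fromdomain) if $opt{subdomains};

    for my $rcpt ($to, domain_of($to), 'default') {
        # exists() first: $list->{$rcpt}{$key} on a missing row would
        # autovivify an empty row for every recipient ever looked up.
        next unless exists $list->{$rcpt};
        my $row = $list->{$rcpt};
        for my $sender (@senders) {
            return 1 if $row->{$sender};
        }
        return 1 if $rcpt ne 'default' && $row->{'default'};
    }
    return 0;
}

# Constructed messages: [ recipient, sender, client IP ]
my @messages = (
    [ 'alice@example.org',   'spammer@bad.example',   '198.51.100.7' ],
    [ 'bob@example.org',     'x@mail.eu.bad.example', '198.51.100.7' ],
    [ 'bob@example.org',     'friend@good.example',   '192.0.2.25'   ],
    [ 'carol@other.example', 'news@worse.example',    '198.51.100.9' ],
    [ 'carol@other.example', 'friend@good.example',   '198.51.100.9' ],
);

for my $m (@messages) {
    my ($to, $from, $ip) = @$m;
    printf "%-20s <- %-22s %-13s exact=%d subdomains=%d\n",
        $to, $from, $ip,
        is_listed(\%blacklist, $to, $from, $ip),
        is_listed(\%blacklist, $to, $from, $ip, subdomains => 1);
}
```

The number of lookups per message depends only on how many labels the sender's domain has, not on how many entries the table holds, which is the property the reply attributes to the no-wildcard design.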
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 21 21:36:27 2008 Subject: Problem with the version 4.46.2 In-Reply-To: References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> <47BD975A.20508@ecs.soton.ac.uk> Message-ID: <47BDEEBC.7020301@ecs.soton.ac.uk> Anthony Cartmell wrote: >> Unfortunately the Debian maintainers have the view that MailScanner is >> "unstable" as I produce releases too frequently for them. > > That reminds me of a long discussion we had, a few months ago, about > frequently-released operating systems and whether their release > schedule made them "unstable"... > > FWIW (not much) I love MailScanner's release schedule :) Thank you :-) Would you really prefer to have to wait a year before feature requests were implemented, just to keep some "distorted" Debian admins happy? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alxfrag at gmail.com Thu Feb 21 22:00:06 2008 
From: alxfrag at gmail.com (AlxFrag) Date: Thu Feb 21 21:59:21 2008 Subject: Mailscanner warnings In-Reply-To: References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com> <223f97700802200734n29031a3eg763c55dbddc1c09d@mail.gmail.com> <47BD3CB0.2000009@gmail.com> Message-ID: <47BDF466.2060907@gmail.com> Ugo Bellavance wrote: > AlxFrag wrote: >>> >> i've solved the problem thanks! the only thing i had to specify is >> Virus Scanners = clamd instead of Virus Scanners = clamav. > > If you found a problem with the doc, please fix it or ask us to fix it. > > Regards, > > Ugo > Another problem i had is that in the older version the clamd socket was /tmp/clamd while in this version is /tmp/clamd.socket :) From MailScanner at ecs.soton.ac.uk Thu Feb 21 22:10:19 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 21 22:10:47 2008 Subject: Mailscanner warnings In-Reply-To: <47BDF466.2060907@gmail.com> References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com> <223f97700802200734n29031a3eg763c55dbddc1c09d@mail.gmail.com> <47BD3CB0.2000009@gmail.com> <47BDF466.2060907@gmail.com> Message-ID: <47BDF6CB.4060400@ecs.soton.ac.uk> AlxFrag wrote: > Ugo Bellavance wrote: >> AlxFrag wrote: >>>> >>> i've solved the problem thanks! the only thing i had to specify is >>> Virus Scanners = clamd instead of Virus Scanners = clamav. >> >> If you found a problem with the doc, please fix it or ask us to fix it. >> >> Regards, >> >> Ugo >> > Another problem i had is that in the older version the clamd socket > was /tmp/clamd while in this version is /tmp/clamd.socket :) But this is configurable in MailScanner, so shouldn't matter. Should it? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From james at gray.net.au Thu Feb 21 22:58:30 2008 
From: james at gray.net.au (James Gray) Date: Thu Feb 21 22:58:45 2008 Subject: Problem with the version 4.46.2 In-Reply-To: <47BDEEBC.7020301@ecs.soton.ac.uk> References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> <47BD975A.20508@ecs.soton.ac.uk> <47BDEEBC.7020301@ecs.soton.ac.uk> Message-ID: <33D48A86-8DBC-4BBF-B79B-0AC1C804491B@gray.net.au> On 22/02/2008, at 8:35 AM, Julian Field wrote: > Anthony Cartmell wrote: >>> Unfortunately the Debian maintainers have the view that >>> MailScanner is >>> "unstable" as I produce releases too frequently for them. >> >> That reminds me of a long discussion we had, a few months ago, >> about frequently-released operating systems and whether their >> release schedule made them "unstable"... >> >> FWIW (not much) I love MailScanner's release schedule :) > Thank you :-) > > Would you really prefer to have to wait a year before feature > requests were implemented, just to keep some "distorted" Debian > admins happy? I don't have any "pure" Debian systems running but I have a number of Ubuntu server installs I can play with. Most are running Ubuntu 6.06LTS (aka. "Dapper"). I'd be willing to investigate the whole packaging so that it plays nice with Debian/Ubuntu's little quirks. Just a few questions: - Did you want to bundle SpamAssassin and ClamAV too? - Do we need to use your Perl modules or can we use the distribution ones? - I was thinking maybe making separate packages for all of this (MS, SA, Clam and Perl mods), then putting it all up in a single repo - what do other people think? No time frames/promises...I've got to sit down and figure out the best way to achieve this without borking the base packages etc. This is just something that's bugged me for ages and after reading this thread, it's piqued my interest (again!). Cheers, James -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/pkcs7-signature Size: 2417 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080222/3b03b4e9/smime.bin From ssilva at sgvwater.com Thu Feb 21 23:24:16 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Feb 21 23:24:50 2008 Subject: Problem with the version 4.46.2 In-Reply-To: <33D48A86-8DBC-4BBF-B79B-0AC1C804491B@gray.net.au> References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> <47BD975A.20508@ecs.soton.ac.uk> <47BDEEBC.7020301@ecs.soton.ac.uk> <33D48A86-8DBC-4BBF-B79B-0AC1C804491B@gray.net.au> Message-ID: on 2/21/2008 2:58 PM James Gray spake the following: > On 22/02/2008, at 8:35 AM, Julian Field wrote: >> Anthony Cartmell wrote: >>>> Unfortunately the Debian maintainers have the view that MailScanner is >>>> "unstable" as I produce releases too frequently for them. >>> >>> That reminds me of a long discussion we had, a few months ago, about >>> frequently-released operating systems and whether their release >>> schedule made them "unstable"... >>> >>> FWIW (not much) I love MailScanner's release schedule :) >> Thank you :-) >> >> Would you really prefer to have to wait a year before feature requests >> were implemented, just to keep some "distorted" Debian admins happy? > > I don't have any "pure" Debian systems running but I have a number of > Ubuntu server installs I can play with. Most are running Ubuntu 6.06LTS > (aka. "Dapper"). I'd be willing to investigate the whole packaging so > that it plays nice with Debian/Ubuntu's little quirks. > > Just a few questions: > - Did you want to bundle SpamAssassin and ClamAV too? > - Do we need to use your Perl modules or can we use the distribution ones? > - I was thinking maybe making separate packages for all of this (MS, SA, > Clam and Perl mods), then putting it all up in a single repo - what do > other people think? > > No time frames/promises...I've got to sit down and figure out the best > way to achieve this without borking the base packages etc. This is just > something that's bugged me for ages and after reading this thread, it's > piqued my interest (again!). 
> > Cheers, > > James > > The repo thing has been tried for CentOS, and it borked some things. But then again, it depended on another "third party" repo, so it might work if you had everything in one repo. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From micoots at yahoo.com Fri Feb 22 00:38:50 2008
From: micoots at yahoo.com (Michael Mansour) Date: Fri Feb 22 00:39:00 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: Message-ID: <537972.77557.qm@web33315.mail.mud.yahoo.com> Hi, --- Scott Silva wrote: > on 2/21/2008 3:22 AM Andy Wright spake the > following: > > Scott Silva wrote: > >>> > >> I would just be happy if I could set Mailwatch to > not protect me from > >> myself and allow me to release virus content. I > think I saw a patch > >> somewhere, but I sure can't find it. > >> > > > > Scott, if you're still looking for a way to do > this you can edit line > > 326 of details.php in your mailwatch html > directory - find the line; > > > > if($item['dangerous'] !== "Y") { > > > > and change the "Y" to something else - I altered > mine to "r", then > > you'll be able to release all items no matter how > they're flagged. > > > > Andy. > Thank you! I knew I saw it somewhere.
There's also this bit that needs changing, otherwise you don't get the link to view the message:

// If the file is in message/rfc822 format and isn't dangerous - create a link to allow it to be viewed
if($item['dangerous'] == "N" && preg_match('!message/rfc822!',$item['type'])) {
 echo " ".substr($item['path'],strlen($quarantinedir)+1)."\n";
} else {

I just made the "else" part the same as the first item. Regards, Michael.
> Now to get the multi-release patches working in > 1.0.4. > I'll probably get it just in time for 2.0 to come > out. > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read > http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off > the website! >
From micoots at yahoo.com Fri Feb 22 01:59:33 2008
From: micoots at yahoo.com (Michael Mansour) Date: Fri Feb 22 01:59:42 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: Message-ID: <107395.41019.qm@web33306.mail.mud.yahoo.com> Hi, --- Scott Silva wrote: > on 2/21/2008 3:22 AM Andy Wright spake the > following: > > Scott Silva wrote: > >>> > >> I would just be happy if I could set Mailwatch to > not protect me from > >> myself and allow me to release virus content. I > think I saw a patch > >> somewhere, but I sure can't find it. > >> > > > > Scott, if you're still looking for a way to do > this you can edit line > > 326 of details.php in your mailwatch html > directory - find the line; > > > > if($item['dangerous'] !== "Y") { > > > > and change the "Y" to something else - I altered > mine to "r", then > > you'll be able to release all items no matter how > they're flagged. > > > > Andy. > Thank you! I knew I saw it somewhere. > > Now to get the multi-release patches working in > 1.0.4. > I'll probably get it just in time for 2.0 to come > out. Which "Report" would I use in MailWatch to show me all the Viruses for all domains? I've tried to use the "Virus Report" but am not sure how to use it. Thanks. Michael. > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read > http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off > the website! > From james at gray.net.au Fri Feb 22 03:31:56 2008
From: james at gray.net.au (James Gray) Date: Fri Feb 22 03:32:20 2008 Subject: Problem with the version 4.46.2 In-Reply-To: References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> <47BD975A.20508@ecs.soton.ac.uk> <47BDEEBC.7020301@ecs.soton.ac.uk> <33D48A86-8DBC-4BBF-B79B-0AC1C804491B@gray.net.au> Message-ID: <10F4091F-E7FD-4126-BFBB-413F6205870F@gray.net.au> On 22/02/2008, at 10:24 AM, Scott Silva wrote: > on 2/21/2008 2:58 PM James Gray spake the following: >> On 22/02/2008, at 8:35 AM, Julian Field wrote: >>> Anthony Cartmell wrote: >>>>> Unfortunately the Debian maintainers have the view that >>>>> MailScanner is >>>>> "unstable" as I produce releases too frequently for them. >>>> >>>> That reminds me of a long discussion we had, a few months ago, >>>> about frequently-released operating systems and whether their >>>> release schedule made them "unstable"... >>>> >>>> FWIW (not much) I love MailScanner's release schedule :) >>> Thank you :-) >>> >>> Would you really prefer to have to wait a year before feature >>> requests were implemented, just to keep some "distorted" Debian >>> admins happy? >> I don't have any "pure" Debian systems running but I have a number >> of Ubuntu server installs I can play with. Most are running Ubuntu >> 6.06LTS (aka. "Dapper"). I'd be willing to investigate the whole >> packaging so that it plays nice with Debian/Ubuntu's little quirks. >> Just a few questions: >> - Did you want to bundle SpamAssassin and ClamAV too? >> - Do we need to use your Perl modules or can we use the >> distribution ones? >> - I was thinking maybe making separate packages for all of this >> (MS, SA, Clam and Perl mods), then putting it all up in a single >> repo - what do other people think? >> No time frames/promises...I've got to sit down and figure out the >> best way to achieve this without borking the base packages etc. >> This is just something that's bugged me for ages and after reading >> this thread, it's piqued my interest (again!). 
>> Cheers, >> James > The repo thing has been tried for CentOS, and it borked some things. > But then again, it depended on another "third party" repo, so it > might work if you had everything in one repo.
The other option would be to just use a Debian package as a wrapper for Julian's installer scripts. However, this would make it very difficult to return a system to a "pure" Debian/Ubuntu on removal. Hence the reason I was thinking about putting all the Perl/SA/Clam/MS components in separate debs. I also wouldn't be relying on any 3rd party repos. My plan was a one-stop-shop for MailScanner+SA+Clam (and the underlying Perl modules). Debian (and I assume Ubuntu too) have guidelines for custom packages that use later versions of base packages (e.g., the perl modules) so that if the distribution updates the package to a later version than Julian's Clam/SA/Perl, it all still plays nice. Plus the init scripts and "/etc/default" are a relatively debian-specific thing too - all of which I've done for my Ubuntu systems, but just never bothered to wrap it up in a deb. Most of the ground-work is there; just need to sort out the package creation fru-fru (a la "spec file"...although debs are different) and versioning/tagging etc. Then once it's all packaged I need to work out some sort of hosting (maybe mailscanner.info...if the packages are any good :P). Cheers, James
From mi6 at orcon.net.nz Fri Feb 22 04:02:32 2008
From: mi6 at orcon.net.nz (Charlie) Date: Fri Feb 22 04:02:47 2008 Subject: Cannot allow 'exe' files Message-ID: <094901c87507$c14e8ab0$0200a8c0@CharlieCompaq> Hi, firstly, thanks for all the replies to my previous question which I will address once I fix this new problem that has come up: I have just reinstalled MailScanner but it is not allowing any executable files (e.g. com, exe) to be sent *even though* I have changed the relevant configuration file 'filename.rules.conf', and am pretty sure I have successfully restarted MailScanner. The error I receive back from the server is: The following e-mails were found to have: Bad Filename Detected (and then in the Quarantine section it says: No programs allowed) The changes I did to 'filename.rules.conf' were to comment out these two lines as follows: #deny \.com$ Windows/DOS Executable #deny \.exe$ Windows/DOS Executable I'm not sure what else to try. Thanks! From james at gray.net.au Fri Feb 22 04:34:56 2008 
From: james at gray.net.au (James Gray) Date: Fri Feb 22 04:35:10 2008 Subject: Cannot allow 'exe' files In-Reply-To: <094901c87507$c14e8ab0$0200a8c0@CharlieCompaq> References: <094901c87507$c14e8ab0$0200a8c0@CharlieCompaq> Message-ID: On 22/02/2008, at 3:02 PM, Charlie wrote: > I have just reinstalled MailScanner but it is not allowing any > executable files (e.g. com, exe) to be sent *even though* I have > changed the relevant configuration file 'filename.rules.conf', and > am pretty sure I have successfully restarted MailScanner. > > The error I receive back from the server is: > The following e-mails were found to have: Bad Filename Detected > (and then in the Quarantine section it says: No programs allowed) > > The changes I did to 'filename.rules.conf' were to comment out these > two lines as follows: > #deny \.com$ Windows/DOS Executable > #deny \.exe$ Windows/DOS Executable > > I'm not sure what else to try.
Hi Charlie, Make sure you comment out the following lines in /etc/MailScanner/filetype.rules.conf

deny self-extract No self-extracting archives No self-extracting archives allowed
deny executable No executables No programs allowed

Alternatively, you can replace them with:

allow self-extract - -
allow executable - -

The second option is more obvious as to what you're allowing and denying, but both are equally effective. I won't go into the "why this is a bad idea" .... I assume you have your reasons :) Cheers, James
From r.berber at computer.org Fri Feb 22 04:36:36 2008
From: r.berber at computer.org (René Berber) Date: Fri Feb 22 04:36:54 2008 Subject: Cannot allow 'exe' files In-Reply-To: <094901c87507$c14e8ab0$0200a8c0@CharlieCompaq> References: <094901c87507$c14e8ab0$0200a8c0@CharlieCompaq> Message-ID: Charlie wrote: > I have just reinstalled MailScanner but it is not allowing any > executable files (e.g. com, exe) to be sent *even though* I have changed > the relevant configuration file 'filename.rules.conf', and am pretty > sure I have successfully restarted MailScanner. > > The error I receive back from the server is: > The following e-mails were found to have: Bad Filename Detected > (and then in the Quarantine section it says: No programs allowed) > > The changes I did to 'filename.rules.conf' were to comment out these two > lines as follows: > #deny \.com$ Windows/DOS Executable > #deny \.exe$ Windows/DOS Executable > > I'm not sure what else to try.

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = #/usr/bin/file

-- René Berber
From alxfrag at gmail.com Fri Feb 22 07:44:56 2008
From: alxfrag at gmail.com (AlxFrag) Date: Fri Feb 22 07:45:11 2008 Subject: Mailscanner warnings In-Reply-To: <47BDF6CB.4060400@ecs.soton.ac.uk> References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com> <223f97700802200734n29031a3eg763c55dbddc1c09d@mail.gmail.com> <47BD3CB0.2000009@gmail.com> <47BDF466.2060907@gmail.com> <47BDF6CB.4060400@ecs.soton.ac.uk> Message-ID: <47BE7D78.5030803@gmail.com> Julian Field wrote: > > > AlxFrag wrote: >> Ugo Bellavance wrote: >>> AlxFrag wrote: >>>>> >>>> i've solved the problem thanks! the only thing i had to specify is >>>> Virus Scanners = clamd instead of Virus Scanners = clamav. >>> >>> If you found a problem with the doc, please fix it or ask us to fix it. >>> >>> Regards, >>> >>> Ugo >>> >> Another problem i had is that in the older version the clamd socket >> was /tmp/clamd while in this version is /tmp/clamd.socket :) > But this is configurable in MailScanner, so shouldn't matter. Should it? > > Jules > You're right :) From mailing_lists+mailscanner at caleotech.com Fri Feb 22 09:25:58 2008 From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin) Date: Fri Feb 22 09:26:17 2008 Subject: RHEL 3, sendmail and lock type Message-ID: <64910.172.16.1.23.1203672358.squirrel@www.caleotech.com> Hi, What is the correct lock type to use for RHEL3 with sendmail (sendmail-8.12.11-4.RHEL3.6) and Mailscanner 4.66.5 ? The doc say sendmail <= 8.12 --> flock, sendmail > 8.12 --> posix. Redhat is porting a lot of stuff from higher version tree's, don't know about sendmail though. Jens From ljosnet at gmail.com Fri Feb 22 09:31:54 2008 
From: ljosnet at gmail.com (emm1) Date: Fri Feb 22 09:32:02 2008 Subject: DefenderMX Message-ID: <910ee2ac0802220131u76b51e27v19ef181d16820cdd@mail.gmail.com> Hello, I'm looking for someone that is knowledgeable about FSL.com DefenderMX. I have a customer that wants to receive all mail including spam but he wants the spam to be marked as SPAM so he can filter it himself with some rules in Outlook I guess. I noticed in the prefs for the domain that I can choose to use "I want All Spam (silly me) - Receive all possible messages unmarked" Does this mean he gets all mail delivered including SPAM but nothing will be marked as SPAM? Thanks! From uxbod at splatnix.net Fri Feb 22 09:40:06 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 22 09:40:32 2008 Subject: DefenderMX In-Reply-To: <910ee2ac0802220131u76b51e27v19ef181d16820cdd@mail.gmail.com> Message-ID: <23392283.151203673206425.JavaMail.root@office.splatnix.net> What about asking FSL ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "emm1" wrote: > Hello, I'm looking for someone that is knowledgeable about FSL.com > DefenderMX. I have a customer that wants to receive all mail > including > spam but he wants the spam to be marked as SPAM so he can filter it > himself with some rules in Outlook I guess. I noticed in the prefs > for > the domain that I can choose to use "I want All Spam (silly me) - > Receive all possible messages unmarked" > > Does this mean he gets all mail delivered including SPAM but nothing > will be marked as SPAM? > > Thanks! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ljosnet at gmail.com Fri Feb 22 09:49:26 2008
From: ljosnet at gmail.com (emm1) Date: Fri Feb 22 09:49:34 2008 Subject: DefenderMX In-Reply-To: <23392283.151203673206425.JavaMail.root@office.splatnix.net> References: <910ee2ac0802220131u76b51e27v19ef181d16820cdd@mail.gmail.com> <23392283.151203673206425.JavaMail.root@office.splatnix.net> Message-ID: <910ee2ac0802220149s3d4b4a3ajd50d56937adf78a7@mail.gmail.com> I sent them a support email yesterday but I haven't received a reply yet. I wanted to try out here also because this is kind of important and can't wait. :) On Fri, Feb 22, 2008 at 9:40 AM, --[ UxBoD ]-- wrote: > What about asking FSL ? > > Regards, > > -- > --[ UxBoD ]-- > // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 > // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > > ----- "emm1" wrote: > > > Hello, I'm looking for someone that is knowledgeable about FSL.com > > DefenderMX. I have a customer that wants to receive all mail > > including > > spam but he wants the spam to be marked as SPAM so he can filter it > > himself with some rules in Outlook I guess. I noticed in the prefs > > for > > the domain that I can choose to use "I want All Spam (silly me) - > > Receive all possible messages unmarked" > > > > Does this mean he gets all mail delivered including SPAM but nothing > > will be marked as SPAM? > > > > Thanks! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From uxbod at splatnix.net Fri Feb 22 09:57:38 2008
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 22 09:58:05 2008 Subject: DefenderMX In-Reply-To: <910ee2ac0802220149s3d4b4a3ajd50d56937adf78a7@mail.gmail.com> Message-ID: <28468879.181203674258974.JavaMail.root@office.splatnix.net> phone ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "emm1" wrote: > I sent them support email yesterday but I havenet received a reply > yet. I wanted to try out here also because this is kind of important > and cant wait. :) > > On Fri, Feb 22, 2008 at 9:40 AM, --[ UxBoD ]-- > wrote: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From tgc at statsbiblioteket.dk Fri Feb 22 10:15:15 2008 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Fri Feb 22 10:15:25 2008 Subject: RHEL 3, sendmail and lock type In-Reply-To: <64910.172.16.1.23.1203672358.squirrel@www.caleotech.com> References: <64910.172.16.1.23.1203672358.squirrel@www.caleotech.com> Message-ID: <47BEA0B3.4060901@statsbiblioteket.dk> Jens Ahlin wrote: > Hi, > > What is the correct lock type to use for RHEL3 with sendmail > (sendmail-8.12.11-4.RHEL3.6) and Mailscanner 4.66.5 ? The doc say sendmail > <= 8.12 --> flock, sendmail > 8.12 --> posix. > http://lists.mailscanner.info/pipermail/mailscanner/2006-November/067124.html -tgc From btj at havleik.no Fri Feb 22 11:43:42 2008 
From: btj at havleik.no (Bjørn T Johansen) Date: Fri Feb 22 11:44:26 2008 Subject: Very long filenames? Message-ID: <20080222124342.61710bcb@laptop-btj> Why does mailscanner stop this file? The original e-mail attachment "Hovedregelen e.doc" is on the list of unacceptable attachments for this site and has been replaced by this warning message. If you wish to receive a copy of the original attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Fri Feb 22 09:49:33 2008 the virus scanner said: MailScanner: Very long filenames are good signs of attacks against Microsoft e-mail packages (Hovedregelen e.doc) The only option I can find in filenames.rules.conf is this..:

deny .{150,} Very long filename, possible OE attack

My regexp isn't what it should be, so what does this mean? I don't think this filename is long....? Regards, BTJ -- Bjørn T Johansen btj@havleik.no Someone wrote: "I understand that if you play a Windows CD backwards you hear strange Satanic messages" To which someone replied: "It's even worse than that; play it forwards and it installs Windows"
From MailScanner at ecs.soton.ac.uk Fri Feb 22 12:09:22 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 22 12:09:52 2008 Subject: Very long filenames? In-Reply-To: <20080222124342.61710bcb@laptop-btj> References: <20080222124342.61710bcb@laptop-btj> Message-ID: <47BEBB72.8000000@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The filename reported has been sanitised before inclusion in the report. This is to ensure that no attacks can be launched by doing nasty things like putting a valid MIME section in a very long filename, and then getting MailScanner to report that (complete) filename in an email report. Bjørn T Johansen wrote: > Why does mailscanner stop this file? > > > > > The original e-mail attachment "Hovedregelen e.doc" > > is on the list of unacceptable attachments for this site and has been > > replaced by this warning message. > > > > If you wish to receive a copy of the original attachment, please > > e-mail helpdesk and include the whole of this message > > in your request. Alternatively, you can call them, with > > the contents of this message to hand when you call. > > > > At Fri Feb 22 09:49:33 2008 the virus scanner said: > > MailScanner: Very long filenames are good signs of attacks against > Microsoft e-mail packages (Hovedregelen e.doc) > > > > The only option I can find in filenames.rules.conf is this..: > > deny .{150,} Very long filename, possible OE attack > > > My regexp isn't what it should be, so what does this mean? I don't think this filename is long....? > > > Regards, > > BTJ > > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHvrtzEfZZRxQVtlQRAjmzAKDMc/Zr7cmDvUBavYXigp5q4HdeawCaA4fU Rd/A7sUY4olZ+10PaLieGfg= =LFn3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From J.Ede at birchenallhowden.co.uk Fri Feb 22 11:25:06 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Feb 22 12:10:33 2008 Subject: OT: bayes in MySQL with replication Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F503@server02.bhl.local> I know this is way off topic, but I'm guessing others have had this and have solved it... Since our 2 mail servers are on different sites and the VPN between them hasn't been overly reliable I've been trialling the bayes in MySQL with Master - Master replication. (MySQL 5.0) This seems to work fine for a few hours and I then get... 080222 10:38:07 [ERROR] Slave: Error 'Duplicate entry '1-????c' for key 1' on query. Default database: 'sa_bayes'. Query: 'INSERT INTO bayes_token (id, token, spam_count, ham_count, atime) VALUES ('1','????c','0','1','1203675610')', Error_code: 1062 080222 10:38:07 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.000006' position 8791360 and SQL replication stops. Is there any way of avoiding this or of specifying a default action in case of a clash like this? Currently each mailserver connects to the local copy of the database. Jason -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080222/e6676811/attachment.html From mailing_lists+mailscanner at caleotech.com Fri Feb 22 12:14:50 2008 
From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin) Date: Fri Feb 22 12:15:04 2008 Subject: RHEL 3, sendmail and lock type In-Reply-To: <47BEA0B3.4060901@statsbiblioteket.dk> References: <64910.172.16.1.23.1203672358.squirrel@www.caleotech.com> <47BEA0B3.4060901@statsbiblioteket.dk> Message-ID: <49215.172.16.1.23.1203682490.squirrel@www.caleotech.com> > Jens Ahlin wrote: >> Hi, >> >> What is the correct lock type to use for RHEL3 with sendmail >> (sendmail-8.12.11-4.RHEL3.6) and Mailscanner 4.66.5 ? The doc say >> sendmail >> <= 8.12 --> flock, sendmail > 8.12 --> posix. >> > http://lists.mailscanner.info/pipermail/mailscanner/2006-November/067124.html > > -tgc > -- So what you are saying is that flock is the one to use. The reason for asking is that broken queue files are building up in the mqueue.in directory, only the df files are present not the qf files. I don't know if this is related to a new problem causing messages to be delayed several hours. ( in the maillog I see A LOT of "SpamAssassin cache hit for message" for the messages that gets delayed. ) The server is not busy, load average < 0.3. Mail is not lost, just delayed, the broken queue files are all junk mail. I have flock specified in MailScanner.conf. If I change to default value "Lock Type = " mail is still processed and delivered using POSIX. Any ideas ? Jens From btj at havleik.no Fri Feb 22 12:37:45 2008 
From: btj at havleik.no (Bjørn T Johansen) Date: Fri Feb 22 12:38:23 2008 Subject: Very long filenames? In-Reply-To: <47BEBB72.8000000@ecs.soton.ac.uk> References: <20080222124342.61710bcb@laptop-btj> <47BEBB72.8000000@ecs.soton.ac.uk> Message-ID: <20080222133745.4dcb0ec4@laptop-btj> But how long is max length? And is there a way to find the original filename? BTJ On Fri, 22 Feb 2008 12:09:22 +0000 Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > The filename reported has been sanitised before inclusion in the report. > This is to ensure that no attacks can be launched by doing nasty things > like putting a valid MIME section in a very long filename, and then > getting MailScanner to report that (complete) filename in an email report. > > Bjørn T Johansen wrote: > > Why does mailscanner stop this file? > > > > > > > > > > The original e-mail attachment "Hovedregelen e.doc" > > > > is on the list of unacceptable attachments for this site and has been > > > > replaced by this warning message. > > > > > > > > If you wish to receive a copy of the original attachment, please > > > > e-mail helpdesk and include the whole of this message > > > > in your request. Alternatively, you can call them, with > > > > the contents of this message to hand when you call. > > > > > > > > At Fri Feb 22 09:49:33 2008 the virus scanner said: > > > > MailScanner: Very long filenames are good signs of attacks against > > Microsoft e-mail packages (Hovedregelen e.doc) > > > > > > > > The only option I can find in filenames.rules.conf is this..: > > > > deny .{150,} Very long filename, possible OE attack > > > > > > My regexp isn't what it should be, so what does this mean? I don't think this filename is long....? > > > > > > Regards, > > > > BTJ > > > > > > > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! 
From J.Ede at birchenallhowden.co.uk Fri Feb 22 12:00:13 2008
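An added example, not part of the original thread and not MailScanner's own code: a small Perl checker that applies rules in the shape quoted above (action, regular expression, log text) to a raw attachment name and reports the name's real length. First-match-wins ordering, case-insensitive matching, the whitespace-collapsing display step, the `.scr` and catch-all rules and all sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed rule text in the layout of the rules quoted in the thread.
# Fields are separated by two or more spaces here. The .{150,} rule and
# the two commented-out rules are from the thread; the rest is made up.
my $conf = <<'EOT';
deny    .{150,}    Very long filename, possible OE attack
#deny   \.com$     Windows/DOS Executable
#deny   \.exe$     Windows/DOS Executable
deny    \.scr$     Constructed example rule
allow   .          Constructed catch-all
EOT

# Turn the rule text into a list of { action, re, reason } records,
# skipping blank lines and lines that are commented out.
sub parse_rules {
    my ($text) = @_;
    my @rules;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($action, $re, $reason) = split /\s{2,}|\t+/, $line, 3;
        next unless defined $re && $action =~ /^(?:allow|deny)$/i;
        push @rules, {
            action => lc $action,
            re     => qr/$re/i,          # assumption: case-insensitive
            reason => defined $reason ? $reason : '',
        };
    }
    return \@rules;
}

# Assumption: rules are tried in file order and the first match decides.
sub check_filename {
    my ($rules, $name) = @_;
    for my $rule (@$rules) {
        return ($rule->{action}, $rule->{reason}) if $name =~ $rule->{re};
    }
    return ('allow', 'no rule matched');
}

# A display form of the name: whitespace runs collapsed and anything
# outside printable ASCII escaped. This is a hypothetical sanitiser that
# shows how a reported name can look short while the raw name is not.
sub display_name {
    my ($name) = @_;
    (my $shown = $name) =~ s/\s+/ /g;
    $shown =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return $shown;
}

my $rules = parse_rules($conf);

# Constructed sample names. The second is the reported name padded with
# 160 spaces, so .{150,} (150 or more of any character) matches it.
my @samples = (
    'Hovedregelen e.doc',
    'Hovedregelen' . (' ' x 160) . 'e.doc',
    'setup.exe',
    'screensaver.SCR',
);

for my $name (@samples) {
    my ($action, $reason) = check_filename($rules, $name);
    printf "%-5s raw_len=%-4d shown=\"%s\" (%s)\n",
        $action, length($name), display_name($name), $reason;
}
```

Only the filename rules are modelled here; the separate file-type check discussed in the "Cannot allow 'exe' files" thread is not.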
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Feb 22 12:45:32 2008 Subject: OT: bayes in MySQL with replication Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local> (sent 2ce as I think it was blocked first time due to random binary characters) I know this is way off topic, but I'm guessing others have had this and have solved it... Since our 2 mail servers are on different sites and the VPN between them hasn't been overly reliable I've been trialling the bayes in MySQL with Master - Master replication. (MySQL 5.0) This seems to work fine for a few hours and I then get...

080222 10:38:07 [ERROR] Slave: Error 'Duplicate entry '' for key 1' on query. Default database: 'sa_bayes'. Query: 'INSERT INTO bayes_token (id, token, spam_count, ham_count, atime) VALUES ('1','','0','1','1203675610')', Error_code: 1062
080222 10:38:07 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.000006' position 8791360

and SQL replication stops. Is there any way of avoiding this or of specifying a default action in case of a clash like this? Currently each mailserver connects to the local copy of the database. Jason
From gmatt at nerc.ac.uk Fri Feb 22 13:10:02 2008
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Fri Feb 22 13:10:44 2008 Subject: RHEL 3, sendmail and lock type In-Reply-To: <49215.172.16.1.23.1203682490.squirrel@www.caleotech.com> References: <64910.172.16.1.23.1203672358.squirrel@www.caleotech.com> <47BEA0B3.4060901@statsbiblioteket.dk> <49215.172.16.1.23.1203682490.squirrel@www.caleotech.com> Message-ID: <47BEC9AA.40602@nerc.ac.uk> Jens Ahlin wrote: > So what you are saying is that flock is the one to use. The reason for > asking is that broken queue files are building up in the mqueue.in > directory, only the df files are present not the qf files. I don't know if > this is related to a new problem causing messages to be delayed several > hours. ( in the maillog I see A LOT of "SpamAssassin cache hit for > message" for the messages that gets delayed. ) The server is not busy, > load average < 0.3. Mail is not lost, just delayed, the broken queue files > are all junk mail.
yes... that happens. I'm on CentOS 4.6 which uses the stock redhat sendmail 8.13.1. I'm using posix locking (correct for 8.13) but still see a slow build up of df files. I have a script that cleans up these files which I run a couple of times a year. I have been told that this was a bug in older versions of sendmail and I assume that RH never bothered to backport the patch. However, I can't confirm that. It has never been a problem for me - I'm 99.9% certain that the broken messages are actually dealt with correctly, just not properly cleaned up. here's my bash script:

#!/bin/bash
# clean up orphaned df* files in mqueue.in
# no known cause for these files yet.
/etc/init.d/MailScanner stop
sleep 2
dir="/var/spool/mqueue.in"
# only df* data files older than a day
file=`find "$dir" -type f -name 'df*' -mtime +1`
for i in ${file}
do
  m=`basename "${i}"`
  # strip the leading "df" to get the queue id
  j=${m:2}
  # move the data file aside if its qf control file is missing
  if [ ! -e "${dir}/qf${j}" ]; then
    mv "${i}" /var/tmp/
  fi
done
echo
df -hl
/etc/init.d/MailScanner start
exit 0

> > I have flock specified in MailScanner.conf. 
If I change to default value > "Lock Type = " mail is still processed and delivered using POSIX. > > Any ideas ? > > Jens -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford From william at raidbr.com.br Fri Feb 22 14:38:12 2008
From: william at raidbr.com.br (William A. Knob)
Date: Fri Feb 22 14:34:46 2008
Subject: SQLBlackWhitelist using wildcards
In-Reply-To: <47BDED5C.60602@ecs.soton.ac.uk>
References: <47BDDBDF.2060008@raidbr.com.br> <47BDE10F.6060201@ecs.soton.ac.uk> <47BDED5C.60602@ecs.soton.ac.uk>
Message-ID: <47BEDE54.206@raidbr.com.br>

Jules,

Is there not a way to make this code check subdomains too?

My problem is: I've blocked "domain.com" but the emails are still coming
from "xxx.domain.com", "yyy.domain.com" and a lot of others...

How can I block these subdomains using the SQL stuff? That's my problem...

Regards,

Julian Field wrote:
> Scott Silva wrote:
>> on 2/21/2008 12:37 PM Julian Field spake the following:
>>> Unfortunately you can't do that without slowing it down a lot. The
>>> SQLBlackWhiteList stuff, instead of allowing wildcards and hence
>>> having to check every entry in the list for every message, reduces
>>> the whole problem to a couple of hash table lookups which are very
>>> fast, as it knows that there aren't any wildcards.
>>>
>>> If you allow the use of wildcards, every entry has to be matched
>>> against every address of every message. This is slow and is why
>>> MailScanner rulesets shouldn't ideally have more than several
>>> hundred (or maybe a thousand) entries. The SQL stuff does not allow
>>> wildcards much, with the result that it can just do table lookups to
>>> find if the address is listed or not. This is enormously faster than
>>> searching every entry of a ruleset.
>>>
>>> The reason the SQL black+whitelist support is fast, not because of
>>> it being SQL (which actually makes it run slower) but because it
>>> doesn't support wildcards.
>>>
>>> I hope that explains my design philosophy a bit for this feature.
>>>
>>> Jules.
>>>
>>> William A. Knob wrote:
>>>> Hi all!
>>>>
>>>> People, I want to use "wildcards" on my black/whitelist SQL
>>>> tables to use with Mailscanner... Anybody knows how can I do that?
>>>> Or anyone has made a modification on the "SQLBlackWhiteList.pm"
>>>> script to do that stuff?
>>>>
>>>> Regards;
>>>>
>>>>
>>>
>>> Jules
>>>
>> Does matching only a domain slow it down?
>> IE... using 'domain.com' to match '*@domain.com' instead of the
>> default of 'user@domain.com'.
> I have finally found the original code, it was written for a specific
> customer.
> It reduces the search process to a string of hash table lookups, like
> this:
>
> return 1 if $BlackWhite->{$to}{$from};
> return 1 if $BlackWhite->{$to}{$fromdomain};
> return 1 if $BlackWhite->{$to}{$ip};
> return 1 if $BlackWhite->{$to}{'default'};
> return 1 if $BlackWhite->{$todomain}{$from};
> return 1 if $BlackWhite->{$todomain}{$fromdomain};
> return 1 if $BlackWhite->{$todomain}{$ip};
> return 1 if $BlackWhite->{$todomain}{'default'};
> return 1 if $BlackWhite->{'default'}{$from};
> return 1 if $BlackWhite->{'default'}{$fromdomain};
> return 1 if $BlackWhite->{'default'}{$ip};
>
> So if the exact address user@domain.com or domain.com or the numerical
> IP address is listed, it will match.
>
> I can't remember too much about this code, I wrote it quite a long
> time ago.
>
> Jules
>

--
*William A. Knob - Development Division*
Raidbr Soluções em Informática Ltda.
Rua José Albino Reuse, 1125. Cinquentenário.
Caxias do Sul - RS
Phone/Fax: (54) 3223.7074
Visit our site: www.raidbr.com.br

--
This message was checked by the antivirus system and is believed to be free of danger.

From t.d.lee at durham.ac.uk Fri Feb 22 14:49:29 2008
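The lookup chain quoted in the message above stays a series of hash lookups if, instead of wildcards, the sender's domain is tried together with each of its parent domains. This is an added example, not part of the thread and not code from SQLBlackWhiteList.pm; the sample list, the addresses and the helper names domain_and_parents, addr_and_domain and is_listed are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from SQLBlackWhiteList.pm.
use strict;
use warnings;

# Constructed sample list in the $BlackWhite->{recipient}{sender} shape of the
# quoted code; a real list would be filled from the SQL table.
my $BlackWhite = {
    'default'          => { 'domain.com' => 1, '192.0.2.10' => 1 },
    'example.org'      => { 'lists.example.net' => 1 },
    'boss@example.org' => { 'default' => 1 },
};

# "a.b.domain.com" -> ("a.b.domain.com", "b.domain.com", "domain.com").
# The bare top-level label is never returned, so a stray "com" entry
# cannot match every sender under that TLD.
sub domain_and_parents {
    my ($domain) = @_;
    return () unless defined $domain && length $domain;
    my @labels = grep { length($_) } split /\./, lc $domain;
    return (lc $domain) if @labels < 2;      # single-label host: exact match only
    my @chain;
    while (@labels >= 2) {
        push @chain, join('.', @labels);
        shift @labels;
    }
    return @chain;
}

# Split "user@domain" into the lower-cased address and its domain part.
sub addr_and_domain {
    my ($addr) = @_;
    $addr = lc(defined $addr ? $addr : '');
    my ($domain) = $addr =~ /\@([^\@]+)\z/;
    return ($addr, $domain);
}

# Same tests as the quoted chain, plus one extra lookup per parent domain of
# the sender. The cost grows with the number of labels in the sender's
# domain, not with the number of entries in the list.
sub is_listed {
    my ($list, $to, $from, $ip) = @_;
    my ($to_addr,   $to_domain)   = addr_and_domain($to);
    my ($from_addr, $from_domain) = addr_and_domain($from);

    my @senders = grep { defined($_) && length($_) }
                  ($from_addr, domain_and_parents($from_domain), $ip);

    for my $rcpt (grep { defined($_) && length($_) }
                  ($to_addr, $to_domain, 'default')) {
        my $entry = $list->{$rcpt} or next;  # plain fetch, no autovivification
        for my $key (@senders) {
            return 1 if $entry->{$key};
        }
        # {'default'}{'default'} is not consulted, as in the quoted chain
        return 1 if $rcpt ne 'default' && $entry->{'default'};
    }
    return 0;
}

# Constructed test messages: recipient, envelope sender, client IP.
my @cases = (
    [ 'user@example.org',  'spam@xxx.domain.com',     '198.51.100.7' ],  # subdomain of a listed domain
    [ 'user@example.org',  'spam@a.b.domain.com',     '198.51.100.7' ],  # two levels below it
    [ 'user@example.org',  'x@notdomain.com',         '198.51.100.7' ],  # shares a suffix, not a subdomain
    [ 'user@example.org',  'x@mx.lists.example.net',  '198.51.100.7' ],  # per-recipient-domain entry
    [ 'other@example.com', 'x@elsewhere.example',     '192.0.2.10'   ],  # listed client IP
    [ 'boss@example.org',  'anyone@anywhere.example', '198.51.100.7' ],  # recipient with a default entry
    [ 'other@example.com', 'x@elsewhere.example',     '198.51.100.7' ],  # nothing listed
);

for my $c (@cases) {
    printf "%-18s <- %-26s %-13s %s\n", @$c,
        (is_listed($BlackWhite, @$c) ? 'listed' : 'not listed');
}
```

Matching is by whole labels, so an entry for domain.com covers xxx.domain.com but not notdomain.com.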
From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Feb 22 14:49:55 2008 Subject: http proxy:suggestion Message-ID: Julian: A suggestion to assist large sites which sit behind tight firewalls... The "cron.daily" scripts "update_phishing_sites" and "update_spamassassin" need to reach out to remote websites. But at some large sites, the general practice is for web browsers to divert via a cache service. In this context the MS "update*" scripts are web clients (pseudo-browsers) and so the site-friendly way for the sites to work would be to honour any "http_proxy" environment variable. That is almost, but not quite, already in place. (Run manually, with explicit "http_proxy", it works.) What still seems absent is recognising "http_proxy" when run under "cron". Those scripts already do: if [ -f /etc/sysconfig/MailScanner ] ; then . /etc/sysconfig/MailScanner fi But that file seems oriented to variables specific to "MailScanner.conf". Could there also be a "/etc/sysconfig/MailScannerEnv" (or similar) whose purpose would be for environment variables for scripts? (I suppose the whole lot could be overloaded into the existing "sysconfig" file; my reason for suggesting a second file was a clean separation between script/envir variables and MS.conf variables.) Just a thought. What would be your recommendation for getting "http_proxy" recognised by those scripts under cron? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From rcooper at dwford.com Fri Feb 22 14:55:04 2008 From: rcooper at dwford.com (Rick Cooper) Date: Fri Feb 22 14:55:20 2008 Subject: bayes in MySQL with replication In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local> Message-ID: <050d01c87562$e8546930$0301a8c0@SAHOMELT> _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede Sent: Friday, February 22, 2008 7:00 AM To: MailScanner discussion Subject: OT: bayes in MySQL with replication (sent 2ce as I think it was blocked first time due to random binary characters) I know this is way off topic, but I'm guessing others have had this and have solved it... Since our 2 mail servers are on different sites and the VPN between them hasn't been overly reliable I've been trialling the bayes in MySQL with Master - Master replication. (MySQL 5.0) This seems to work fine for a few hours and I then get... 080222 10:38:07 [ERROR] Slave: Error 'Duplicate entry '' for key 1' on query. Default database: 'sa_bayes'. Query: 'INSERT INTO bayes_token (id, token, spam_count, ham_count, atime) VALUES ('1','','0','1','1203675610')', Error_code: 1062 080222 10:38:07 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.000006' position 8791360 and SQL replication stops. Is there any way of avoiding this or of specifying a default action in case of a clash like this? Currently each mailserver connects to the local copy of the database. Jason [Rick Cooper] Add slave-skip-errors = 1062 To your mysql config file under the [mysqld] section. that line says skip duplication errors, you might even want slave-skip-errors = 1053,1062 (skip master shutting down and data duplication errors) Look here for other replication config options that might interest you http://dev.mysql.com/doc/refman/5.1/en/replication-options.html -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080222/4dced07a/attachment.html From samp at arial-concept.com Fri Feb 22 15:01:45 2008 
From: samp at arial-concept.com (Sam Przyswa)
Date: Fri Feb 22 15:04:04 2008
Subject: [Solved] Re: Problem with the version 4.46.2
In-Reply-To: <33D48A86-8DBC-4BBF-B79B-0AC1C804491B@gray.net.au>
References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> <47BD975A.20508@ecs.soton.ac.uk> <47BDEEBC.7020301@ecs.soton.ac.uk> <33D48A86-8DBC-4BBF-B79B-0AC1C804491B@gray.net.au>
Message-ID: <1203692505.5500.85.camel@mars-linux>

On Friday 22 February 2008 at 09:58 +1100, James Gray wrote:
> On 22/02/2008, at 8:35 AM, Julian Field wrote:
> > Anthony Cartmell wrote:
> >>> Unfortunately the Debian maintainers have the view that
> >>> MailScanner is
> >>> "unstable" as I produce releases too frequently for them.
> >>
> >> That reminds me of a long discussion we had, a few months ago,
> >> about frequently-released operating systems and whether their
> >> release schedule made them "unstable"...
> >>
> >> FWIW (not much) I love MailScanner's release schedule :)
> > Thank you :-)
> >
> > Would you really prefer to have to wait a year before feature
> > requests were implemented, just to keep some "distorted" Debian
> > admins happy?
>
> I don't have any "pure" Debian systems running but I have a number of
> Ubuntu server installs I can play with. Most are running Ubuntu
> 6.06LTS (aka. "Dapper"). I'd be willing to investigate the whole
> packaging so that it plays nice with Debian/Ubuntu's little quirks.
>
> Just a few questions:
> - Did you want to bundle SpamAssassin and ClamAV too?
> - Do we need to use your Perl modules or can we use the distribution
> ones?
> - I was thinking maybe making separate packages for all of this (MS,
> SA, Clam and Perl mods), then putting it all up in a single repo -
> what do other people think?
>
> No time frames/promises...I've got to sit down and figure out the best
> way to achieve this without borking the base packages etc. This is
> just something that's bugged me for ages and after reading this
> thread, it's piqued my interest (again!).

I set the myhostname variable in /etc/postfix/main.cf and set
/etc/mailname and then it works.

It was my fault through misconfiguration, sorry, sorry, and thanks for
your help, I hope my poor experience will be useful for other users like me.

Sam.

--
This message has been checked by MailScanner for viruses or spam and nothing suspicious was found.

From shuttlebox at gmail.com Fri Feb 22 15:13:20 2008
From: shuttlebox at gmail.com (shuttlebox) Date: Fri Feb 22 15:13:29 2008 Subject: http proxy:suggestion In-Reply-To: References: Message-ID: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> On Fri, Feb 22, 2008 at 3:49 PM, David Lee wrote: > > Julian: A suggestion to assist large sites which sit behind tight > firewalls... > > The "cron.daily" scripts "update_phishing_sites" and "update_spamassassin" > need to reach out to remote websites. But at some large sites, the > general practice is for web browsers to divert via a cache service. In > this context the MS "update*" scripts are web clients (pseudo-browsers) > and so the site-friendly way for the sites to work would be to honour any > "http_proxy" environment variable. > > That is almost, but not quite, already in place. (Run manually, with > explicit "http_proxy", it works.) > > What still seems absent is recognising "http_proxy" when run under "cron". > > Those scripts already do: > if [ -f /etc/sysconfig/MailScanner ] ; then > . /etc/sysconfig/MailScanner > fi > > But that file seems oriented to variables specific to "MailScanner.conf". > > Could there also be a "/etc/sysconfig/MailScannerEnv" (or similar) whose > purpose would be for environment variables for scripts? I'm all for supporting environment variables like http_proxy but if the scripts should be overhauled it would be better if they were made in a more Unix generic way. Sysconfig isn't even a Linux standard but a Red Hat one. :-) -- /peter From mark at msapiro.net Fri Feb 22 15:21:51 2008 
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 22 15:22:02 2008
Subject: Very long filenames?
In-Reply-To: <20080222133745.4dcb0ec4@laptop-btj>
Message-ID:

Bjørn T Johansen wrote:
>But how long is max length? And is there a way to find the original filename?

>> > The only option I can find in filenames.rules.conf is this..:
>> >
>> > deny .{150,} Very long filename, possible OE attack

That regexp matches anything 150 or more characters long, so the max
length is 149.

If the message was quarantined, I expect the original name is in the
quarantined message. If not, there is a MailScanner entry in maillog,
but I don't know if it has the original or the sanitized name.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From mailing_lists+mailscanner at caleotech.com Fri Feb 22 15:26:59 2008
From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin) Date: Fri Feb 22 15:27:11 2008 Subject: RHEL 3, sendmail and lock type In-Reply-To: <47BEC9AA.40602@nerc.ac.uk> References: <64910.172.16.1.23.1203672358.squirrel@www.caleotech.com> <47BEA0B3.4060901@statsbiblioteket.dk> <49215.172.16.1.23.1203682490.squirrel@www.caleotech.com> <47BEC9AA.40602@nerc.ac.uk> Message-ID: <49689.172.16.1.23.1203694019.squirrel@www.caleotech.com> > Jens Ahlin wrote: >> So what you are saying is that flock is the one to use. The reason for >> asking is that broken queue files are building up in the mqueue.in >> directory, only the df files are present not the qf files. I don't know >> if >> this is related to a new problem causing messages to be delayed several >> hours. ( in the maillog I see A LOT of "SpamAssassin cache hit for >> message" for the messages that gets delayed. ) The server is not busy, >> load average < 0.3. Mail is not lost, just delayed, the broken queue >> files >> are all junk mail. > > yes... that happens. I'm on CentOS 4.6 which uses the stock redhat > sendmail 8.13.1. I'm using posix locking (correct for 8.13) but still > see a slow build up of df files. I have a script that cleans up these > files which I run a couple of times a year. > > I have been told that this was a bug in older versions of sendmail and I > assume that RH never bothered to backport the patch. However, I can't > confirm that. > > It has never been a problem for me - I'm 99.9% certain that the broken > messages are actually dealt with correctly, just not properly cleaned up. > > here's my bash script: > > #!/bin/bash > # clean up orphaned df* files in mqueue.in > # no known cause for these files yet. > > /etc/init.d/MailScanner stop > > sleep 2 > dir="/var/spool/mqueue.in" > > file=`find $dir -mtime +1` > for i in ${file} > do m=`basename ${i}` > j=${m:2} > if [ ! 
-e "${dir}/qf${j}" ]; then > mv ${i} /var/tmp/ > fi > done > echo > df -hl > > /etc/init.d/MailScanner start > > exit 0 > > >> >> I have flock specified in MailScanner.conf. If I change to default value >> "Lock Type = " mail is still processed and delivered using POSIX. >> >> Any ideas ? >> >> Jens > > > -- > Greg Matthews 01491 692445 > Head of UNIX/Linux, iTSS Wallingford > > -- Ok. Thanks for the info. I'll try to pursue the delay problem and just ignore the orphaned df files. I think I have found a message that somewhat confuses mailscanner, I have to test this further during low traffic hours. I have a set of qf/df files that maybe is the culprit. Jens From J.Ede at birchenallhowden.co.uk Fri Feb 22 15:46:54 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Feb 22 15:49:30 2008 Subject: bayes in MySQL with replication In-Reply-To: <050d01c87562$e8546930$0301a8c0@SAHOMELT> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local> <050d01c87562$e8546930$0301a8c0@SAHOMELT> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local> Many thanks for that... just what I was looking for... I also saw a 080222 15:38:55 [ERROR] Slave: Error 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0), ' at line 2' on query. Default database: 'sa_bayes'. Query: 'INSERT INTO bayes_token (id ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0), ham_count = GREATEST(ham_count + '1', 0), atime = GREATEST(atime, '1203694258')?', Error_code: 1064 080222 15:38:55 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.000011' position 5334725 error. I'm guessing I can add 1064 to that list too although I can't see what the syntax is wrong Jason 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper Sent: 22 February 2008 14:55 To: 'MailScanner discussion' Subject: RE: bayes in MySQL with replication ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede Sent: Friday, February 22, 2008 7:00 AM To: MailScanner discussion Subject: OT: bayes in MySQL with replication (sent 2ce as I think it was blocked first time due to random binary characters) I know this is way off topic, but I'm guessing others have had this and have solved it... Since our 2 mail servers are on different sites and the VPN between them hasn't been overly reliable I've been trialling the bayes in MySQL with Master - Master replication. (MySQL 5.0) This seems to work fine for a few hours and I then get... 080222 10:38:07 [ERROR] Slave: Error 'Duplicate entry '' for key 1' on query. Default database: 'sa_bayes'. Query: 'INSERT INTO bayes_token (id, token, spam_count, ham_count, atime) VALUES ('1','','0','1','1203675610')', Error_code: 1062 080222 10:38:07 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.000006' position 8791360 and SQL replication stops. Is there any way of avoiding this or of specifying a default action in case of a clash like this? Currently each mailserver connects to the local copy of the database. Jason [Rick Cooper] Add slave-skip-errors = 1062 To your mysql config file under the [mysqld] section. that line says skip duplication errors, you might even want slave-skip-errors = 1053,1062 (skip master shutting down and data duplication errors) Look here for other replication config options that might interest you http://dev.mysql.com/doc/refman/5.1/en/replication-options.html -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080222/ef12fe38/attachment.html From MailScanner at ecs.soton.ac.uk Fri Feb 22 16:37:36 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 22 16:38:20 2008 Subject: RHEL 3, sendmail and lock type In-Reply-To: <49689.172.16.1.23.1203694019.squirrel@www.caleotech.com> References: <64910.172.16.1.23.1203672358.squirrel@www.caleotech.com> <47BEA0B3.4060901@statsbiblioteket.dk> <49215.172.16.1.23.1203682490.squirrel@www.caleotech.com> <47BEC9AA.40602@nerc.ac.uk> <49689.172.16.1.23.1203694019.squirrel@www.caleotech.com> Message-ID: <47BEFA50.1010102@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jens Ahlin wrote: >> Jens Ahlin wrote: >> >>> So what you are saying is that flock is the one to use. The reason for >>> asking is that broken queue files are building up in the mqueue.in >>> directory, only the df files are present not the qf files. I don't know >>> if >>> this is related to a new problem causing messages to be delayed several >>> hours. ( in the maillog I see A LOT of "SpamAssassin cache hit for >>> message" for the messages that gets delayed. ) The server is not busy, >>> load average < 0.3. Mail is not lost, just delayed, the broken queue >>> files >>> are all junk mail. >>> >> yes... that happens. I'm on CentOS 4.6 which uses the stock redhat >> sendmail 8.13.1. I'm using posix locking (correct for 8.13) but still >> see a slow build up of df files. I have a script that cleans up these >> files which I run a couple of times a year. >> >> I have been told that this was a bug in older versions of sendmail and I >> assume that RH never bothered to backport the patch. However, I can't >> confirm that. >> >> It has never been a problem for me - I'm 99.9% certain that the broken >> messages are actually dealt with correctly, just not properly cleaned up. >> >> here's my bash script: >> >> #!/bin/bash >> # clean up orphaned df* files in mqueue.in >> # no known cause for these files yet. 
>> >> /etc/init.d/MailScanner stop >> >> sleep 2 >> dir="/var/spool/mqueue.in" >> >> file=`find $dir -mtime +1` >> for i in ${file} >> do m=`basename ${i}` >> j=${m:2} >> if [ ! -e "${dir}/qf${j}" ]; then >> mv ${i} /var/tmp/ >> fi >> done >> echo >> df -hl >> >> /etc/init.d/MailScanner start >> >> exit 0 >> >> >> >>> I have flock specified in MailScanner.conf. If I change to default value >>> "Lock Type = " mail is still processed and delivered using POSIX. >>> >>> Any ideas ? >>> >>> Jens >>> >> -- >> Greg Matthews 01491 692445 >> Head of UNIX/Linux, iTSS Wallingford >> >> -- >> > > Ok. Thanks for the info. I'll try to pursue the delay problem and just > ignore the orphaned df files. I think I have found a message that somewhat > confuses mailscanner, I have to test this further during low traffic > hours. I have a set of qf/df files that maybe is the culprit. > I'm always interested to hear of specific messages that cause problems. Narrow down the problem as far as you can, then send me a link to the message queue files along with what the problem is, and I'll take a look. I've not got much planned for this weekend. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHvvpQEfZZRxQVtlQRAvpcAJ991+mVUu0Gyy8wCMx+ahx9HjC5HwCg2FHw 2cyX+G/PgWM/X6t0WmEmONE= =7bkv -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Feb 22 16:38:41 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 22 16:39:12 2008 Subject: http proxy:suggestion In-Reply-To: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> Message-ID: <47BEFA91.1010200@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 shuttlebox wrote: > On Fri, Feb 22, 2008 at 3:49 PM, David Lee wrote: > >> Julian: A suggestion to assist large sites which sit behind tight >> firewalls... >> >> The "cron.daily" scripts "update_phishing_sites" and "update_spamassassin" >> need to reach out to remote websites. But at some large sites, the >> general practice is for web browsers to divert via a cache service. In >> this context the MS "update*" scripts are web clients (pseudo-browsers) >> and so the site-friendly way for the sites to work would be to honour any >> "http_proxy" environment variable. >> >> That is almost, but not quite, already in place. (Run manually, with >> explicit "http_proxy", it works.) >> >> What still seems absent is recognising "http_proxy" when run under "cron". >> >> Those scripts already do: >> if [ -f /etc/sysconfig/MailScanner ] ; then >> . /etc/sysconfig/MailScanner >> fi >> >> But that file seems oriented to variables specific to "MailScanner.conf". >> >> Could there also be a "/etc/sysconfig/MailScannerEnv" (or similar) whose >> purpose would be for environment variables for scripts? >> > > I'm all for supporting environment variables like http_proxy but if > the scripts should be overhauled it would be better if they were made > in a more Unix generic way. Sysconfig isn't even a Linux standard but > a Red Hat one. :-) > I believe SuSE use /etc/sysconfig too. I don't use a proxy at all, so have no easy way to test any of this. If you want to modify the scripts and send me the modified ones, I'll take a look at your changes certainly. 
Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHvvqSEfZZRxQVtlQRAnZIAKCW54n0/4xt1ao5dlXo4hZiCGY4bQCdFfRl hvDVXq/zCQe+5Ynrs6DF6U0= =+2S+ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Feb 22 16:48:02 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 22 16:48:24 2008
Subject: Very long filenames?
In-Reply-To:
References:
Message-ID: <47BEFCC2.6070101@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Sapiro wrote:
> Bjørn T Johansen wrote:
>
>> But how long is max length? And is there a way to find the original filename?
>>
>
>>>> The only option I can find in filenames.rules.conf is this..:
>>>>
>>>> deny .{150,} Very long filename, possible OE attack
>>>>
>
> That regexp matches anything 150 or more characters long. so the max
> length is 149.
>
> If the message was quarantined, I expect the original name is in the
> quarantined message. If not, there is a MailScanner entry in maillog,
> but I don't know if it has the original or the sanitized name.
>
The original filename is put in the log. Only sanitised names are ever
passed back to the user. As far as I am aware, there are no attacks that
can be launched by putting nasty strings in the call to syslogd. It is
just truncated to the maximum length of the syslog entry. But there are
many attacks that can be launched by putting arbitrary strings into
email messages sent to the user. Just imagine a long filename that
contained newline sequences and MIME boundaries, you could put an entire
attachment into a maliciously crafted filename.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHvvzCEfZZRxQVtlQRAg+vAKDVT7ZdG8k83RVIT2TUtHNHh/2WggCZAU6p
0OdHUi0qCrB6uePvHACAlh4=
=KXan
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Feb 22 16:49:32 2008
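The distinction drawn in the message above, between the raw name that goes to the log and the sanitised name that is passed back to the user, can be sketched as follows. This is an added example and not MailScanner's own sanitising code; the function names, the allowed character set and the sample names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's own sanitising code.
use strict;
use warnings;

my $MAX_LEN = 149;   # longest name that the "deny .{150,}" rule lets through

# Length test on the raw name. length() counts CR and LF like any other
# character, whereas "." in a Perl pattern matches a newline only under /s.
sub is_too_long {
    my ($name) = @_;
    return length($name) > $MAX_LEN ? 1 : 0;
}

# Name that is safe to place in a report or header sent to the user:
# a single line, a conservative character set, a bounded length.
sub sanitise_for_user {
    my ($name) = @_;
    $name = '' unless defined $name;
    $name =~ s/[\x00-\x1f\x7f]+/_/g;     # CR, LF, TAB and other control characters
    $name =~ s/[^A-Za-z0-9._ -]/_/g;     # quotes, ';', ':', '/', 8-bit bytes, ...
    $name =~ s/_{2,}/_/g;                # collapse runs left by the two steps above
    $name =~ s/^[ _]+//;                 # trim leading filler
    $name =~ s/[ _]+$//;                 # trim trailing filler
    $name = substr($name, 0, $MAX_LEN);
    return length($name) ? $name : 'unnamed';
}

# Text for the user-facing report. The raw name never reaches this string.
sub report_line {
    my ($raw) = @_;
    my $reason = is_too_long($raw) ? 'Very long filename' : 'Filename';
    return sprintf('%s: "%s"', $reason, sanitise_for_user($raw));
}

# Constructed sample names: an ordinary one, one carrying line breaks and a
# boundary-like string, and one that is over the limit only when the
# embedded newline is counted.
my @samples = (
    'report.pdf',
    "holiday.jpg\r\n--boundary42\r\nContent-Type: text/plain\r\n\r\nextra part",
    ('A' x 100) . "\n" . ('B' x 100),
);

for my $raw (@samples) {
    my $line = report_line($raw);
    die "report line spans more than one line\n" if $line =~ /[\r\n]/;
    print "$line\n";
}
```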
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 22 16:50:31 2008 Subject: bayes in MySQL with replication In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local> <050d01c87562$e8546930$0301a8c0@SAHOMELT> <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local> Message-ID: <47BEFD1C.6060408@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason Ede wrote: > > Many thanks for that... just what I was looking for... > > I also saw a > > 080222 15:38:55 [ERROR] Slave: Error 'You have an error in your SQL > syntax; check the manual that corresponds to your MySQL server version > for the right syntax to use near 'ON DUPLICATE KEY UPDATE spam_count = > GREATEST(spam_count + '0', 0), > > ' at line 2' on query. Default database: 'sa_bayes'. Query: 'INSERT > INTO bayes_token > > (id ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0), > > ham_count = GREATEST(ham_count + '1', 0), > > atime = GREATEST(atime, '1203694258')?', Error_code: 1064 > That capital A with an accent of some sort right at the end of the query it reports looks very suspicious to me... > > 080222 15:38:55 [ERROR] Error running query, slave SQL thread aborted. > Fix the problem, and restart the slave SQL thread with "SLAVE START". > We stopped at log 'mysql-bin.000011' position 5334725 > > error. 
I?m guessing I can add 1064 to that list too although I can?t > see what the syntax is wrong > > Jason > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *Rick Cooper > *Sent:* 22 February 2008 14:55 > *To:* 'MailScanner discussion' > *Subject:* RE: bayes in MySQL with replication > > ------------------------------------------------------------------------ > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *Jason Ede > *Sent:* Friday, February 22, 2008 7:00 AM > *To:* MailScanner discussion > *Subject:* OT: bayes in MySQL with replication > > (sent 2ce as I think it was blocked first time due to random > binary characters) > > I know this is way off topic, but I?m guessing others have had > this and have solved it... > > Since our 2 mail servers are on different sites and the VPN > between them hasn?t been overly reliable I?ve been trialling the > bayes in MySQL with Master ? Master replication. (MySQL 5.0) > > This seems to work fine for a few hours and I then get... > > 080222 10:38:07 [ERROR] Slave: Error 'Duplicate entry ' binary>' for key 1' on query. Default database: 'sa_bayes'. Query: > 'INSERT INTO bayes_token > > (id, token, spam_count, ham_count, atime) > > VALUES ('1','','0','1','1203675610')', Error_code: 1062 > > 080222 10:38:07 [ERROR] Error running query, slave SQL thread > aborted. Fix the problem, and restart the slave SQL thread with > "SLAVE START". We stopped at log 'mysql-bin.000006' position 8791360 > > and SQL replication stops. Is there any way of avoiding this or of > specifying a default action in case of a clash like this? > > Currently each mailserver connects to the local copy of the database. > > Jason > > > [Rick Cooper] > > Add > > slave-skip-errors = 1062 > > To your mysql config file under the [mysqld] section. 
that line > says skip duplication errors, you might even want > slave-skip-errors = 1053,1062 (skip master shutting down and data > duplication errors) > > Look here for other replication config options that might interest you > > http://dev.mysql.com/doc/refman/5.1/en/replication-options.html > > > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , > and is > believed to be clean. > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: windows-1252 wj8DBQFHvv0dEfZZRxQVtlQRAgc1AKDLterpDwhURRIpdo3urLG58emFIQCfQ+yf 8ohSY6szukEZOeKvCdLSYmI= =2DWB -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From J.Ede at birchenallhowden.co.uk Fri Feb 22 17:05:30 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Feb 22 17:06:00 2008 Subject: bayes in MySQL with replication In-Reply-To: <47BEFD1C.6060408@ecs.soton.ac.uk> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local> <050d01c87562$e8546930$0301a8c0@SAHOMELT> <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local> <47BEFD1C.6060408@ecs.soton.ac.uk> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F535@server02.bhl.local> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 22 February 2008 16:50 To: MailScanner discussion Subject: Re: bayes in MySQL with replication -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > 080222 15:38:55 [ERROR] Slave: Error 'You have an error in your SQL > syntax; check the manual that corresponds to your MySQL server version > for the right syntax to use near 'ON DUPLICATE KEY UPDATE spam_count = > GREATEST(spam_count + '0', 0), > > ' at line 2' on query. Default database: 'sa_bayes'. Query: 'INSERT > INTO bayes_token > > (id ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0), > > ham_count = GREATEST(ham_count + '1', 0), > > atime = GREATEST(atime, '1203694258')?', Error_code: 1064 > That capital A with an accent of some sort right at the end of the query it reports looks very suspicious to me... > > 080222 15:38:55 [ERROR] Error running query, slave SQL thread aborted. > Fix the problem, and restart the slave SQL thread with "SLAVE START". > We stopped at log 'mysql-bin.000011' position 5334725 > I was kinda suspecting that... Although I'd have thought other people would have come across this if there was a problem in the bayes SQL code, but I can't seem to find that problem reported.. I'll try some more digging. Jason From rcooper at dwford.com Fri Feb 22 17:07:59 2008 From: rcooper at dwford.com (Rick Cooper) Date: Fri Feb 22 17:08:13 2008 Subject: bayes in MySQL with replication In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local><050d01c87562$e8546930$0301a8c0@SAHOMELT> <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local> Message-ID: <054601c87575$7a67de30$0301a8c0@SAHOMELT> _____ 
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede
Sent: Friday, February 22, 2008 10:47 AM
To: MailScanner discussion
Subject: RE: bayes in MySQL with replication

Many thanks for that... just what I was looking for...

I also saw a

080222 15:38:55 [ERROR] Slave: Error 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0),
' at line 2' on query. Default database: 'sa_bayes'. Query: 'INSERT INTO bayes_token
(id ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0),
ham_count = GREATEST(ham_count + '1', 0),
atime = GREATEST(atime, '1203694258')?', Error_code: 1064

080222 15:38:55 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.000011' position 5334725

error. I'm guessing I can add 1064 to that list too although I can't see what the syntax is wrong

[...]

I have never seen ON DUPLICATE KEY syntax like that?

    INSERT INTO bayes_token (id, ham_count, atime) VALUES \
    ( GREATEST(spam_count + '0', 0),GREATEST(ham_count + '1', 0), \
    GREATEST(atime, '1203694258') ) \
    ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0), \
    ham_count = GREATEST(ham_count + '1', 0), atime = GREATEST(atime, '1203694258');

would be how I would write it.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Howard at Harper-Adams.ac.uk Fri Feb 22 16:59:00 2008
From: Howard at Harper-Adams.ac.uk (Howard Robinson) Date: Fri Feb 22 17:30:31 2008 Subject: Sophos Error message Message-ID: <47BEFF53.20E8.005B.0@harper-adams.ac.uk> Dear list I have updated Sophos using Linux.intel.libc6.tar.Z using Julian's routine /usr/sbin/Sophos.install It appeared to run through okay but seemed fast! Anyway on restarting MailScanner I get the following in the Maillog and emails refused to move in or out. "SophosSAVI ERROR:: getting version: One of the files in a split-virus data set could not be located (557)" Any ideas I had a quick look at WIKI but nothing appeared to be relevant . In the end I had to rem out sophos from list of virus scanners used to get email flowing again. Two others are still there and so we are not unprotected but I like Sophos and usually it updates ok Any help appreciated. Thanks Have a good weekend. Regards Howard Robinson, (Senior Technical Development Officer), Harper Adams University College, Edgmond, Newport, Shropshire , TF10 8NB. Tel. Direct 01952 815253 Tel. Switch Board 01952 820280 Fax 01952 814783 Email hrobinson@harper-adams.ac.uk Web www.harper-adams.ac.uk From t.d.lee at durham.ac.uk Fri Feb 22 17:52:14 2008 
From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Feb 22 17:52:41 2008 Subject: http proxy:suggestion In-Reply-To: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> Message-ID: On Fri, 22 Feb 2008, shuttlebox wrote: > On Fri, Feb 22, 2008 at 3:49 PM, David Lee wrote: > > > > [...] > > Those scripts already do: > > if [ -f /etc/sysconfig/MailScanner ] ; then > > . /etc/sysconfig/MailScanner > > fi > > > > But that file seems oriented to variables specific to "MailScanner.conf". > > > > Could there also be a "/etc/sysconfig/MailScannerEnv" (or similar) whose > > purpose would be for environment variables for scripts? > > I'm all for supporting environment variables like http_proxy but if > the scripts should be overhauled it would be better if they were made > in a more Unix generic way. Sysconfig isn't even a Linux standard but > a Red Hat one. :-) "The great thing about standards is that there are so many to choose from." (Don't know who originally said it, but it seemed relevant...) I think this pathnaming issue is an area where each OS (perhaps even flavour within an OS) is different. For instance, for this particular directory, Redhat-based systems (including Fedora, Centos) seem to use "/etc/sysconfig/", whereas Solaris seems to use "/etc/default". There just isn't a nice, single "standard". In the world of portability, this is something that the developers and packagers handle by abstraction; in a typical automake/autoconf package, represented as (for instance) "@SYSCONFIG_DIR@". By the time it installs on the end-user system that has been substituted with the correct value, which is different on different OSes. That's certainly what we do in the maintenance and packaging of the "heartbeat" (aka "Linux-HA") package. Each end-system automatically ends up with the correct value for the pathname. -- : David Lee I.T. 
Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From t.d.lee at durham.ac.uk Fri Feb 22 18:01:22 2008 From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Feb 22 18:01:55 2008 Subject: http proxy:suggestion In-Reply-To: <47BEFA91.1010200@ecs.soton.ac.uk> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> Message-ID: On Fri, 22 Feb 2008, Julian Field wrote: > I believe SuSE use /etc/sysconfig too. I don't use a proxy at all, so > have no easy way to test any of this. If you want to modify the scripts > and send me the modified ones, I'll take a look at your changes certainly. Julian: I'm happy to code it and test it and send you a patch. But what I need from you is guidance along the lines of: "MS should have a file called FILE-MS whose purpose is PURPOSE-MS and another file called FILE-ENV whose purpose is PURPOSE-ENV." The purposes are probably something like: PURPOSE-MS: set variables used within "MailScanner.conf" PURPOSE-ENV: set variables (environment) used by scripts. And advice on file names. "FILE-MS" is already "MailScanner"; but what should "FILE-ENV" be called? On the other hand we could do the dirty fudge of throwing everything into the existing single file. In reality for this particular issue that means testing whether the existing "/etc/sysconfig/MailScanner" can simply take an additional "http_proxy" specification which (a) works (b) doesn't break anything else. If you can advise on those items, I'll try to code it and test it. Best wishes. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From rcooper at dwford.com Fri Feb 22 18:52:25 2008 
From: rcooper at dwford.com (Rick Cooper) Date: Fri Feb 22 18:52:38 2008 Subject: http proxy:suggestion In-Reply-To: <47BEFA91.1010200@ecs.soton.ac.uk> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> Message-ID: <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Julian Field > Sent: Friday, February 22, 2008 11:39 AM > To: MailScanner discussion > Subject: Re: http proxy:suggestion > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > shuttlebox wrote: > > On Fri, Feb 22, 2008 at 3:49 PM, David Lee > wrote: > > > >> Julian: A suggestion to assist large sites which sit behind tight > >> firewalls... > >> > >> The "cron.daily" scripts "update_phishing_sites" and > "update_spamassassin" > >> need to reach out to remote websites. But at some large > sites, the > >> general practice is for web browsers to divert via a > cache service. In > >> this context the MS "update*" scripts are web clients > (pseudo-browsers) > >> and so the site-friendly way for the sites to work would > be to honour any > >> "http_proxy" environment variable. > >> > >> That is almost, but not quite, already in place. (Run > manually, with > >> explicit "http_proxy", it works.) > >> > >> What still seems absent is recognising "http_proxy" when > run under "cron". > >> > >> Those scripts already do: > >> if [ -f /etc/sysconfig/MailScanner ] ; then > >> . /etc/sysconfig/MailScanner > >> fi > >> > >> But that file seems oriented to variables specific to > "MailScanner.conf". > >> > >> Could there also be a "/etc/sysconfig/MailScannerEnv" > (or similar) whose > >> purpose would be for environment variables for scripts? > >> > > > > I'm all for supporting environment variables like http_proxy but if > > the scripts should be overhauled it would be better if > they were made > > in a more Unix generic way. Sysconfig isn't even a Linux > standard but > > a Red Hat one. :-) > > > I believe SuSE use /etc/sysconfig too. I don't use a proxy > at all, so > have no easy way to test any of this. If you want to modify > the scripts > and send me the modified ones, I'll take a look at your > changes certainly. 
>
>
> Jules
>

All of our mail servers are behind firewalls/proxies (authenticating, forced, squid) and I personally just add an accept statement for the relevant servers to pass around the outbound redirect to proxy for relevant web traffic.

That said, why not use the (.)?wgetrc and (.)?curlrc files to enter the default proxy/user/password information on systems that need this information? I have done this in the past for a specific server for a specific reason. Or are those items OS specific?

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From william at raidbr.com.br Fri Feb 22 19:29:55 2008
From: william at raidbr.com.br (William A. Knob)
Date: Fri Feb 22 19:26:44 2008
Subject: Again: Subdomains on the SQLBlackWhiteList.pm stuff
Message-ID: <47BF22B3.3020308@raidbr.com.br>

Hi all,

Sorry for a lot of emails about the same subject but I REALLY want that stuff working... I need so much to add "subdomains" on my black/whitelist databases of SQL stuff. How can it do this? What kind of change do we need to make on the SQL stuff to get this working fine?

Please help me;

Regards and sorry,

--
*William A. Knob - Development Division*
Raidbr Soluções em Informática Ltda.
Rua José Albino Reuse, 1125. Cinquentenário.
Caxias do Sul - RS
Phone/Fax: (54) 3223.7074
Visit our site: www.raidbr.com.br

--
This message has been checked by the antivirus system and is believed to be free of danger.

From MailScanner at ecs.soton.ac.uk Fri Feb 22 21:50:49 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 22 21:51:29 2008
Subject: Again: Subdomains on the SQLBlackWhiteList.pm stuff
In-Reply-To: <47BF22B3.3020308@raidbr.com.br>
References: <47BF22B3.3020308@raidbr.com.br>
Message-ID: <47BF43B9.2030501@ecs.soton.ac.uk>

William A. Knob wrote:
> Hi all,
>
> Sorry for a lot of emails about the same subject but I REALLY want
> that stuff working... I need so much to add "subdomains" on my
> black/whitelist databases of SQL stuff. How can it do this? What
> kind of change do we need to make on the SQL stuff to get this working fine?
>
> Please help me;
>
> Regards and sorry,

To add *.domain.com support requires a complete re-write of the SQL stuff. It totally breaks the design philosophy of the existing code.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Sat Feb 23 00:27:33 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Feb 23 00:28:18 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <107395.41019.qm@web33306.mail.mud.yahoo.com>
References: <107395.41019.qm@web33306.mail.mud.yahoo.com>
Message-ID:

on 2/21/2008 5:59 PM Michael Mansour spake the following:
> Hi,
>
> --- Scott Silva wrote:
>
>> on 2/21/2008 3:22 AM Andy Wright spake the following:
>>> Scott Silva wrote:
>>>> I would just be happy if I could set Mailwatch to not protect me from
>>>> myself and allow me to release virus content. I think I saw a patch
>>>> somewhere, but I sure can't find it.
>>>>
>>> Scott, if you're still looking for a way to do this you can edit line
>>> 326 of details.php in your mailwatch html directory - find the line;
>>> if($item['dangerous'] !== "Y") {
>>>
>>> and change the "Y" to something else - I altered mine to "r", then
>>> you'll be able to release all items no matter how they're flagged.
>>> Andy.
>> Thank you! I knew I saw it somewhere.
>>
>> Now to get the multi-release patches working in 1.0.4.
>> I'll probably get it just in time for 2.0 to come out.
>
> Which "Report" would I use in MailWatch to show me all
> the Viruses for all domains?
>
> I've tried to use the "Virus Report" but am not sure
> how to use it.
>

As you have seen, the virus report is only a "top ten" report over whatever period you filter for. Are you looking for a total per day, or just a running total over whatever period your database covers?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mailscanner2 at eltofts.homelinux.com Sat Feb 23 00:27:44 2008
From: mailscanner2 at eltofts.homelinux.com (Andy Wright) Date: Sat Feb 23 00:28:28 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: <107395.41019.qm@web33306.mail.mud.yahoo.com> References: <107395.41019.qm@web33306.mail.mud.yahoo.com> Message-ID: <47BF6880.90009@eltofts.homelinux.com> Michael Mansour wrote: > Which "Report" would I use in MailWatch to show me all > the Viruses for all domains? > > I've tried to use the "Virus Report" but am not sure > how to use it. > > Thanks. > > Michael. > > You should also have a filter named "contained a virus (>0 = TRUE)", just choose that and "is greater than" , "0" Andy. From rcooper at dwford.com Sat Feb 23 00:28:50 2008 From: rcooper at dwford.com (Rick Cooper) Date: Sat Feb 23 00:29:06 2008 Subject: bayes in MySQL with replication In-Reply-To: <47BEFD1C.6060408@ecs.soton.ac.uk> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local> <050d01c87562$e8546930$0301a8c0@SAHOMELT><4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local> <47BEFD1C.6060408@ecs.soton.ac.uk> Message-ID: <05cc01c875b3$100073c0$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Julian Field
> Sent: Friday, February 22, 2008 11:50 AM
> To: MailScanner discussion
> Subject: Re: bayes in MySQL with replication
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Jason Ede wrote:
> >
> > Many thanks for that... just what I was looking for...
> >
> > I also saw a
> >
> > 080222 15:38:55 [ERROR] Slave: Error 'You have an error in your SQL
> > syntax; check the manual that corresponds to your MySQL server version
> > for the right syntax to use near 'ON DUPLICATE KEY UPDATE spam_count =
> > GREATEST(spam_count + '0', 0),
> >
> > ' at line 2' on query. Default database: 'sa_bayes'. Query: 'INSERT
> > INTO bayes_token
> >
> > (id ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0),
> >
> > ham_count = GREATEST(ham_count + '1', 0),
> >
> > atime = GREATEST(atime, '1203694258')?', Error_code: 1064
> >
> That capital A with an accent of some sort right at the end of the query
> it reports looks very suspicious to me...

[...]

The part that mysql is complaining about starts 'ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0)'. It makes sense to me because the entire syntax looks wacked. Unless there is something I missed all this time, the syntax for that statement goes

    INSERT INTO table (item1,item2,...) VALUES (value1,value2,...)
    ON DUPLICATE KEY UPDATE field1='value', field2='value',...

Unless their way it is written is a special mysql short hand I have never seen before. Could be ;->).

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Sat Feb 23 00:31:44 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Feb 23 00:35:16 2008
Subject: Cannot allow 'exe' files
In-Reply-To:
References: <094901c87507$c14e8ab0$0200a8c0@CharlieCompaq>
Message-ID:

on 2/21/2008 8:36 PM ? spake the following:
> Charlie wrote:
>
>> I have just reinstalled MailScanner but it is not allowing any
>> executable files (e.g. com, exe) to be sent *even though* I have
>> changed the relevant configuration file 'filename.rules.conf', and am
>> pretty sure I have successfully restarted MailScanner.
>>
>> The error I receive back from the server is:
>> The following e-mails were found to have: Bad Filename Detected
>> (and then in the Quarantine section it says: No programs allowed)
>>
>> The changes I did to 'filename.rules.conf' were to comment out these
>> two lines as follows:
>> #deny \.com$ Windows/DOS Executable
>> #deny \.exe$ Windows/DOS Executable
>>
>> I'm not sure what else to try.
>
> # Where the "file" command is installed.
> # This is used for checking the content type of files, regardless of their
> # filename.
> # To disable Filetype checking, set this value to blank.
> File Command = #/usr/bin/file

That is like doing brain surgery with a chainsaw. That will disable "all" filetype checks.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From J.Ede at birchenallhowden.co.uk Sat Feb 23 10:22:19 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Sat Feb 23 10:22:43 2008
Subject: bayes in MySQL with replication
In-Reply-To: <05cc01c875b3$100073c0$0301a8c0@SAHOMELT>
References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local>
	<050d01c87562$e8546930$0301a8c0@SAHOMELT><4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local>
	<47BEFD1C.6060408@ecs.soton.ac.uk>
	<05cc01c875b3$100073c0$0301a8c0@SAHOMELT>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F53A@server02.bhl.local>

It's the standard bayes MySQL module. I've looked at both ends and I can't see where that code is generated.

Jason

From rcooper at dwford.com Sat Feb 23 16:23:06 2008 From: rcooper at dwford.com (Rick Cooper) Date: Sat Feb 23 16:23:20 2008 Subject: bayes in MySQL with replication In-Reply-To: <47BEFD1C.6060408@ecs.soton.ac.uk> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local> <050d01c87562$e8546930$0301a8c0@SAHOMELT><4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local> <47BEFD1C.6060408@ecs.soton.ac.uk> Message-ID: <01b401c87638$5f8b4cf0$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Julian Field
> Sent: Friday, February 22, 2008 11:50 AM
> To: MailScanner discussion
> Subject: Re: bayes in MySQL with replication
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Jason Ede wrote:
> >
> > Many thanks for that... just what I was looking for...
> >
> > I also saw a
> >
> > 080222 15:38:55 [ERROR] Slave: Error 'You have an error in your SQL
> > syntax; check the manual that corresponds to your MySQL server version
> > for the right syntax to use near 'ON DUPLICATE KEY UPDATE spam_count =
> > GREATEST(spam_count + '0', 0),
> >
> > ' at line 2' on query. Default database: 'sa_bayes'. Query: 'INSERT
> > INTO bayes_token
> >
> > (id ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '0', 0),
> >
> > ham_count = GREATEST(ham_count + '1', 0),
> >
> > atime = GREATEST(atime, '1203694258')?', Error_code: 1064
> >
> That capital A with an accent of some sort right at the end of the query
> it reports looks very suspicious to me...

That really didn't look suspicious to me, I don't know his OS but I can tell you that character will appear all over the place in say, CENTOS if you leave the LANG setting at the default. I never bothered trying to see exactly what white space character is being interpreted but you will see it when you, say cat or grep a log or, most annoying, if you look at any man page. Setting LANG=en_US.iso88591 makes them all go away nicely. So I assumed that was the issue here.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Sat Feb 23 16:39:33 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Sat Feb 23 16:39:47 2008
Subject: bayes in MySQL with replication
In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F53A@server02.bhl.local>
References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F509@server02.bhl.local><050d01c87562$e8546930$0301a8c0@SAHOMELT><4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F527@server02.bhl.local><47BEFD1C.6060408@ecs.soton.ac.uk><05cc01c875b3$100073c0$0301a8c0@SAHOMELT>
	<4CAB0118AEC63A4FAAE77E6BCBDF760C135C60F53A@server02.bhl.local>
Message-ID: <01b501c8763a$abd54280$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Saturday, February 23, 2008 5:22 AM
> To: MailScanner discussion
> Subject: RE: bayes in MySQL with replication
>
> It's the standard bayes MySQL module. I've looked at both
> ends and I can't see where that code is generated.
>
> Jason
>

[...]

I just looked through that code myself and I only find two instances of ON DUPLICATE...

    my $sql = "INSERT INTO bayes_token
               (id, token, spam_count, ham_count, atime)
               VALUES (?,?,?,?,?)
               ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + ?, 0),
                                       ham_count = GREATEST(ham_count + ?, 0),
                                       atime = GREATEST(atime, ?)";

Both have the correct syntax. That is really odd. It explains why every install doesn't puke when it hits that code, because SA isn't generating that code at all. And the way the syntax is corrupted doesn't look random at all. Makes you wonder where that is coming from, skipping syntax errors would certainly keep the slave up, but that update clearly failed and I wouldn't want to see that continue if I were you as your bayes database would obviously be inaccurate.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mikew at crucis.net Sun Feb 24 02:24:45 2008
From: mikew at crucis.net (Mike Watson) Date: Sun Feb 24 02:24:53 2008 Subject: MailScanner 4.88.5-3 not being invoked by sendmail Message-ID: <47C0D56D.2040102@crucis.net> I've been using MailScanner for some years. My old mail server (Fedora 3/MS 4.37.7-1/SA 3.0.4-2.fc3/sendmail 8.13) works fine but it is running out of room. I built a new mail server running Fedora 7, MS 4.66.5-3, and Spamassassin 3.2.4-1.fc7 with sendmail 8.14. Sendmail works and I can send and receive mail through it. But---MailScanner, although returning a good status, is either not running or not being invoked. There are no MailScanner or Spamassassin headers being added to e-mail, nor is there any info provided in maillog. I'm at a quandary. The MS install appears to run correctly without error. The customizations to the .conf files are the same as on the working box. Is there another install step that I missed? Here is the output of MailScanner -v: [root@cygni ~]# MailScanner -v Running on Linux cygni.crucis.net 2.6.21-7.fc7xen #1 SMP Tue Feb 12 12:32:24 EST 2008 i686 athlon i386 GNU/Linux This is Fedora release 7 (Moonshine) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.66.5 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 1.04 Carp 1.119 Convert::BinHex 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.19 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.02 Mail::Header 1.86 Math::BigInt 3.07 MIME::Base64 5.425 MIME::Decoder 5.425 MIME::Decoder::UU 5.425 MIME::Head 5.425 MIME::Parser 3.07 MIME::QuotedPrint 5.425 MIME::Tools 0.11 Net::CIDR 1.09 POSIX 1.18 Scalar::Util 1.78 Socket 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.30 Archive::Tar 0.21 bignum missing Business::ISBN missing Business::ISBN::Data 0.17 Convert::TNEF missing Data::Dump 1.815 DB_File 1.13 
DBD::SQLite 1.56 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 missing Encode::Detect missing Error missing ExtUtils::CBuilder missing ExtUtils::ParseXS missing Inline missing IO::String 1.04 IO::Zlib missing IP::Country missing Mail::ClamAV 3.002004 Mail::SpamAssassin missing Mail::SPF missing Mail::SPF::Query 0.19 Math::BigRat missing Module::Build missing Net::CIDR::Lite 0.61 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP missing NetAddr::IP missing Parse::RecDescent missing SAVI 2.64 Test::Harness missing Test::Manifest 1.95 Text::Balanced 1.35 URI missing version missing YAML [root@cygni ~]# Mike W -- -- "Lose not thy airspeed, lest the ground rises up and smites thee." -- William Kershner From ugob at lubik.ca Sun Feb 24 04:26:35 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Sun Feb 24 04:26:56 2008 Subject: MailScanner 4.88.5-3 not being invoked by sendmail In-Reply-To: <47C0D56D.2040102@crucis.net> References: <47C0D56D.2040102@crucis.net> Message-ID: Mike Watson wrote: > I've been using MailScanner for some years. My old mail server (Fedora > 3/MS 4.37.7-1/SA 3.0.4-2.fc3/sendmail 8.13) works fine but it is running > out of room. I built a new mail server running Fedora 7, MS 4.66.5-3, > and Spamassassin 3.2.4-1.fc7 with sendmail 8.14. > > Sendmail works and I can send and receive mail through it. > But---MailScanner, although returning a good status, is either not > running or not being invoked. There are no MailScanner or Spamassassin > headers being added to e-mail, nor is there any info provided in maillog. > > I'm at a quandary. The MS install appears to run correctly without > error. The customizations to the .conf files are the same as on the > working box. Is there another install step that I missed? > Have you stopped the 'sendmail' service? From dyioulos at firstbhph.com Sun Feb 24 16:23:58 2008 
From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Sun Feb 24 16:24:20 2008 Subject: MailScanner 4.88.5-3 not being invoked by sendmail In-Reply-To: <47C0D56D.2040102@crucis.net> References: <47C0D56D.2040102@crucis.net> Message-ID: <20080224161937.M60002@firstbhph.com> On Sat, 23 Feb 2008 20:24:45 -0600, Mike Watson wrote > I've been using MailScanner for some years. My old mail server (Fedora > 3/MS 4.37.7-1/SA 3.0.4-2.fc3/sendmail 8.13) works fine but it is running > out of room. I built a new mail server running Fedora 7, MS 4.66.5-3, > and Spamassassin 3.2.4-1.fc7 with sendmail 8.14. > > Sendmail works and I can send and receive mail through it. > But---MailScanner, although returning a good status, is either not > running or not being invoked. There are no MailScanner or Spamassassin > headers being added to e-mail, nor is there any info provided in maillog. > > I'm at a quandary. The MS install appears to run correctly without > error. The customizations to the .conf files are the same as on the > working box. Is there another install step that I missed? 
> > Here is the output of MailScanner -v: > > [root@cygni ~]# MailScanner -v > Running on > Linux cygni.crucis.net 2.6.21-7.fc7xen #1 SMP Tue Feb 12 12:32:24 EST > 2008 i686 athlon i386 GNU/Linux > This is Fedora release 7 (Moonshine) > This is Perl version 5.008008 (5.8.8) > > This is MailScanner version 4.66.5 > Module versions are: > 1.00 AnyDBM_File > 1.16 Archive::Zip > 1.04 Carp > 1.119 Convert::BinHex > 2.27 Date::Parse > 1.00 DirHandle > 1.05 Fcntl > 2.74 File::Basename > 2.09 File::Copy > 2.01 FileHandle > 1.08 File::Path > 0.19 File::Temp > 0.90 Filesys::Df > 1.35 HTML::Entities > 3.56 HTML::Parser > 2.37 HTML::TokeParser > 1.23 IO > 1.14 IO::File > 1.13 IO::Pipe > 2.02 Mail::Header > 1.86 Math::BigInt > 3.07 MIME::Base64 > 5.425 MIME::Decoder > 5.425 MIME::Decoder::UU > 5.425 MIME::Head > 5.425 MIME::Parser > 3.07 MIME::QuotedPrint > 5.425 MIME::Tools > 0.11 Net::CIDR > 1.09 POSIX > 1.18 Scalar::Util > 1.78 Socket > 1.4 Sys::Hostname::Long > 0.18 Sys::Syslog > 1.86 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 1.30 Archive::Tar > 0.21 bignum > missing Business::ISBN > missing Business::ISBN::Data > 0.17 Convert::TNEF > missing Data::Dump > 1.815 DB_File > 1.13 DBD::SQLite > 1.56 DBI > 1.14 Digest > 1.01 Digest::HMAC > 2.36 Digest::MD5 > 2.11 Digest::SHA1 > missing Encode::Detect > missing Error > missing ExtUtils::CBuilder > missing ExtUtils::ParseXS > missing Inline > missing IO::String > 1.04 IO::Zlib > missing IP::Country > missing Mail::ClamAV > 3.002004 Mail::SpamAssassin > missing Mail::SPF > missing Mail::SPF::Query > 0.19 Math::BigRat > missing Module::Build > missing Net::CIDR::Lite > 0.61 Net::DNS > missing Net::DNS::Resolver::Programmable > missing Net::LDAP > missing NetAddr::IP > missing Parse::RecDescent > missing SAVI > 2.64 Test::Harness > missing Test::Manifest > 1.95 Text::Balanced > 1.35 URI > missing version > missing YAML > [root@cygni ~]# > > Mike W > > -- > -- > > "Lose not thy airspeed, lest the ground 
rises up and smites thee."
> -- William Kershner
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --

I believe it's the other way around - MailScanner invokes Sendmail. Make sure that Sendmail isn't running on its own, just MS, SA, and anti-virus progie.

Dimitri

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Sun Feb 24 16:49:12 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Feb 24 16:49:55 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C0D56D.2040102@crucis.net>
References: <47C0D56D.2040102@crucis.net>
Message-ID: <47C1A008.7010209@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would start with this:
1. Log in as root, or "su -" (the "-" is very important, without it you don't get all of root's environment such as its "$PATH")
2. chkconfig sendmail off
3. chkconfig MailScanner on
4. service sendmail stop
5. service MailScanner restart
That will stop your mail bypassing MailScanner.

I would also advise you install some more of the optional Perl modules, you are missing rather a lot at the moment. It will catch more spam if you install the missing modules. You don't need "SAVI" unless you're using Sophos, and you only need "Mail::ClamAV" if you're using "Virus Scanners = clamavmodule", and you won't need Net::LDAP. But other than those, I would install the rest of them.

If you have anything such as spamd running, you can switch that off. MailScanner talks to SpamAssassin more efficiently than that daemon, so it's just wasting resources at the moment if it's running.

Mike Watson wrote:
> I've been using MailScanner for some years. My old mail server
> (Fedora 3/MS 4.37.7-1/SA 3.0.4-2.fc3/sendmail 8.13) works fine but it
> is running out of room. I built a new mail server running Fedora 7,
> MS 4.66.5-3, and Spamassassin 3.2.4-1.fc7 with sendmail 8.14.
>
> Sendmail works and I can send and receive mail through it.
> But---MailScanner, although returning a good status, is either not
> running or not being invoked. There are no MailScanner or
> Spamassassin headers being added to e-mail, nor is there any info
> provided in maillog.
>
> I'm at a quandary. The MS install appears to run correctly without
> error. The customizations to the .conf files are the same as on the
> working box.
Is there another install step that I missed? > > Here is the output of MailScanner -v: > > > [root@cygni ~]# MailScanner -v > Running on > Linux cygni.crucis.net 2.6.21-7.fc7xen #1 SMP Tue Feb 12 12:32:24 EST > 2008 i686 athlon i386 GNU/Linux > This is Fedora release 7 (Moonshine) > This is Perl version 5.008008 (5.8.8) > > This is MailScanner version 4.66.5 > Module versions are: > 1.00 AnyDBM_File > 1.16 Archive::Zip > 1.04 Carp > 1.119 Convert::BinHex > 2.27 Date::Parse > 1.00 DirHandle > 1.05 Fcntl > 2.74 File::Basename > 2.09 File::Copy > 2.01 FileHandle > 1.08 File::Path > 0.19 File::Temp > 0.90 Filesys::Df > 1.35 HTML::Entities > 3.56 HTML::Parser > 2.37 HTML::TokeParser > 1.23 IO > 1.14 IO::File > 1.13 IO::Pipe > 2.02 Mail::Header > 1.86 Math::BigInt > 3.07 MIME::Base64 > 5.425 MIME::Decoder > 5.425 MIME::Decoder::UU > 5.425 MIME::Head > 5.425 MIME::Parser > 3.07 MIME::QuotedPrint > 5.425 MIME::Tools > 0.11 Net::CIDR > 1.09 POSIX > 1.18 Scalar::Util > 1.78 Socket > 1.4 Sys::Hostname::Long > 0.18 Sys::Syslog > 1.86 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 1.30 Archive::Tar > 0.21 bignum > missing Business::ISBN > missing Business::ISBN::Data > 0.17 Convert::TNEF > missing Data::Dump > 1.815 DB_File > 1.13 DBD::SQLite > 1.56 DBI > 1.14 Digest > 1.01 Digest::HMAC > 2.36 Digest::MD5 > 2.11 Digest::SHA1 > missing Encode::Detect > missing Error > missing ExtUtils::CBuilder > missing ExtUtils::ParseXS > missing Inline > missing IO::String > 1.04 IO::Zlib > missing IP::Country > missing Mail::ClamAV > 3.002004 Mail::SpamAssassin > missing Mail::SPF > missing Mail::SPF::Query > 0.19 Math::BigRat > missing Module::Build > missing Net::CIDR::Lite > 0.61 Net::DNS > missing Net::DNS::Resolver::Programmable > missing Net::LDAP > missing NetAddr::IP > missing Parse::RecDescent > missing SAVI > 2.64 Test::Harness > missing Test::Manifest > 1.95 Text::Balanced > 1.35 URI > missing version > missing YAML > [root@cygni ~]# > > > Mike W > Jules - 
-- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHwaATEfZZRxQVtlQRAjCMAJwNVT7qjAYSgyEyjNpF6YrZ7VvyGACg6F5d /5aOdOLMrbbpbOZ7gD+bbkE= =cA0n -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mikew at crucis.net Mon Feb 25 01:05:13 2008 
From: mikew at crucis.net (Mike Watson) Date: Mon Feb 25 01:05:43 2008 Subject: MailScanner 4.88.5-3 not being invoked by sendmail In-Reply-To: References: <47C0D56D.2040102@crucis.net> Message-ID: <47C21449.9050905@crucis.net> I'm not sure I understand your question. I know that sendmail must be started by MailScanner. I use the init startup script to control the process---MailScanner starts, then sendmail. I don't start/stop sendmail outside of this script. The script was supplied as part of the MailScanner package. Mike W -- "Lose not thy airspeed, lest the ground rises up and smites thee." -- William Kershner Ugo Bellavance wrote: > Mike Watson wrote: >> I've been using MailScanner for some years. My old mail server >> (Fedora 3/MS 4.37.7-1/SA 3.0.4-2.fc3/sendmail 8.13) works fine but it >> is running out of room. I built a new mail server running Fedora 7, >> MS 4.66.5-3, and Spamassassin 3.2.4-1.fc7 with sendmail 8.14. >> >> Sendmail works and I can send and receive mail through it. >> But---MailScanner, although returning a good status, is either not >> running or not being invoked. There are no MailScanner or >> Spamassassin headers being added to e-mail, nor is there any info >> provided in maillog. >> >> I'm at a quandary. The MS install appears to run correctly without >> error. The customizations to the .conf files are the same as on the >> working box. Is there another install step that I missed? >> > > Have you stopped the 'sendmail' service? > From mikew at crucis.net Mon Feb 25 01:10:23 2008 
From: mikew at crucis.net (Mike Watson)
Date: Mon Feb 25 01:14:25 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C1A008.7010209@ecs.soton.ac.uk>
References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk>
Message-ID: <47C2157F.9060902@crucis.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not at the server at the moment, but I'll run the sequence below and record the result. I have clamav and f-prot for anti-virus. I do get intermittent log entries from sendmail not being able to bind to the port, but sendmail has been up every time I check the port via telnet.

I'm not a Perl guru. Is there a FAQ about using CSPAN so I can load the missing modules?

Mike W
- --

"Lose not thy airspeed, lest the ground rises up and smites thee."
~ -- William Kershner

Julian Field wrote:
| I would start with this:
| 1. Log in as root, or "su -" (the "-" is very important, without it
| you don't get all of root's environment such as its "$PATH")
| 2. chkconfig sendmail off
| 3. chkconfig MailScanner on
| 4. service sendmail stop
| 5. service MailScanner restart
| That will stop your mail bypassing MailScanner.
|
| I would also advise you install some more of the optional Perl modules,
| you are missing rather a lot at the moment. It will catch more spam if
| you install the missing modules. You don't need "SAVI" unless you're
| using Sophos, and you only need "Mail::ClamAV" if you're using "Virus
| Scanners = clamavmodule", and you won't need Net::LDAP. But other than
| those, I would install the rest of them.
|
| If you have anything such as spamd running, you can switch that off.
| MailScanner talks to SpamAssassin more efficiently than that daemon, so
| it's just wasting resources at the moment if it's running.
|
| Mike Watson wrote:
| > I've been using MailScanner for some years. My old mail server
| > (Fedora 3/MS 4.37.7-1/SA 3.0.4-2.fc3/sendmail 8.13) works fine but it
| > is running out of room.
I built a new mail server running Fedora 7, | > MS 4.66.5-3, and Spamassassin 3.2.4-1.fc7 with sendmail 8.14. | | > Sendmail works and I can send and receive mail through it. | > But---MailScanner, although returning a good status, is either not | > running or not being invoked. There are no MailScanner or | > Spamassassin headers being added to e-mail, nor is there any info | > provided in maillog. | | > I'm at a quandary. The MS install appears to run correctly without | > error. The customizations to the .conf files are the same as on the | > working box. Is there another install step that I missed? | | > Here is the output of MailScanner -v: | | | > [root@cygni ~]# MailScanner -v | > Running on | > Linux cygni.crucis.net 2.6.21-7.fc7xen #1 SMP Tue Feb 12 12:32:24 EST | > 2008 i686 athlon i386 GNU/Linux | > This is Fedora release 7 (Moonshine) | > This is Perl version 5.008008 (5.8.8) | | > This is MailScanner version 4.66.5 | > Module versions are: | > 1.00 AnyDBM_File | > 1.16 Archive::Zip | > 1.04 Carp | > 1.119 Convert::BinHex | > 2.27 Date::Parse | > 1.00 DirHandle | > 1.05 Fcntl | > 2.74 File::Basename | > 2.09 File::Copy | > 2.01 FileHandle | > 1.08 File::Path | > 0.19 File::Temp | > 0.90 Filesys::Df | > 1.35 HTML::Entities | > 3.56 HTML::Parser | > 2.37 HTML::TokeParser | > 1.23 IO | > 1.14 IO::File | > 1.13 IO::Pipe | > 2.02 Mail::Header | > 1.86 Math::BigInt | > 3.07 MIME::Base64 | > 5.425 MIME::Decoder | > 5.425 MIME::Decoder::UU | > 5.425 MIME::Head | > 5.425 MIME::Parser | > 3.07 MIME::QuotedPrint | > 5.425 MIME::Tools | > 0.11 Net::CIDR | > 1.09 POSIX | > 1.18 Scalar::Util | > 1.78 Socket | > 1.4 Sys::Hostname::Long | > 0.18 Sys::Syslog | > 1.86 Time::HiRes | > 1.02 Time::localtime | | > Optional module versions are: | > 1.30 Archive::Tar | > 0.21 bignum | > missing Business::ISBN | > missing Business::ISBN::Data | > 0.17 Convert::TNEF | > missing Data::Dump | > 1.815 DB_File | > 1.13 DBD::SQLite | > 1.56 DBI | > 1.14 Digest | > 1.01 Digest::HMAC | 
> 2.36 Digest::MD5 | > 2.11 Digest::SHA1 | > missing Encode::Detect | > missing Error | > missing ExtUtils::CBuilder | > missing ExtUtils::ParseXS | > missing Inline | > missing IO::String | > 1.04 IO::Zlib | > missing IP::Country | > missing Mail::ClamAV | > 3.002004 Mail::SpamAssassin | > missing Mail::SPF | > missing Mail::SPF::Query | > 0.19 Math::BigRat | > missing Module::Build | > missing Net::CIDR::Lite | > 0.61 Net::DNS | > missing Net::DNS::Resolver::Programmable | > missing Net::LDAP | > missing NetAddr::IP | > missing Parse::RecDescent | > missing SAVI | > 2.64 Test::Harness | > missing Test::Manifest | > 1.95 Text::Balanced | > 1.35 URI | > missing version | > missing YAML | > [root@cygni ~]# | | | > Mike W | | | Jules | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHwhV9akodlddMd1ARAtECAJ9PugZEWcLfgDpioLzDxIrTF0ZoJwCfZCYD zMI6Yn/kbIVFcSEVG69TZ4E= =VMyP -----END PGP SIGNATURE----- From mikew at crucis.net Mon Feb 25 01:51:00 2008 
From: mikew at crucis.net (Mike Watson)
Date: Mon Feb 25 01:51:29 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C2157F.9060902@crucis.net>
References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net>
Message-ID: <47C21F04.8040409@crucis.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian, I found that Spamassassin was running as a daemon. I stopped it and changed chkconfig to insure it wouldn't start again at startup.

I entered the sequence below. Created an e-mail, and MailScanner worked. The sequence below seems to be the same as that done in the initscript supplied by MailScanner. Was there any difference? Could it just be the fact that Spamassassin was running as a daemon?

Mike W.
- --

"Lose not thy airspeed, lest the ground rises up and smites thee."
~ -- William Kershner

Mike Watson wrote:
| I'm not at the server at the moment, but I'll run the sequence below and record the result. I have clamav and f-prot for anti-virus. I do get intermittent log entries from sendmail not being able to bind to the port, but sendmail has been up every time I check the port via telnet.
|
| I'm not a Perl guru. Is there a FAQ about using CSPAN so I can load the missing modules?
|
| Mike W
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHwh8BakodlddMd1ARAhHPAKDKJCs46jsiCEHYaeuoXYxZ5dDA1QCgvqlT
yl79bXAImZarhzOfrpG/6F4=
=2XeL
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner@CYGNI, and is believed to be clean.

From hvdkooij at vanderkooij.org Mon Feb 25 05:49:37 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Feb 25 05:50:07 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C2157F.9060902@crucis.net>
References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net>
Message-ID: <47C256F1.6030304@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Watson wrote:
| I'm not at the server at the moment, but I'll run the sequence below and
| record the result. I have clamav and f-prot for anti-virus. I do get
| intermittent log entries from sendmail not being able to bind to the
| port, but sendmail has been up every time I check the port via telnet.
|
| I'm not a Perl guru. Is there a FAQ about using CSPAN so I can load the
| missing modules?

On Fedora one could use rpmforge as it would contain most of the perl modules. (I can't say I prefer to do it that way as I would not choose a short lived distro like Fedora for a server ever.)

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHwlbwBvzDRVjxmYERAn4UAKCj4MeVA0dB6gRcd/l3jaVW/7PlFgCffiOz
GyxNv2Jdw9rWkVp/tCCsvtk=
=xM1A
-----END PGP SIGNATURE-----

From webmaster at ew3d.com Mon Feb 25 06:03:51 2008
From: webmaster at ew3d.com (John Hinton)
Date: Mon Feb 25 06:04:02 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C256F1.6030304@vanderkooij.org>
References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net> <47C256F1.6030304@vanderkooij.org>
Message-ID: <47C25A47.3040506@ew3d.com>

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mike Watson wrote:
> | I'm not at the server at the moment, but I'll run the sequence below
> and
> | record the result. I have clamav and f-prot for anti-virus. I do get
> | intermittent log entries from sendmail not being able to bind to the
> | port, but sendmail has been up every time I check the port via telnet.
> |
> | I'm not a Perl guru. Is there a FAQ about using CSPAN so I can load
> the
> | missing modules?
>
> On Fedora one could use rpmforge as it would contain most of the perl
> modules. (I can't say I prefer to do it that way as I would not choose a
> short lived distro like Fedora for a server ever.)
>
> Hugo.

Mike,

Having just done an install on a CentOS 5 box.... The dag repository is very good. I pulled as many perl modules from there as possible. I still have an issue with yum update and about three of the perl modules installed by mailscanner. I'm going to have to exclude them from updates until versions catch up or pass the installed versions.

Also, Webmin has a very nice perl area under 'Others'. It will pull down and install any module that I have ever needed.

Another way is from the command line. Man cpan and it will tell you the methods for installing perl modules from the command line. It's pretty simple... but there are a lot of modules! ;)

I installed both MailScanner and MailWatch. Running the SpamAssassin Lint test built into MailWatch showed me any missing modules. I was able to use dag for all but two of them.
Seems like there was a command to run from the command line to show this same output, but I don't remember what it was.

Best,
John Hinton

From uxbod at splatnix.net Mon Feb 25 08:02:38 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Feb 25 08:03:02 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C25A47.3040506@ew3d.com>
Message-ID: <29743132.31203926558167.JavaMail.root@office.splatnix.net>

spamassassin -D --lint | grep -i missing

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "John Hinton" wrote:
> Hugo van der Kooij wrote:

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Denis.Beauchemin at USherbrooke.ca Mon Feb 25 13:51:19 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Feb 25 13:51:59 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <29743132.31203926558167.JavaMail.root@office.splatnix.net>
References: <29743132.31203926558167.JavaMail.root@office.splatnix.net>
Message-ID: <47C2C7D7.7090806@USherbrooke.ca>

--[ UxBoD ]-- wrote:
> spamassassin -D --lint | grep -i missing
>
> Regards,
>
>

You should rather use:

spamassassin -D --lint 2>&1 | grep -i missing

Otherwise grep can't do its job (at least on RHEL5)...

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From uxbod at splatnix.net Mon Feb 25 13:58:24 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Feb 25 13:58:45 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C2C7D7.7090806@USherbrooke.ca>
Message-ID: <27019332.791203947904071.JavaMail.root@office.splatnix.net>

doh! true. nice catch

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Denis Beauchemin" wrote:

--[ UxBoD ]-- wrote:
> spamassassin -D --lint | grep -i missing
>
> Regards,
>
>

You should rather use:

spamassassin -D --lint 2>&1 | grep -i missing

Otherwise grep can't do its job (at least on RHEL5)...

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ugob at lubik.ca Mon Feb 25 14:34:51 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Feb 25 14:35:19 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C21F04.8040409@crucis.net>
References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net> <47C21F04.8040409@crucis.net>
Message-ID:

Mike Watson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Julian, I found that Spamassassin was running as a daemon. I stopped it
> and changed chkconfig to insure it wouldn't start again at startup.

Ok

> I entered the sequence below. Created an e-mail, and MailScanner
> worked. The sequence below seems to be the same as that done in the
> initscript supplied by MailScanner. Was there any difference? Could it
> just be the fact that Spamassassin was running as a daemon?

The sequence is not done by the init script, but it is displayed in the install.sh script, you have to do that manually. SpamAssassin has nothing to do with that.

>
> Mike W.
> - --
>
> "Lose not thy airspeed, lest the ground rises up and smites thee."
> ~ -- William Kershner
>
>
>
> Mike Watson wrote:
> | I'm not at the server at the moment, but I'll run the sequence below
> and record the result. I have clamav and f-prot for anti-virus. I do
> get intermittent log entries from sendmail not being able to bind to the
> port, but sendmail has been up every time I check the port via telnet.
> |
> | I'm not a Perl guru. Is there a FAQ about using CSPAN so I can load
> the missing modules?
> |
> | Mike W
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHwh8BakodlddMd1ARAhHPAKDKJCs46jsiCEHYaeuoXYxZ5dDA1QCgvqlT
> yl79bXAImZarhzOfrpG/6F4=
> =2XeL
> -----END PGP SIGNATURE-----
>
>

From gmatt at nerc.ac.uk Mon Feb 25 15:16:06 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Mon Feb 25 15:16:33 2008
Subject: small bug in 4.66.5
Message-ID: <47C2DBB6.1060405@nerc.ac.uk>

infection reporting for ClamAVModule seems to have changed in 4.66.5 (just upgraded from 4.62.9-2):

Feb 25 10:03:58 mailr-w MailScanner[9708]: ClamAVModule::INFECTED:: Email.Spam.Sanesecurity.Url_1331:: ./m1PA3YS5011217/
Feb 25 11:17:49 mailr-w MailScanner[11304]: ::INFECTED:: Email.Hdr.Sanesecurity.07111002:: ./m1PBHY8C011316/

not good for log scrapers.

will have a quick look at the code

GREG

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

From gmatt at nerc.ac.uk Mon Feb 25 15:39:13 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Mon Feb 25 15:39:35 2008
Subject: small bug in 4.66.5
In-Reply-To: <47C2DBB6.1060405@nerc.ac.uk>
References: <47C2DBB6.1060405@nerc.ac.uk>
Message-ID: <47C2E121.6000301@nerc.ac.uk>

hmmm.... looks like this may have been in 4.62 as well as I found what looked like my own modifications in SweepViruses.pm in that version too.

It looks like $Name is not getting populated in sub ProcessClamAVModOutput. The following patch corrects the log entry but doesn't address the underlying cause:

--- /tmp/SweepViruses.pm 2008-02-25 15:35:28.000000000 +0000 +++ ./SweepViruses.pm 2008-02-25 15:23:30.000000000 +0000 
@@ -1444,7 +1444,8 @@ ($keyword, $virusname, $filename) = split(/:: /, $line, 3); if ($keyword =~ /^error/i && $logout !~ /rar module failure/i) { - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); return 1; } elsif ($keyword =~ /^info/i || $logout =~ /rar module failure/i) { return 0; @@ -1452,7 +1453,8 @@ return 0; } else { # Must be an infection reports - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); ($dot, $id, $part, @rest) = split(/\//, $filename); $report = $Name . ': ' if $Name; Not sure if I'll have time to look at this further - hopefully Julian can cast some light. GREG Greg Matthews wrote: > infection reporting for ClamAVModule seems to have changed in 4.66.5 > (just upgraded from 4.62.9-2): > > Feb 25 10:03:58 mailr-w MailScanner[9708]: ClamAVModule::INFECTED:: > Email.Spam.Sanesecurity.Url_1331:: ./m1PA3YS5011217/ > Feb 25 11:17:49 mailr-w MailScanner[11304]: ::INFECTED:: > Email.Hdr.Sanesecurity.07111002:: ./m1PBHY8C011316/ > > not good for log scrapers. > > will have a quick look at the code > > GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From glenn.steen at gmail.com Mon Feb 25 15:47:05 2008 
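Review bot: In the error branch at @@ -1444 the scanner name becomes the literal "ClamAVModule" instead of $Name, which hides the empty $Name rather than fixing it, and the old call is left behind as a commented-out line. I would find where $Name should be set in ProcessClamAVModOutput (or give it a value once at the top of the sub), keep the original InfoLog("%s::%s", $Name, $logout) call, and delete the commented line.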
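Review bot: In the infection branch at @@ -1452 the log call no longer depends on $Name, but the unchanged context line `$report = $Name . ': ' if $Name;` still does, so with $Name empty the syslog entry will say ClamAVModule while the report text gets no scanner prefix at all. Set $Name before both uses, or apply the same fallback to $report, so the log and the report agree; the commented-out InfoLog line should go here as well.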
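Greg's remark that the empty scanner name is "not good for log scrapers", as an added example (not code from the thread or from MailScanner): a Python parser for the two syslog lines he quotes that accepts an empty scanner field and reports it, next to a hypothetical strict pattern that silently drops such lines. The field layout is inferred from those two lines and the `split(/:: /, $line, 3)` context in the patch; `STRICT_RE`, `parse_infection` and `summarize` are names made up here, and the last two sample lines are constructed.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# The first two lines are the ones quoted in the post; the last two are
# constructed for this example (an error report and an unrelated line).
SAMPLE = [
    "Feb 25 10:03:58 mailr-w MailScanner[9708]: ClamAVModule::INFECTED:: "
    "Email.Spam.Sanesecurity.Url_1331:: ./m1PA3YS5011217/",
    "Feb 25 11:17:49 mailr-w MailScanner[11304]: ::INFECTED:: "
    "Email.Hdr.Sanesecurity.07111002:: ./m1PBHY8C011316/",
    "Feb 25 11:18:02 mailr-w MailScanner[11304]: ClamAVModule::ERROR:: "
    "constructed error text:: ./m1PBHZ00011399/",
    "Feb 25 11:18:05 mailr-w MailScanner[11304]: constructed non-scanner line",
]


class Infection(NamedTuple):
    timestamp: str
    host: str
    pid: int
    scanner: Optional[str]  # None when the scanner name was logged empty
    signature: str
    queue_id: str
    part: str


# Classic syslog prefix, then the MailScanner tag with its PID.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Hypothetical strict scraper: it insists on a non-empty scanner name, so it
# silently loses every line written while the name is empty.
STRICT_RE = re.compile(
    r"MailScanner\[\d+\]: (\w+)::INFECTED:: (\S+):: \./([^/\s]+)/"
)


def strict_scrape(lines: List[str]) -> List[tuple]:
    """Return (scanner, signature, queue_id) for lines the strict pattern sees."""
    found = []
    for line in lines:
        m = STRICT_RE.search(line)
        if m:
            found.append(m.groups())
    return found


def parse_infection(line: str) -> Optional[Infection]:
    """Parse '<scanner>::INFECTED:: <signature>:: ./<queue-id>/<part>'.

    The scanner field may be empty; that case is kept and marked with
    scanner=None instead of being dropped.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    scanner, sep, rest = m.group("msg").partition("::")
    if not sep or not re.fullmatch(r"\w*", scanner):
        return None
    fields = rest.split(":: ", 2)  # keyword, signature, path
    if len(fields) != 3 or fields[0] != "INFECTED":
        return None
    _, signature, path = fields
    parts = path.strip().split("/")  # ".", queue id, part inside the message
    if len(parts) < 2 or parts[0] != ".":
        return None
    return Infection(m.group("ts"), m.group("host"), int(m.group("pid")),
                     scanner or None, signature, parts[1], "/".join(parts[2:]))


def summarize(lines: List[str]) -> dict:
    """Count infections per signature and list queue ids logged without a scanner."""
    hits = [h for h in map(parse_infection, lines) if h is not None]
    return {
        "total": len(hits),
        "by_signature": Counter(h.signature for h in hits),
        "unnamed": [h.queue_id for h in hits if h.scanner is None],
    }


if __name__ == "__main__":
    print("strict scraper saw:", len(strict_scrape(SAMPLE)))
    print("tolerant parser   :", summarize(SAMPLE))
```

A non-empty `unnamed` list is the signal that the logging regression is present on the host producing the log.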
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Feb 25 15:47:16 2008 Subject: [Solved] Re: Problem with the version 4.46.2 In-Reply-To: <1203692505.5500.85.camel@mars-linux> References: <578081c56792d146baef7e723d754e46@solidstatelogic.com> <47BD975A.20508@ecs.soton.ac.uk> <47BDEEBC.7020301@ecs.soton.ac.uk> <33D48A86-8DBC-4BBF-B79B-0AC1C804491B@gray.net.au> <1203692505.5500.85.camel@mars-linux> Message-ID: <223f97700802250747o4fefe359ud6f33012e06d55a7@mail.gmail.com> On 22/02/2008, Sam Przyswa wrote: > > On Friday 22 February 2008 at 09:58 +1100, James Gray wrote: > > > On 22/02/2008, at 8:35 AM, Julian Field wrote: > > > Anthony Cartmell wrote: > > >>> Unfortunately the Debian maintainers have the view that > > >>> MailScanner is > > >>> "unstable" as I produce releases too frequently for them. > > >> > > >> That reminds me of a long discussion we had, a few months ago, > > >> about frequently-released operating systems and whether their > > >> release schedule made them "unstable"... > > >> > > >> FWIW (not much) I love MailScanner's release schedule :) > > > Thank you :-) > > > > > > Would you really prefer to have to wait a year before feature > > > requests were implemented, just to keep some "distorted" Debian > > > admins happy? > > > > I don't have any "pure" Debian systems running but I have a number of > > Ubuntu server installs I can play with. Most are running Ubuntu > > 6.06LTS (aka. "Dapper"). I'd be willing to investigate the whole > > packaging so that it plays nice with Debian/Ubuntu's little quirks. > > > > Just a few questions: > > - Did you want to bundle SpamAssassin and ClamAV too? > > - Do we need to use your Perl modules or can we use the distribution > > ones? > > - I was thinking maybe making separate packages for all of this (MS, > > SA, Clam and Perl mods), then putting it all up in a single repo - > > what do other people think? 
> > > > No time frames/promises...I've got to sit down and figure out the best > > way to achieve this without borking the base packages etc. This is > > just something that's bugged me for ages and after reading this > > thread, it's piqued my interest (again!). > > > I set the myhostname variable in /etc/postfix/main.cf and > set /etc/mailname and then it works. > > It was my fault by misconfiguration, sorry, sorry, and thanks for your > help, I hope my poor experience will be useful for other users like me. > > > Sam. > Well, if James (Gray) is "aggravated" enough to do the .deb repo thing... I'd say it was a Good Thing (tm) you did Sam;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Howard at harper-adams.ac.uk Mon Feb 25 17:38:23 2008 
From: Howard at harper-adams.ac.uk (Howard Robinson)
Date: Mon Feb 25 17:39:32 2008
Subject: Fwd: Sophos Error message
References: <47BEFF53.20E8.005B.0@harper-adams.ac.uk>
Message-ID: <47C2FD0E.20E8.005B.0@harper-adams.ac.uk>

Hello again

I am still having problems with the error below. I have had a good look at the web and it seems that it would be better to uninstall Sophos then start again. Is there a recommended way of doing this without it having a knock on effect with MailScanner?

>>> "Howard Robinson" 22/02/2008 16:59 >>>

Dear list

I have updated Sophos using Linux.intel.libc6.tar.Z using Julian's routine /usr/sbin/Sophos.install

It appeared to run through okay but seemed fast! Anyway on restarting MailScanner I get the following in the Maillog and emails refused to move in or out.

"SophosSAVI ERROR:: getting version: One of the files in a split-virus data set could not be located (557)"

Any ideas? I had a quick look at WIKI but nothing appeared to be relevant. In the end I had to rem out sophos from list of virus scanners used to get email flowing again. Two others are still there and so we are not unprotected but I like Sophos and usually it updates ok.

Any help appreciated.

Thanks

Howard Robinson, (Senior Technical Development Officer),
Harper Adams University College, Edgmond, Newport, Shropshire, TF10 8NB.
Tel. Direct 01952 815253
Tel. Switch Board 01952 820280
Fax 01952 814783
Email hrobinson@harper-adams.ac.uk
Web www.harper-adams.ac.uk

From dyioulos at firstbhph.com Mon Feb 25 17:41:54 2008
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Mon Feb 25 17:42:15 2008
Subject: MailScanner 4.88.5-3 not being invoked by sendmail
In-Reply-To: <47C2157F.9060902@crucis.net>
References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net>
Message-ID: <200802251241.55463.dyioulos@firstbhph.com>

It's not a good idea to top-post. That said, see below.

On Sunday 24 February 2008 8:10 pm, Mike Watson wrote:
> I'm not at the server at the moment, but I'll run the sequence below and
> record the result. I have clamav and f-prot for anti-virus. I do get
> intermittent log entries from sendmail not being able to bind to the
> port, but sendmail has been up every time I check the port via telnet.
>
> I'm not a Perl guru. Is there a FAQ about using CSPAN so I can load the
> missing modules?
>
> Mike W
> --
>
> "Lose not thy airspeed, lest the ground rises up and smites thee."
> ~ -- William Kershner
>
> Julian Field wrote:
> | I would start with this:
> | 1. Log in as root, or "su -" (the "-" is very important, without it
> | you don't get all of root's environment such as its "$PATH")
> | 2. chkconfig sendmail off
> | 3. chkconfig MailScanner on
> | 4. service sendmail stop
> | 5. service MailScanner restart
> | That will stop your mail bypassing MailScanner.
> |
> | I would also advise you install some more of the optional Perl modules,
> | you are missing rather a lot at the moment. It will catch more spam if
> | you install the missing modules. You don't need "SAVI" unless you're
> | using Sophos, and you only need "Mail::ClamAV" if you're using "Virus
> | Scanners = clamavmodule", and you won't need Net::LDAP. But other than
> | those, I would install the rest of them.
> |
> | If you have anything such as spamd running, you can switch that off.
> | MailScanner talks to SpamAssassin more efficiently than that daemon, so
> | it's just wasting resources at the moment if it's running.
> | > | Mike Watson wrote: > | > I've been using MailScanner for some years. My old mail server > | > (Fedora 3/MS 4.37.7-1/SA 3.0.4-2.fc3/sendmail 8.13) works fine but it > | > is running out of room. I built a new mail server running Fedora 7, > | > MS 4.66.5-3, and Spamassassin 3.2.4-1.fc7 with sendmail 8.14. > | > > | > Sendmail works and I can send and receive mail through it. > | > But---MailScanner, although returning a good status, is either not > | > running or not being invoked. There are no MailScanner or > | > Spamassassin headers being added to e-mail, nor is there any info > | > provided in maillog. > | > > | > I'm at a quandary. The MS install appears to run correctly without > | > error. The customizations to the .conf files are the same as on the > | > working box. Is there another install step that I missed? > | > > | > Here is the output of MailScanner -v: > | > > | > > | > [root@cygni ~]# MailScanner -v > | > Running on > | > Linux cygni.crucis.net 2.6.21-7.fc7xen #1 SMP Tue Feb 12 12:32:24 EST > | > 2008 i686 athlon i386 GNU/Linux > | > This is Fedora release 7 (Moonshine) > | > This is Perl version 5.008008 (5.8.8) > | > > | > This is MailScanner version 4.66.5 > | > Module versions are: > | > 1.00 AnyDBM_File > | > 1.16 Archive::Zip > | > 1.04 Carp > | > 1.119 Convert::BinHex > | > 2.27 Date::Parse > | > 1.00 DirHandle > | > 1.05 Fcntl > | > 2.74 File::Basename > | > 2.09 File::Copy > | > 2.01 FileHandle > | > 1.08 File::Path > | > 0.19 File::Temp > | > 0.90 Filesys::Df > | > 1.35 HTML::Entities > | > 3.56 HTML::Parser > | > 2.37 HTML::TokeParser > | > 1.23 IO > | > 1.14 IO::File > | > 1.13 IO::Pipe > | > 2.02 Mail::Header > | > 1.86 Math::BigInt > | > 3.07 MIME::Base64 > | > 5.425 MIME::Decoder > | > 5.425 MIME::Decoder::UU > | > 5.425 MIME::Head > | > 5.425 MIME::Parser > | > 3.07 MIME::QuotedPrint > | > 5.425 MIME::Tools > | > 0.11 Net::CIDR > | > 1.09 POSIX > | > 1.18 Scalar::Util > | > 1.78 Socket > | > 1.4 Sys::Hostname::Long > | > 0.18 
Sys::Syslog > | > 1.86 Time::HiRes > | > 1.02 Time::localtime > | > > | > Optional module versions are: > | > 1.30 Archive::Tar > | > 0.21 bignum > | > missing Business::ISBN > | > missing Business::ISBN::Data > | > 0.17 Convert::TNEF > | > missing Data::Dump > | > 1.815 DB_File > | > 1.13 DBD::SQLite > | > 1.56 DBI > | > 1.14 Digest > | > 1.01 Digest::HMAC > | > 2.36 Digest::MD5 > | > 2.11 Digest::SHA1 > | > missing Encode::Detect > | > missing Error > | > missing ExtUtils::CBuilder > | > missing ExtUtils::ParseXS > | > missing Inline > | > missing IO::String > | > 1.04 IO::Zlib > | > missing IP::Country > | > missing Mail::ClamAV > | > 3.002004 Mail::SpamAssassin > | > missing Mail::SPF > | > missing Mail::SPF::Query > | > 0.19 Math::BigRat > | > missing Module::Build > | > missing Net::CIDR::Lite > | > 0.61 Net::DNS > | > missing Net::DNS::Resolver::Programmable > | > missing Net::LDAP > | > missing NetAddr::IP > | > missing Parse::RecDescent > | > missing SAVI > | > 2.64 Test::Harness > | > missing Test::Manifest > | > 1.95 Text::Balanced > | > 1.35 URI > | > missing version > | > missing YAML > | > [root@cygni ~]# > | > > | > > | > Mike W > | > | Jules > > -- To start the CPAN shell: perl -MCPAN -e shell If it's your first time running the shell, you'll have to do some set-up via questions the shell asks. Default values should be fine. To install a module: install (in some instances, "force install ) HTH. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mikew at crucis.net Mon Feb 25 17:47:37 2008 
From: mikew at crucis.net (Mike - W0TMW) Date: Mon Feb 25 17:47:51 2008 Subject: MailScanner 4.88.5-3 not being invoked by sendmail In-Reply-To: <47C256F1.6030304@vanderkooij.org> References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net> <47C256F1.6030304@vanderkooij.org> Message-ID: <47C2FF39.8050205@crucis.net> While Fedora versions are short-lived, I keep them much longer. Next time it will be CentOS. mw "Lose not thy airspeed lest the ground rises up and smites thee." - Anon. Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Mike Watson wrote: > | I'm not at the server at the moment, but I'll run the sequence below > and > | record the result. I have clamav and f-prot for anti-virus. I do get > | intermittant log entries from sendmail not being able to bind to the > | port, but sendmail has been up everytime I check the port via telnet. > | > | I'm not a Perl guru. Is there a FAQ about using CSPAN so I can load > the > | missing modules? > > On Fedora one could use rpmforge as it would contain most of the perl > modules. (I can't say I prefer to do it that way as I would not choose a > short lived distro like Fedora for a server ever.) > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFHwlbwBvzDRVjxmYERAn4UAKCj4MeVA0dB6gRcd/l3jaVW/7PlFgCffiOz > GyxNv2Jdw9rWkVp/tCCsvtk= > =xM1A > -----END PGP SIGNATURE----- From mikew at crucis.net Mon Feb 25 17:57:43 2008 
From: mikew at crucis.net (Mike - W0TMW) Date: Mon Feb 25 17:57:56 2008 Subject: MailScanner 4.88.5-3 not being invoked by sendmail In-Reply-To: References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net> <47C21F04.8040409@crucis.net> Message-ID: <47C30197.10003@crucis.net> Is this a one time task or must the init script be modified? Mike W "Lose not thy airspeed lest the ground rises up and smites thee." - Anon. Ugo Bellavance wrote: > Mike Watson wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Julian, I found that Spamassassin was running as a daemon. I stopped >> it and changed chkconfig to insure it wouldn't start again at startup. > > Ok > >> I entered the sequence below. Created an e-mail, and MailScanner >> worked. The sequence below seems to be the same as that done in the >> initscript supplied by MailScanner. Was there any difference? Could >> it just be the fact that Spamassassin was running as a daemon? > > The sequence is not done by the init script, but it is displayed in > the install.sh script, you have to do that manually. SpamAssassin has > nothing to do with that. > >> >> Mike W. >> - -- >> >> "Lose not thy airspeed, lest the ground rises up and smites thee." >> ~ -- William Kershner >> >> >> >> Mike Watson wrote: >> | I'm not at the server at the moment, but I'll run the sequence >> below and record the result. I have clamav and f-prot for >> anti-virus. I do get intermittant log entries from sendmail not >> being able to bind to the port, but sendmail has been up everytime I >> check the port via telnet. >> | >> | I'm not a Perl guru. Is there a FAQ about using CSPAN so I can >> load the missing modules? 
>> | >> | Mike W >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.5 (MingW32) >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org >> >> iD8DBQFHwh8BakodlddMd1ARAhHPAKDKJCs46jsiCEHYaeuoXYxZ5dDA1QCgvqlT >> yl79bXAImZarhzOfrpG/6F4= >> =2XeL >> -----END PGP SIGNATURE----- >> >> > From webmaster at ew3d.com Mon Feb 25 18:07:14 2008 
From: webmaster at ew3d.com (John Hinton) Date: Mon Feb 25 18:07:26 2008 Subject: Server side Email Tools for Clients Message-ID: <47C303D2.1000208@ew3d.com> Now that I have what so far appears to be a nicely configured MailScanner/MailWatch system running, I'd like to work on the delivery areas for clients. First, I'm running CentOS 5.x and sendmail in a pretty standard setup up until the installation of MailScanner. I would like to be able to accomplish four things. I would like to have email delivered to a spam box or two for each client. At present I'm doing this with procmail rules. I would like to have old spam automatically removed from these boxes. At present I'm running a couple of custom scripts which do this. I would like to send reports to clients which reminds them about the stored spam and perhaps even provides the subject lines from those emails, maybe even sorted with lowest scores at the top, so they are reminded that they might have ham which wasn't received. At present I have no method of doing this. I would like to provide a user interface so that they can move email from spam to ham and ham to spam for training. At present I have no method for doing this. Does anyone have a suggestion for any program which might be able to accomplish this? As always, we are dealing with end users, so KISS is important and flexibility as for instance some might not want to receive reports... or might not want their mail sorted at all. I hope this isn't too 'off topic' for this list. But it does seem to be the next step. Alternatively, perhaps a link to where I should look would be great. Thanks, John Hinton From steve at fsl.com Mon Feb 25 18:52:41 2008 
From: steve at fsl.com (Stephen Swaney) Date: Mon Feb 25 18:52:51 2008 Subject: Fwd: Sophos Error message In-Reply-To: <47C2FD0E.20E8.005B.0@harper-adams.ac.uk> References: <47BEFF53.20E8.005B.0@harper-adams.ac.uk> <47C2FD0E.20E8.005B.0@harper-adams.ac.uk> Message-ID: <47C30E79.3010704@fsl.com> Howard Robinson wrote: > Hello again > I am still having problems with the error below. > I have had a good look at the web and it seems that it would be better to uninstall Sophos then start again. > Is there a recommended way of doing this with out it having a knock on effect with MailScanner? > > > >>>> "Howard Robinson" 22/02/2008 16:59 >>> >>>> > Dear list > I have updated Sophos using Linux.intel.libc6.tar.Z using Julian's routine /usr/sbin/Sophos.install > > It appeared to run through okay but seemed fast! > Anyway on restarting MailScanner I get the following in the Maillog and emails refused to move in or out. > > "SophosSAVI ERROR:: getting version: One of the files in a split-virus data set could not be located (557)" > > Any ideas > I had a quick look at WIKI but nothing appeared to be relevant . > > In the end I had to rem out sophos from list of virus scanners used to get email flowing again. Two others are still there and so we are not unprotected but I like Sophos and usually it updates ok > > Any help appreciated. > > Thanks > Howard Robinson, > (Senior Technical Development Officer), > Harper Adams University College, > Edgmond, > Newport, > Shropshire , > TF10 8NB. > > Tel. Direct 01952 815253 > Tel. Switch Board 01952 820280 > Fax 01952 814783 > Email hrobinson@harper-adams.ac.uk > Web www.harper-adams.ac.uk > > Howard, Have you updated to the latest Sophos Version 6.0?
What Version of MailScanner are you running? Does selecting sophos instead of sophossavi process mail? Have you rebuilt Sophos SAVI after updating Sophos. Best regards, Steve Steve Swaney steve@fsl.com www.fsl.com From J.Ede at birchenallhowden.co.uk Mon Feb 25 19:21:59 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Feb 25 19:22:22 2008 Subject: Server side Email Tools for Clients Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C640AE3@server02.bhl.local> I'd look at mailwatch at mailwatch.sourceforge.net jason -----Original Message----- 
From: John Hinton Sent: 25 February 2008 18:10 To: MailScanner discussion Subject: Server side Email Tools for Clients Now that I have what so far appears to be a nicely configured MailScanner/MailWatch system running, I'd like to work on the delivery areas for clients. First, I'm running CentOS 5.x and sendmail in a pretty standard setup up until the installation of MailScanner. I would like to be able to accomplish four things. I would like to have email delivered to a spam box or two for each client. At present I'm doing this with procmail rules. I would like to have old spam automatically removed from these boxes. At present I'm running a couple of custom scripts which do this. I would like to send reports to clients which reminds them about the stored spam and perhaps even provides the subject lines from those emails, maybe even sorted with lowest scores at the top, so they are reminded that they might have ham which wasn't received. At present I have no method of doing this. I would like to provide a user interface so that they can move email from spam to ham and ham to spam for training. At present I have no method for doing this. Does anyone have a suggestion for any program which might be able to accomplish this? As always, we are dealing with end users, so KISS is important and flexibility as for instance some might not want to receive reports... or might not want their mail sorted at all. I hope this isn't too 'off topic' for this list. But it does seem to be the next step. Alternatively, perhaps a link to where I should look would be great. Thanks, John Hinton From ugob at lubik.ca Mon Feb 25 21:28:54 2008
From: ugob at lubik.ca (Ugo Bellavance) Date: Mon Feb 25 21:29:20 2008 Subject: Server side Email Tools for Clients In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C640AE3@server02.bhl.local> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C640AE3@server02.bhl.local> Message-ID: Jason Ede wrote: > I'd look at mailwatch at mailwatch.sourceforge.net He's using it already. The MailWatch quarantine report should meet your requirement for the 'send' report part. From ugob at lubik.ca Mon Feb 25 21:30:12 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Mon Feb 25 21:35:12 2008 Subject: MailScanner 4.88.5-3 not being invoked by sendmail In-Reply-To: <47C30197.10003@crucis.net> References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net> <47C21F04.8040409@crucis.net> <47C30197.10003@crucis.net> Message-ID: Mike - W0TMW wrote: > Is this a one time task or must the init script be modified? One time task to tell the system to not start the sendmail service anymore and to enable MailScanner service at boot and start it. Ugo From mikew at crucis.net Mon Feb 25 21:47:05 2008 From: mikew at crucis.net (Mike - W0TMW) Date: Mon Feb 25 21:47:18 2008 Subject: MailScanner 4.88.5-3 not being invoked by sendmail In-Reply-To: References: <47C0D56D.2040102@crucis.net> <47C1A008.7010209@ecs.soton.ac.uk> <47C2157F.9060902@crucis.net> <47C21F04.8040409@crucis.net> <47C30197.10003@crucis.net> Message-ID: <47C33759.7060807@crucis.net> Ugo Bellavance wrote: > Mike - W0TMW wrote: >> Is this a one time task or must the init script be modified? > > One time task to tell the system to not start the sendmail service > anymore and to enable MailScanner service at boot and start it. > > Ugo > Thank you, Mike W From micoots at yahoo.com Mon Feb 25 23:02:58 2008 
From: micoots at yahoo.com (Michael Mansour) Date: Mon Feb 25 23:03:09 2008 Subject: Having one config file per domain support in MailScanner ? Message-ID: <76074.43497.qm@web33306.mail.mud.yahoo.com> Hi, Does MailScanner support having one config per domain? ie. instead of putting everything into the one config file like: /etc/MailScanner/rules/someMSoption.rules From: blah@domain1.com no From: blah@domain2.com no FromOrTo: default yes you can have it like: /etc/MailScanner/rules/MSoption1.rules From: blah@domain1.com no FromOrTo: default yes /etc/MailScanner/rules/MSoption1.rules From: blah@domain2.com no FromOrTo: default yes Julian??? Thanks. Michael. Get the name you always wanted with the new y7mail email address. www.yahoo7.com.au/y7mail From alex at nkpanama.com Tue Feb 26 00:01:36 2008 From: alex at nkpanama.com (Alex Neuman) Date: Tue Feb 26 00:02:33 2008 Subject: Somewhat OT: Clustering and HA Message-ID: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> Dear list, From time to time people have been discussing how to set up MailScanner so that you can get a highly-available configuration. NFS and locking have been discussed along with other details regarding how "shared" the configuration is between clusters. I'd like to see if it would be possible to use a "pretty standard" config of centos(or rh)+ms+sendmail+dovecot+clamav+spamassassin +mailwatch(maybe)/etc. and how I could either "install from scratch" as a cluster or possibly "upconvert" one. Any docs you might suggest where one would look at different Linux clustering scenarios, so I can pick it up from there? I could document my progress on the list or the wiki. From hvdkooij at vanderkooij.org Tue Feb 26 06:56:45 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Feb 26 06:57:19 2008 Subject: Having one config file per domain support in MailScanner ? In-Reply-To: <76074.43497.qm@web33306.mail.mud.yahoo.com> References: <76074.43497.qm@web33306.mail.mud.yahoo.com> Message-ID: <47C3B82D.5030706@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Mansour wrote: | Hi, | | Does MailScanner support having one config per domain? | ie. instead of putting everything into the one config | file like: | | /etc/MailScanner/rules/someMSoption.rules | From: blah@domain1.com no | From: blah@domain2.com no | FromOrTo: default yes | | you can have it like: | | /etc/MailScanner/rules/MSoption1.rules | From: blah@domain1.com no | FromOrTo: default yes | | /etc/MailScanner/rules/MSoption1.rules | 
From: blah@domain2.com no | FromOrTo: default yes But what does one gain this way? (Besides from your duplicate use of the same file ;-) And how do you expect it to behave? Because you redefined the default. I could see some logic in getting the data from SQL instead of fixed files. Then you can fill the table anyway you like it. In fact about 5 minutes after I installed MailWatch I started to itch to add a lot of tables to the database and write up some code to make use of it. But as MailWatch 2.0 was just under development I decided to sit it out. I am not sure how much of it is going to be in MailWatch 2.0 but ~ that would be my way to work the issue. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHw7gsBvzDRVjxmYERAlywAJ9NpQn9kOl1zuWwsevi7Yl3e+RK3ACgjJ59 y401+swWyJUS39SjZSGbD6w= =xw77 -----END PGP SIGNATURE----- From martinh at solidstatelogic.com Tue Feb 26 09:20:31 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Feb 26 09:20:48 2008 Subject: Having one config file per domain support in MailScanner ? In-Reply-To: <76074.43497.qm@web33306.mail.mud.yahoo.com> Message-ID: See http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading for a starter.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Michael Mansour > Sent: 25 February 2008 23:03 > To: MailScanner discussion > Subject: Having one config file per domain support in MailScanner ? > > Hi, > > Does MailScanner support having one config per domain? > ie. instead of putting everything into the one config > file like: > > /etc/MailScanner/rules/someMSoption.rules > From: blah@domain1.com no > From: blah@domain2.com no > FromOrTo: default yes > > you can have it like: > > /etc/MailScanner/rules/MSoption1.rules > From: blah@domain1.com no > FromOrTo: default yes > > /etc/MailScanner/rules/MSoption1.rules 
> From: blah@domain2.com no > FromOrTo: default yes > > Julian??? > > Thanks. > > Michael. ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From t.d.lee at durham.ac.uk Tue Feb 26 10:29:08 2008
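Added example (not part of any list message and not MailScanner's own code): a simplified Python model of first-match ruleset evaluation, run over the combined ruleset quoted in the thread above, showing that a single file already gives a different answer per domain. It goes beyond the thread by also handling an IP-prefix rule; the function names, the sample addresses and IP ranges are constructed, and treating "default" as the fallback when nothing else matches is an assumption of this model.

```python
import re
from typing import List, NamedTuple, Optional


class Message(NamedTuple):
    sender: str      # envelope sender, as claimed by the connecting client
    recipient: str   # envelope recipient
    client_ip: str   # IP address of the connecting SMTP client


class Rule(NamedTuple):
    direction: str   # "from", "to" or "fromorto"
    pattern: str
    value: str


DIRECTIONS = {"from", "to", "fromorto"}


def parse_ruleset(text: str) -> List[Rule]:
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"malformed rule: {raw!r}")
        direction = fields[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"unsupported direction: {fields[0]!r}")
        rules.append(Rule(direction, fields[1].lower(), fields[2].strip()))
    return rules


def is_ip_pattern(pattern: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}\.?", pattern) is not None


def address_hit(pattern: str, address: str) -> bool:
    if "@" not in pattern:          # bare domain: any user at that domain
        pattern = "*@" + pattern
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address.lower()) is not None


def ip_hit(pattern: str, client_ip: str) -> bool:
    prefix = pattern.rstrip(".")
    if prefix.count(".") == 3:      # all four octets given: exact match
        return client_ip == prefix
    return client_ip.startswith(prefix + ".")


def rule_hit(rule: Rule, msg: Message) -> bool:
    if is_ip_pattern(rule.pattern):
        # An IP pattern describes the connecting client, so it can only
        # match on the "from" side of a rule.
        return rule.direction != "to" and ip_hit(rule.pattern, msg.client_ip)
    from_hit = address_hit(rule.pattern, msg.sender)
    to_hit = address_hit(rule.pattern, msg.recipient)
    if rule.direction == "from":
        return from_hit
    if rule.direction == "to":
        return to_hit
    return from_hit or to_hit


def evaluate(rules: List[Rule], msg: Message) -> Optional[str]:
    """Return the value of the first matching rule, else the default."""
    default = None
    for rule in rules:
        if rule.pattern == "default":
            default = rule.value    # assumption: used only as the fallback
            continue
        if rule_hit(rule, msg):
            return rule.value
    return default


# The single-file ruleset from the thread.
PER_DOMAIN_RULES = """
From:     blah@domain1.com  no
From:     blah@domain2.com  no
FromOrTo: default           yes
"""

# Constructed alternative keyed on the client IP (documentation range).
IP_RULES = """
From:     192.0.2.   no
FromOrTo: default    yes
"""

# Constructed messages: same claimed sender, different connecting hosts.
LEGIT = Message("blah@domain1.com", "user@example.org", "192.0.2.10")
FORGED = Message("blah@domain1.com", "user@example.org", "203.0.113.77")

if __name__ == "__main__":
    for name, text in (("per-domain", PER_DOMAIN_RULES), ("ip-based", IP_RULES)):
        rules = parse_ruleset(text)
        print(name, "legit ->", evaluate(rules, LEGIT),
              "| forged ->", evaluate(rules, FORGED))
```

An address rule compares only the sender string, so both constructed messages get the same value from the per-domain file, while the IP rule separates them.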
From: t.d.lee at durham.ac.uk (David Lee) Date: Tue Feb 26 10:29:37 2008 Subject: http proxy:suggestion In-Reply-To: <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> Message-ID: On Fri, 22 Feb 2008, Rick Cooper wrote: > > wrote: > > > [...] > > >> What still seems absent is recognising "http_proxy" when > > run under "cron". > > >> > > >> Those scripts already do: > > >> if [ -f /etc/sysconfig/MailScanner ] ; then > > >> . /etc/sysconfig/MailScanner > > >> fi > > >> > > >> But that file seems oriented to variables specific to > > "MailScanner.conf". > > >> > > >> Could there also be a "/etc/sysconfig/MailScannerEnv" > > (or similar) whose > > >> purpose would be for environment variables for scripts? > > [...] That said, why not use the (.)?wgetrc and (.)?curlrc files to > enter the default proxy/user/password information on systems that need this > information? I have done this in the past for a specific server for a > specific reason. Good idea. Thanks. I've just tried it (/etc/wgetrc) and it seems to work... for the 'update_phishing_sites' and 'update_bad_phishing_sites' cron jobs. That just leaves the MS 'update_spamassassin' cron job; is there some way to arrange for it, when run under 'cron', to obtain 'http_proxy' somehow from somewhere? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From darren at torsion.co.uk Tue Feb 26 12:12:17 2008 
From: darren at torsion.co.uk (Darren Walker) Date: Tue Feb 26 12:52:40 2008 Subject: Rules Question In-Reply-To: References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com><47BEFA91.1010200@ecs.soton.ac.uk><056c01c87584$110bd4a0$0301a8c0@SAHOMELT> Message-ID: <013501c87870$d9c78120$1001a8c0@Lappy2> Hi This may sound an odd question, but if we have a rule set as follows from the EXAMPLES file # Only virus scan some domains # Set "Virus Scanning = /etc/MailScanner/rules/virus.scanning.rules". Does this mean that the domains excluded from the list are not virus scanned, but are still scanned by spamassassin, or do we need to create a list as follows # Only spam scan some domains # Set "? = /etc/MailScanner/rules/spam.scanning.rules". If so what do we replace the ? with - the option seems to use spamassassin or not. Thanks Darren -- This message has been scanned for viruses and dangerous content by Torsion Internet Ltd, and is believed to be clean. From rcooper at dwford.com Tue Feb 26 12:54:34 2008 From: rcooper at dwford.com (Rick Cooper) Date: Tue Feb 26 12:55:22 2008 Subject: http proxy:suggestion In-Reply-To: References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com><47BEFA91.1010200@ecs.soton.ac.uk><056c01c87584$110bd4a0$0301a8c0@SAHOMELT> Message-ID: <087d01c87876$bcfeac20$0301a8c0@SAHOMELT> > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of David Lee > Sent: Tuesday, February 26, 2008 5:29 AM > To: MailScanner discussion > Subject: RE: http proxy:suggestion > > On Fri, 22 Feb 2008, Rick Cooper wrote: > > > > wrote: > > > > [...] > > > >> What still seems absent is recognising "http_proxy" when > > > run under "cron". > > > >> > > > >> Those scripts already do: > > > >> if [ -f /etc/sysconfig/MailScanner ] ; then > > > >> . /etc/sysconfig/MailScanner > > > >> fi > > > >> > > > >> But that file seems oriented to variables specific to > > > "MailScanner.conf". > > > >> > > > >> Could there also be a "/etc/sysconfig/MailScannerEnv" > > > (or similar) whose > > > >> purpose would be for environment variables for scripts? > > > > [...] That said, why not use the (.)?wgetrc and (.)?curlrc files to > > enter the default proxy/user/password information on > systems that need this > > information? I have done this in the past for a specific > server for a > > specific reason. > > Good idea. Thanks. I've just tried it (/etc/wgetrc) and it seems to > work... for the 'update_phishing_sites' and > 'update_bad_phishing_sites' > cron jobs. > > That just leaves the MS 'update_spamassassin' cron job; is > there some way > to arrange for it, when run under 'cron', to obtain > 'http_proxy' somehow > from somewhere? > > Well if you are running linux you can just add the ENV item at the top of the correct user's crontab. It seems like solaris doesn't allow for that. Remember it's not exported though, it's in the format of VAR=VALUE Since sa-update uses LWP I don't believe there are any rc files to handle that. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Tue Feb 26 13:40:46 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Feb 26 13:42:04 2008 Subject: Rules Question In-Reply-To: <013501c87870$d9c78120$1001a8c0@Lappy2> Message-ID: <372b4a3f757066479ca27ff4832a795c@solidstatelogic.com> Hi Yes, you need to set up a rule with both sets. If you do this you'll still be subject to the MailScanner 'scans' for filetypes etc. There's a big on/off switch in the top level "Scan Messages" setting. Be aware though that most spam fakes the from address and can indeed be from:fred@domain.com to:fred@domain.com So doing this with domains can have undesired effects; it's better to use IP addresses if at all possible. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Darren Walker > Sent: 26 February 2008 12:12 > To: MailScanner discussion > Subject: Rules Question > > Hi > > This may sound an odd question, but if we have a rule set as follows from > the EXAMPLES file > > # Only virus scan some domains > > # Set "Virus Scanning = /etc/MailScanner/rules/virus.scanning.rules". > > Does this mean that the domains excluded from the list are not virus > scanned, but are still scanned by spamassassin, or do we need to create a > list a follows > > # Only spam scan some domains > > # Set "? = /etc/MailScanner/rules/spam.scanning.rules". > > If so what do we replace the ? with - the option seems to use spamasassin > or > not. > > Thanks > > Darren > > > > -- > This message has been scanned for viruses and > dangerous content by Torsion Internet Ltd, and is > believed to be clean.
From mi6 at orcon.net.nz Tue Feb 26 14:36:49 2008 From: mi6 at orcon.net.nz (Charlie) Date: Tue Feb 26 14:37:29 2008 Subject: Tnef setting and forwarding Outlook contacts Message-ID: <209901c87885$06348d70$0200a8c0@CharlieCompaq> Hi, thanks for all the previous help with other requests. I have reinstalled MailScanner, but have run into an old problem. Whenever I try to 'forward' a contact from Outlook (by clicking on 'Contacts' then right-clicking a particular contact and then choosing 'Forward'), the attachment's name is changed (by the way, it shouldn't be changed) to be 'Untitled Attachment' when I have the following setting in MailScanner.conf: Deliver Unparsable TNEF = no However, when I make it 'Deliver Unparsable TNEF = yes' the attachment is removed entirely! Is this a new bug? In the previous version when I changed Deliver Unparsable TNEF to 'yes' the correctly named and formatted attachment was delivered. Now, nothing is delivered. Cheers! From glenn.steen at gmail.com Tue Feb 26 14:45:10 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 26 14:45:47 2008 Subject: http proxy:suggestion In-Reply-To: <087d01c87876$bcfeac20$0301a8c0@SAHOMELT> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> <087d01c87876$bcfeac20$0301a8c0@SAHOMELT> Message-ID: <223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com> On 26/02/2008, Rick Cooper wrote: > > > > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > Behalf Of David Lee > > Sent: Tuesday, February 26, 2008 5:29 AM > > To: MailScanner discussion > > > Subject: RE: http proxy:suggestion > > > > On Fri, 22 Feb 2008, Rick Cooper wrote: > > > > > > wrote: > > > > > [...] > > > > >> What still seems absent is recognising "http_proxy" when > > > > run under "cron". > > > > >> > > > > >> Those scripts already do: > > > > >> if [ -f /etc/sysconfig/MailScanner ] ; then > > > > >> . /etc/sysconfig/MailScanner > > > > >> fi > > > > >> > > > > >> But that file seems oriented to variables specific to > > > > "MailScanner.conf". > > > > >> > > > > >> Could there also be a "/etc/sysconfig/MailScannerEnv" > > > > (or similar) whose > > > > >> purpose would be for environment variables for scripts? > > > > > > [...] That said, why not use the (.)?wgetrc and (.)?curlrc files to > > > enter the default proxy/user/password information on > > systems that need this > > > information? I have done this in the past for a specific > > server for a > > > specific reason. > > > > Good idea. Thanks. I've just tried it (/etc/wgetrc) and it seems to > > work... for the 'update_phishing_sites' and > > 'update_bad_phishing_sites' > > cron jobs. > > > > That just leaves the MS 'update_spamassassin' cron job; is > > there some way > > to arrange for it, when run under 'cron', to obtain > > 'http_proxy' somehow > > from somewhere? > > > > > > > Well if you are running linux you can just add the ENV item at the top of > the correct user's crontab. It seems like solaris doesn't allow for that. > Remember it's not exported though, it's in the format of > > VAR=VALUE > > Since sa-update uses LWP I don't believe there are any rc files to handle > that. > > > Rick > Correct me if I'm wrong, but this "issue" is only an issue on platforms where the install will actually set up the cron jobs for you, right? 
I don't think the stock source install does that... So what Solaris or whatever use for cron is rather immaterial, since it'll be you (as admin) that will be doing those entries anyway... And the timetested sh -c ";" would work well enough... Right? Or am I missing something obvious? To my eyes, the http_proxy setting for LWP could well go anywhere, on the installs that need them. Having another conf file to massage afterwards would just confuse the matter (IMO:-). So put it in the sysconfig file... commented out with something nice above for us to read:-)... Less changes for Jules, little real "semantic" problems... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Tue Feb 26 14:47:02 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Feb 26 14:47:37 2008 Subject: Tnef setting and forwarding Outlook contacts In-Reply-To: <209901c87885$06348d70$0200a8c0@CharlieCompaq> Message-ID: <9ee5ed4c54696742acf45d519a5bb0c9@solidstatelogic.com> Hi The TNEF expander works in interesting ways.... Some people have more success with the internal setting and some with the external. Try flipping it to the alternate setting to what you have in MailScanner.conf. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Charlie > Sent: 26 February 2008 14:37 > To: MailScanner discussion > Subject: Tnef setting and forwarding Outlook contacts > > Hi, thanks for all the previous help with other requests. > > I have reinstalled MailScanner, but have run into an old problem. > Whenever I try to 'forward' a contact from Outlook (by clicking on > 'Contacts' then right-clicking a particular contact and then choosing > 'Forward'), the attachment's name is changed (by the way, it shouldn't be > changed) to be 'Untitled Attachment' when I have the following setting in > MailScanner.conf: > Deliver Unparsable TNEF = no > > However, when I make it 'Deliver Unparsable TNEF = yes' the attachment is > removed entirely! > > Is this a new bug? In the previous version when I changed Deliver > Unparsable > TNEF to 'yes' the correctly named and formatted attachment was delivered. > Now, nothing is delivered. > > Cheers!
From rcooper at dwford.com Tue Feb 26 15:34:37 2008 From: rcooper at dwford.com (Rick Cooper) Date: Tue Feb 26 15:35:14 2008 Subject: http proxy:suggestion In-Reply-To: <223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com><47BEFA91.1010200@ecs.soton.ac.uk><056c01c87584$110bd4a0$0301a8c0@SAHOMELT><087d01c87876$bcfeac20$0301a8c0@SAHOMELT> <223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com> Message-ID: <08d601c8788d$18ebfd60$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Glenn Steen > Sent: Tuesday, February 26, 2008 9:45 AM > To: MailScanner discussion > Subject: Re: http proxy:suggestion > > On 26/02/2008, Rick Cooper wrote: > > > > > > > -----Original Message----- 
> > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > > > Behalf Of David Lee > > > Sent: Tuesday, February 26, 2008 5:29 AM > > > To: MailScanner discussion > > > > > Subject: RE: http proxy:suggestion > > > > > > On Fri, 22 Feb 2008, Rick Cooper wrote: > > > > > > > > wrote: > > > > > > [...] > > > > > >> What still seems absent is recognising > "http_proxy" when > > > > > run under "cron". > > > > > >> > > > > > >> Those scripts already do: > > > > > >> if [ -f /etc/sysconfig/MailScanner ] ; then > > > > > >> . /etc/sysconfig/MailScanner > > > > > >> fi > > > > > >> > > > > > >> But that file seems oriented to variables specific to > > > > > "MailScanner.conf". > > > > > >> > > > > > >> Could there also be a "/etc/sysconfig/MailScannerEnv" > > > > > (or similar) whose > > > > > >> purpose would be for environment variables > for scripts? > > > > > > > > [...] That said, why not use the (.)?wgetrc and > (.)?curlrc files to > > > > enter the default proxy/user/password information on > > > systems that need this > > > > information? I have done this in the past for a specific > > > server for a > > > > specific reason. > > > > > > Good idea. Thanks. I've just tried it (/etc/wgetrc) > and it seems to > > > work... for the 'update_phishing_sites' and > > > 'update_bad_phishing_sites' > > > cron jobs. > > > > > > That just leaves the MS 'update_spamassassin' cron job; is > > > there some way > > > to arrange for it, when run under 'cron', to obtain > > > 'http_proxy' somehow > > > from somewhere? > > > > > > > > > > > > Well if you are running linux you can just add the ENV > item at the top of > > the correct user's crontab. It seems like solaris doesn't > allow for that. > > Remember it's not exported though, it's in the format of > > > > VAR=VALUE > > > > Since sa-update uses LWP I don't believe there are any rc > files to handle > > that. 
> > > > > > Rick > > > Correct me if I'm wrong, but this "issue" is only an issue on > platforms where the install will actually set up the cron jobs for > you, right? I don't think the stock source install does that... So > what Solaris or whatever use for cron is rather immaterial, since > it'll be you (as admin) that will be doing those entries > anyway... And > the timetested sh -c ";" would work well > enough... Right? > Or am I missing something obvious? To my eyes, the http_proxy setting > for LWP could well go anywhere, on the installs that need > them. Having > another conf file to massage afterwards would just confuse the matter > (IMO:-). So put it in the sysconfig file... commented out with > something nice above for us to read:-)... Less changes for Jules, > little real "semantic" problems... > I think the original problem was that all distros don't use the sysconfig file... Mostly a redhat thing, and I think someone said deb. Using the sh -c option would work but the script he specifically mentioned clearly states at the top not to edit it, I assume this means it's overwritten on upgrade. If he adds the environment proxy stuff at the top of the crontab for the user that runs the script in question it would be immune to upgrade tampering. The easiest answer is to allow the server in question to pass the proxy. I assume http(s) traffic is being redirected via an Iptables rule and simply adding a PREROUTING rule (before the redirect) that does an ACCEPT for that server on outbound connections to the ports being trapped would exempt it from forced proxy usage and the problem is then moot. It's just an opinion but I have found that, even in this day and age, *many* programs are not proxy friendly and in the case of wget or curl you can handle that with an rc file, not so with LWP, or others without specific ENV items. 
If you need it and your OS supports it then crontab is a good place for them because they are then available to scripts/programs that require them and do not make specific configuration allowances for them. Rick From ugob at lubik.ca Tue Feb 26 15:36:40 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Feb 26 15:37:58 2008 Subject: Somewhat OT: Clustering and HA In-Reply-To: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> Message-ID: Alex Neuman wrote: > Dear list, > > From time to time people have been discussing how to set up MailScanner > so that you can get a highly-available configuration. NFS and locking > have been discussed along with other details regarding how "shared" the > configuration is between clusters. XML-RPC in mailwatch allows you to do a MailScanner setup with a central DB. > I'd like to see if it would be possible to use a "pretty standard" > config of centos(or > rh)+ms+sendmail+dovecot+clamav+spamassassin+mailwatch(maybe)/etc. and > how I could either "install from scratch" as a cluster or possibly > "upconvert" one. I'd set up a series of MailScanner servers, a separate MySQL server, and two or more HA'd dovecot servers in the backend. Depends on your load of course. Ugo From ricky.boone at gmail.com Tue Feb 26 16:04:38 2008 
From: ricky.boone at gmail.com (Ricky Boone) Date: Tue Feb 26 16:05:14 2008 Subject: Virus Infected Message Notifications Message-ID: <7d9a8b360802260804i39f5b2dbkb4f4c23612fa7898@mail.gmail.com> This may seem like a _really_ stupid question, but I'll ask anyways. ;) I cannot seem to get messages that are "infected" (eicar) to notify the recipient of the infected message. Messages with bad filenames/filetypes, phishing, etc. notify the user without a problem ({Filename?}, {Disarm?}, etc.). But if a message has an infection, _nothing_ gets to the recipient. Notices, however, to the "local postmaster" go through just fine. I've gone over my config a dozen times now, and I cannot figure out what is causing the message to be dropped altogether. None of the config items that stand out seem to make any difference ("Silent Viruses", "Still Deliver Silent Viruses", various "Action" directives, etc.). Comparing the MailScanner.conf file doesn't show anything out of the ordinary either, with the exception of the "Virus Scanning" directive, which is set to a rule (for Mailwatch purposes). I can provide my MailScanner.conf file, however I would prefer it was not posted to this list, so it would be sent off-list (if requested). Any ideas? From bpirie at rma.edu Tue Feb 26 16:16:38 2008 
From: bpirie at rma.edu (Brendan Pirie) Date: Tue Feb 26 16:16:37 2008 Subject: Virus Infected Message Notifications In-Reply-To: <7d9a8b360802260804i39f5b2dbkb4f4c23612fa7898@mail.gmail.com> References: <7d9a8b360802260804i39f5b2dbkb4f4c23612fa7898@mail.gmail.com> Message-ID: <47C43B66.3070808@rma.edu> What is Deliver Disinfected Files = set to? Brendan Ricky Boone wrote: > This may seem like a _really_ stupid question, but I'll ask anyways. ;) > > I cannot seem to get messages that are "infected" (eicar) to notify > the recipient of the infected message. Messages with bad > filenames/filetypes, phishing, etc. notify the user without a problem > ({Filename?}, {Disarm?}, etc.). But if a message has an infection, > _nothing_ gets to the recipient. Notices, however, to the "local > postmaster" go through just fine. > > I've gone over my config a dozen times now, and I cannot figure out > what is causing the message to be dropped altogether. None of the > config items that stand out seem to make any difference ("Silent > Viruses", "Still Deliver Silent Viruses", various "Action" directives, > etc.). Comparing the MailScanner.conf file doesn't show anything out > of the ordinary either, with the exception of the "Virus Scanning" > directive, which is set to a rule (for Mailwatch purposes). > > I can provide my MailScanner.conf file, however I would prefer it was > not posted to this list, so it would be sent off-list (if requested). > > Any ideas? From anance at SYSSRC.com Tue Feb 26 16:25:31 2008 
From: anance at SYSSRC.com (Alexander Nance) Date: Tue Feb 26 16:26:08 2008 Subject: Symantec Scan Engine Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> I found this post in the archives but never saw a resolution: Scan Engine reports that it sees the tests as viruses but MailScanner simply passes the message through. You need to send me a fully licenced copy of the package, including any licence keys I will need to install it. I personally guarantee that I will not use it for anything other than development, and I guarantee that no-one else will get access to it. Remember, I've got a reputation to protect. Please send it all to me off-list! Jeff Meyer wrote: > I noticed that MailScanner has support for Symantec Scan Engine, but > it doesn't appear to be working correctly. > > First, had to make a change to the symscanengine-wrapper: > changed: > prog=savsecls/savsecls > to: > prog=ssecls/ssecls > > Then when testing the wrapper: > /usr/lib/MailScanner/symscanengine-wrapper /opt/SYMScan /temp > everything works, even tried on eicar test file and it found it. > > However, when running it with MailScanner, nothing appears to be > getting logged when testing with eicar files. McAfee, Bitdefender and > ClamAV all log their results, but symantec doesn't. I would like to > see when symantec does catch something and when it doesn't. > > What do I need to do to change this. > > Jeff > Jules -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ricky.boone at gmail.com Tue Feb 26 16:27:31 2008 From: ricky.boone at gmail.com (Ricky Boone) Date: Tue Feb 26 16:28:07 2008 Subject: Virus Infected Message Notifications In-Reply-To: <47C43B66.3070808@rma.edu> References: <7d9a8b360802260804i39f5b2dbkb4f4c23612fa7898@mail.gmail.com> <47C43B66.3070808@rma.edu> Message-ID: <7d9a8b360802260827i3f5020d8s401528ecc6109bea@mail.gmail.com> On Tue, Feb 26, 2008 at 11:16 AM, Brendan Pirie wrote: > What is Deliver Disinfected Files = set to? Currently set to 'no', but I did try setting it to 'yes' (and restarting MailScanner) with no change in behavior. From MailScanner at ecs.soton.ac.uk Tue Feb 26 16:46:12 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 26 16:47:03 2008 Subject: Fwd: Sophos Error message In-Reply-To: <47C2FD0E.20E8.005B.0@harper-adams.ac.uk> References: <47BEFF53.20E8.005B.0@harper-adams.ac.uk> <47C2FD0E.20E8.005B.0@harper-adams.ac.uk> Message-ID: <47C44254.4080300@ecs.soton.ac.uk> I failed to get to the bottom of this one and re-cloned the machine, as it was faster to do :-) Check your /etc/ld.so.conf and hose /opt/sophos-av, /usr/local/lib/libsav*, /etc/sav* for starters, then reinstall the latest version of version 6. Make sure you haven't got any sav processes running. service sav-protect stop service sav-web stop service sav-rms stop chkconfig --del sav-web chkconfig --del sav-protect chkconfig --del sav-rms Delete all /usr/local/Sophos* files. Do an "ldconfig" to flush the lib cache. Delete /usr/local/bin/savscanm and /usr/bin/savscan. Once you've deleted all the old one and reinstalled the new one, try "savscan" on a file or two first to see if that works. If it does, then rebuild perl-SAVI as well. Good luck! Howard Robinson wrote: > Hello again > I am still having problems with the error below. > I have had a good look at the web and it seems that it would be better to uninstall Sophos then start again. > Is there a recommended way of doing this with out it having a knock on effect with MailScanner? > > > >>>> "Howard Robinson" 22/02/2008 16:59 >>> >>>> > Dear list > I have updated Sophos using Linux.intel.libc6.tar.Z using Julian's routine /usr/sbin/Sophos.install > > It appeared to run through okay but seemed fast! > Anyway on restarting MailScanner I get the following in the Maillog and emails refused to move in or out. > > "SophosSAVI ERROR:: getting version: One of the files in a split-virus data set could not be located (557)" > > Any ideas > I had a quick look at WIKI but nothing appeared to be relevant . 
> > In the end I had to rem out sophos from list of virus scanners used to get email flowing again. Two others are still there and so we are not unprotected but I like Sophos and usually it updates ok > > Any help appreciated. > > Thanks > Howard Robinson, > (Senior Technical Development Officer), > Harper Adams University College, > Edgmond, > Newport, > Shropshire , > TF10 8NB. > > Tel. Direct 01952 815253 > Tel. Switch Board 01952 820280 > Fax 01952 814783 > Email hrobinson@harper-adams.ac.uk > Web www.harper-adams.ac.uk > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at lubik.ca Tue Feb 26 16:46:29 2008 
From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Feb 26 16:47:27 2008 Subject: Symantec Scan Engine In-Reply-To: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> Message-ID: Alexander Nance wrote: > I found this post in the archives but never saw a resolution: > > Scan Engine reports that it sees the tests as viruses but MailScanner > simply passes the message through. What does MailScanner --lint say? Ugo From MailScanner at ecs.soton.ac.uk Tue Feb 26 16:49:46 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 26 16:50:10 2008 Subject: Somewhat OT: Clustering and HA In-Reply-To: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> Message-ID: <47C4432A.7060703@ecs.soton.ac.uk> You don't need NFS and locking to run a MailScanner cluster. You just have n independent MX servers all with the same MX priority (or 1 MX record pointing to multiple A records), and have them deliver onwards to the same mail servers for client email access. Don't start trying to share queues between multiple machines: it's asking for trouble, a nightmare to manage reliably and unnecessary. That's my opinion, anyway :-) Alex Neuman wrote: > Dear list, > > From time to time people have been discussing how to set up > MailScanner so that you can get a highly-available configuration. NFS > and locking have been discussed along with other details regarding how > "shared" the configuration is between clusters. > > I'd like to see if it would be possible to use a "pretty standard" > config of centos(or > rh)+ms+sendmail+dovecot+clamav+spamassassin+mailwatch(maybe)/etc. and > how I could either "install from scratch" as a cluster or possibly > "upconvert" one. > > Any docs you might suggest where one would look at different Linux > clustering scenarios, so I can pick it up from there? I could document > my progress on the list or the wiki. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From MailScanner at ecs.soton.ac.uk Tue Feb 26 16:55:43 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 26 16:56:02 2008 Subject: Virus Infected Message Notifications In-Reply-To: <7d9a8b360802260804i39f5b2dbkb4f4c23612fa7898@mail.gmail.com> References: <7d9a8b360802260804i39f5b2dbkb4f4c23612fa7898@mail.gmail.com> Message-ID: <47C4448F.4040705@ecs.soton.ac.uk> Ricky Boone wrote: > This may seem like a _really_ stupid question, but I'll ask anyways. ;) > > I cannot seem to get messages that are "infected" (eicar) to notify > the recipient of the infected message. This is usually down to the setting of "Silent Viruses". By default this contains "All-Viruses" which stops recipient notifications of viruses. Just remove this value and "service MailScanner reload" and you should find recipients start getting notified. > Messages with bad > filenames/filetypes, phishing, etc. notify the user without a problem > ({Filename?}, {Disarm?}, etc.). But if a message has an infection, > _nothing_ gets to the recipient. Notices, however, to the "local > postmaster" go through just fine. > > I've gone over my config a dozen times now, and I cannot figure out > what is causing the message to be dropped altogether. None of the > config items that stand out seem to make any difference ("Silent > Viruses", "Still Deliver Silent Viruses", various "Action" directives, > etc.). Comparing the MailScanner.conf file doesn't show anything out > of the ordinary either, with the exception of the "Virus Scanning" > directive, which is set to a rule (for Mailwatch purposes). > > I can provide my MailScanner.conf file, however I would prefer it was > not posted to this list, so it would be sent off-list (if requested). > > Any ideas? > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From anance at SYSSRC.com Tue Feb 26 17:18:15 2008 From: anance at SYSSRC.com (Alexander Nance) Date: Tue Feb 26 17:18:52 2008 Subject: Symantec Scan Engine In-Reply-To: References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> It replies that the scanengine is discovered properly. It is not having a problem sending the file through to be processed, it is just ignoring the result response. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance Sent: Tuesday, February 26, 2008 11:46 AM To: mailscanner@lists.mailscanner.info Subject: Re: Symantec Scan Engine Alexander Nance wrote: > I found this post in the archives but never saw a resolution: > > Scan Engine reports that it sees the tests as viruses but MailScanner > simply passes the message through. What does MailScanner --lint say? Ugo From ricky.boone at gmail.com Tue Feb 26 18:12:02 2008 
From: ricky.boone at gmail.com (Ricky Boone) Date: Tue Feb 26 18:12:56 2008 Subject: Virus Infected Message Notifications In-Reply-To: <47C4448F.4040705@ecs.soton.ac.uk> References: <7d9a8b360802260804i39f5b2dbkb4f4c23612fa7898@mail.gmail.com> <47C4448F.4040705@ecs.soton.ac.uk> Message-ID: <7d9a8b360802261012h5abd301asc1fbba4d65d3fdfd@mail.gmail.com> Disregard, this was an ID10T error on my part. ;) The test site I was using (declude.com) was backdating the messages, and my email client was throwing it to the opposite side of the list of emails. I didn't notice it until I tried against another mailbox. From MailScanner at ecs.soton.ac.uk Tue Feb 26 18:38:37 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 26 18:39:29 2008 Subject: Symantec Scan Engine In-Reply-To: <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> Message-ID: <47C45CAD.50302@ecs.soton.ac.uk> Did you ever send me a copy of the software to develop from? Alexander Nance wrote: > It replies that the scanengine is discovered properly. It is not having > a problem sending the file through to be processed, it is just ignoring > the result response. > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo > Bellavance > Sent: Tuesday, February 26, 2008 11:46 AM > To: mailscanner@lists.mailscanner.info > Subject: Re: Symantec Scan Engine > > Alexander Nance wrote: > >> I found this post in the archives but never saw a resolution: >> >> Scan Engine reports that it sees the tests as viruses but MailScanner >> simply passes the message through. >> > > What does MailScanner --lint say? > > Ugo > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From greg at blastzone.com Tue Feb 26 18:44:43 2008 From: greg at blastzone.com (Greg Deputy) Date: Tue Feb 26 18:45:23 2008 Subject: small bug in 4.66.5 In-Reply-To: <47C2E121.6000301@nerc.ac.uk> References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> Message-ID: <3eb901c878a7$a74bbf90$f5e33eb0$@com> So this would explain no virus scanning being called out in the logs? This suddenly started on my installation on 2/23, but not sure why it stopped logging virus scanning at that time. I confirmed messages are being scanned and I'm getting notifications of found viruses, but nothing in the logs. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Matthews Sent: Monday, February 25, 2008 7:39 AM To: MailScanner discussion Subject: Re: small bug in 4.66.5 hmmm.... looks like this may have been in 4.62 as well as I found what looked like my own modifications in SweepViruses.pm in that version too. It looks like $Name is not getting populated in sub ProcessClamAVModOutput. The following patch corrects the log entry but doesnt address the underlying cause: --- /tmp/SweepViruses.pm 2008-02-25 15:35:28.000000000 +0000 +++ ./SweepViruses.pm 2008-02-25 15:23:30.000000000 +0000 @@ -1444,7 +1444,8 @@ ($keyword, $virusname, $filename) = split(/:: /, $line, 3); if ($keyword =~ /^error/i && $logout !~ /rar module failure/i) { - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); return 1; } elsif ($keyword =~ /^info/i || $logout =~ /rar module failure/i) { return 0; 
@@ -1452,7 +1453,8 @@ return 0; } else { # Must be an infection reports - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); ($dot, $id, $part, @rest) = split(/\//, $filename); $report = $Name . ': ' if $Name; Not sure if I'll have time to look at this further - hopefully Julian can cast some light. GREG Greg Matthews wrote: > infection reporting for ClamAVModule seems to have changed in 4.66.5 > (just upgraded from 4.62.9-2): > > Feb 25 10:03:58 mailr-w MailScanner[9708]: ClamAVModule::INFECTED:: > Email.Spam.Sanesecurity.Url_1331:: ./m1PA3YS5011217/ > Feb 25 11:17:49 mailr-w MailScanner[11304]: ::INFECTED:: > Email.Hdr.Sanesecurity.07111002:: ./m1PBHY8C011316/ > > not good for log scrapers. > > will have a quick look at the code > > GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From anance at SYSSRC.com Tue Feb 26 18:56:24 2008 
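Review bot: The hard-coded "ClamAVModule::%s" in the error branch of the first hunk (line 1447 of the new file) masks the unset $Name rather than repairing it, and the original InfoLog call is left behind as a commented-out line. Delete the dead line, and prefer setting $Name once where ProcessClamAVModOutput receives it (or falling back to the literal only when $Name is empty), so the scanner name has a single source and the two log calls cannot drift apart.

Review bot: In the second hunk the unchanged context line `$report = $Name . ': ' if $Name;` still depends on the unset $Name, so after this patch the syslog entry carries the ClamAVModule prefix while the report text built on the next line silently loses its scanner prefix. Either give $Name a value before both uses or apply the same fallback to $report, and add a comment noting that the prefix is part of the log format that scrapers match on.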
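A log scraper that survives the empty scanner prefix seen in the two log entries Greg Matthews quotes above, next to a strict pattern that silently drops such an event. This is an added example in Python, not part of the thread or of MailScanner; the field names, the `unknown` fallback and the third sample line are assumptions made here.

```python
"""Tolerant parser for MailScanner '::INFECTED::' syslog lines (added example)."""
import re
from typing import List, NamedTuple

# Lines 1-2 are the entries quoted in the thread; line 3 is constructed
# here to show that unrelated MailScanner entries are ignored.
SAMPLE_LOG = """\
Feb 25 10:03:58 mailr-w MailScanner[9708]: ClamAVModule::INFECTED:: Email.Spam.Sanesecurity.Url_1331:: ./m1PA3YS5011217/
Feb 25 11:17:49 mailr-w MailScanner[11304]: ::INFECTED:: Email.Hdr.Sanesecurity.07111002:: ./m1PBHY8C011316/
Feb 25 11:18:02 mailr-w MailScanner[11304]: constructed line that is not an infection report
"""


class Infection(NamedTuple):
    timestamp: str
    host: str
    pid: int
    scanner: str           # "unknown" when the log prefix was empty (assumed label)
    scanner_missing: bool  # True marks the degraded "::INFECTED::" form
    signature: str
    queue_id: str          # second path element, as in the Perl split on "/"
    part: str              # path below the queue id, may be ""


_PREFIX = (
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: "
)
_BODY = r"::INFECTED:: (?P<sig>\S+?):: (?P<path>\S+)\s*$"

# A scraper written against the old format: it insists on a scanner name
# and therefore never matches a line that starts with "::INFECTED::".
STRICT_RE = re.compile(_PREFIX + r"(?P<scanner>\w+)" + _BODY)
# Tolerant form: the scanner name may be empty.
TOLERANT_RE = re.compile(_PREFIX + r"(?P<scanner>\w*)" + _BODY)


def parse_infections(log_text: str, pattern: re.Pattern = TOLERANT_RE) -> List[Infection]:
    """Return one Infection per matching line; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m is None:
            continue
        # "./<queue id>/<part...>" splits into [".", queue id, part...]
        pieces = m.group("path").split("/")
        scanner = m.group("scanner")
        events.append(Infection(
            timestamp=m.group("ts"),
            host=m.group("host"),
            pid=int(m.group("pid")),
            scanner=scanner or "unknown",
            scanner_missing=(scanner == ""),
            signature=m.group("sig"),
            queue_id=pieces[1] if len(pieces) > 1 else "",
            part="/".join(pieces[2:]),
        ))
    return events


def missed_by_strict(log_text: str) -> List[Infection]:
    """Events the tolerant parser reports but the strict pattern drops."""
    seen = {(e.timestamp, e.queue_id) for e in parse_infections(log_text, STRICT_RE)}
    return [e for e in parse_infections(log_text)
            if (e.timestamp, e.queue_id) not in seen]


if __name__ == "__main__":
    for e in parse_infections(SAMPLE_LOG):
        flag = " (scanner prefix missing)" if e.scanner_missing else ""
        print(f"{e.timestamp} {e.queue_id} {e.scanner} {e.signature}{flag}")
    print("dropped by strict pattern:",
          [e.queue_id for e in missed_by_strict(SAMPLE_LOG)])
```

Counting `scanner_missing` events separately gives an alertable signal that the log format has degraded, instead of a quiet fall in detections.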
From: anance at SYSSRC.com (Alexander Nance) Date: Tue Feb 26 18:56:59 2008 Subject: Symantec Scan Engine In-Reply-To: <47C45CAD.50302@ecs.soton.ac.uk> References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> <47C45CAD.50302@ecs.soton.ac.uk> Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA552E@exchange.SYSSRCAD.SYSSRC.com> I was not the one that did the initial request, it is however available for a 30 day trial directly from Symantec. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Tuesday, February 26, 2008 1:39 PM To: MailScanner discussion Subject: Re: Symantec Scan Engine -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Did you ever send me a copy of the software to develop from? Alexander Nance wrote: > It replies that the scanengine is discovered properly. It is not having > a problem sending the file through to be processed, it is just ignoring > the result response. > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo > Bellavance > Sent: Tuesday, February 26, 2008 11:46 AM > To: mailscanner@lists.mailscanner.info > Subject: Re: Symantec Scan Engine > > Alexander Nance wrote: > >> I found this post in the archives but never saw a resolution: >> >> Scan Engine reports that is sees the tests as viruses but MailScanner >> simply passes the message through. >> > > What does MailScanner --lint say? > > Ugo > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHxFyvEfZZRxQVtlQRAmiGAJ9qsbEXldtdsO/v2JR2U1MUfYL7dwCfaiM7 wcxPWp6zk8fsfKS9HxaZYV4= =JM4g -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From greg at blastzone.com Tue Feb 26 20:24:15 2008 
From: greg at blastzone.com (Greg Deputy) Date: Tue Feb 26 20:24:56 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: <3eb901c878a7$a74bbf90$f5e33eb0$@com> References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> Message-ID: <003801c878b5$8e92acd0$abb80670$@com> Also not seeing the typical 'Virus Scanning completed at X bytes per second' or 'Batch completed at X bytes per second' messages in the log. Is this a known issue, or do I have something else going on? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Deputy Sent: Tuesday, February 26, 2008 10:45 AM To: 'MailScanner discussion' Subject: RE: small bug in 4.66.5 So this would explain no virus scanning being called out in the logs? This suddenly started on my installation on 2/23, but not sure why it stopped logging virus scanning at that time. I confirmed messages are being scanned and I'm getting notifications of found viruses, but nothing in the logs. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Matthews Sent: Monday, February 25, 2008 7:39 AM To: MailScanner discussion Subject: Re: small bug in 4.66.5 hmmm.... looks like this may have been in 4.62 as well as I found what looked like my own modifications in SweepViruses.pm in that version too. It looks like $Name is not getting populated in sub ProcessClamAVModOutput. The following patch corrects the log entry but doesnt address the underlying cause: --- /tmp/SweepViruses.pm 2008-02-25 15:35:28.000000000 +0000 +++ ./SweepViruses.pm 2008-02-25 15:23:30.000000000 +0000 
@@ -1444,7 +1444,8 @@ ($keyword, $virusname, $filename) = split(/:: /, $line, 3); if ($keyword =~ /^error/i && $logout !~ /rar module failure/i) { - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); return 1; } elsif ($keyword =~ /^info/i || $logout =~ /rar module failure/i) { return 0; 
@@ -1452,7 +1453,8 @@ return 0; } else { # Must be an infection reports - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); ($dot, $id, $part, @rest) = split(/\//, $filename); $report = $Name . ': ' if $Name; Not sure if I'll have time to look at this further - hopefully Julian can cast some light. GREG Greg Matthews wrote: > infection reporting for ClamAVModule seems to have changed in 4.66.5 > (just upgraded from 4.62.9-2): > > Feb 25 10:03:58 mailr-w MailScanner[9708]: ClamAVModule::INFECTED:: > Email.Spam.Sanesecurity.Url_1331:: ./m1PA3YS5011217/ > Feb 25 11:17:49 mailr-w MailScanner[11304]: ::INFECTED:: > Email.Hdr.Sanesecurity.07111002:: ./m1PBHY8C011316/ > > not good for log scrapers. > > will have a quick look at the code > > GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Tue Feb 26 21:31:25 2008 
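Review bot: in the error branch (hunk @@ -1444,7 +1444,8 @@) the new InfoLog call hard-codes the "ClamAVModule" prefix and the old call is left behind as a commented-out line. The message above the patch says $Name is not being populated in ProcessClamAVModOutput, so a fallback passed to the original "%s::%s" format, for example $Name || 'ClamAVModule', would keep the prefix correct once $Name is populated again and lets the dead line be dropped. A one-line comment saying why the fallback exists would help whoever tracks down the underlying cause.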
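Review bot: in the infection branch (hunk @@ -1452,7 +1453,8 @@) only the log call is corrected, while the context line "$report = $Name . ': ' if $Name;" two lines below still depends on $Name. With $Name empty, the syslog line now carries a scanner name but the report text is still built without one, so the two outputs disagree. Setting $Name once near the top of the sub when it is empty would cover both the InfoLog call and $report; if the intent is to touch only the syslog line, say so in a comment next to the change.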
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 26 21:32:12 2008 Subject: Symantec Scan Engine In-Reply-To: <15BDDC14871D2A49BFCEEEF409EB298303EA552E@exchange.SYSSRCAD.SYSSRC.com> References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> <47C45CAD.50302@ecs.soton.ac.uk> <15BDDC14871D2A49BFCEEEF409EB298303EA552E@exchange.SYSSRCAD.SYSSRC.com> Message-ID: <47C4852D.70003@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To save me lots of time, can you give me the direct URL to it please (or else the click route if there's no static URL). Alexander Nance wrote: > I was not the one that did the initial request, it is however available > for a 30 day trial directly from Symantec. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Tuesday, February 26, 2008 1:39 PM > To: MailScanner discussion > Subject: Re: Symantec Scan Engine > > > * PGP Bad Signature, Signed by an unverified key: 02/26/08 at 18:38:39 > > Did you ever send me a copy of the software to develop from? > > Alexander Nance wrote: > >> It replies that the scanengine is discovered properly. It is not >> > having > >> a problem sending the file through to be processed, it is just >> > ignoring > >> the result response. >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo >> Bellavance >> Sent: Tuesday, February 26, 2008 11:46 AM >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Symantec Scan Engine >> >> Alexander Nance wrote: >> >> >>> I found this post in the archives but never saw a resolution: >>> >>> Scan Engine reports that is sees the tests as viruses but MailScanner >>> > > >>> simply passes the message through. >>> >>> >> What does MailScanner --lint say? >> >> Ugo >> >> >> > > Jules > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHxIUvEfZZRxQVtlQRAs+KAKD8yOoRKiAOGXVhtwQ2r/dz8iue8ACgl11u cZVd5wEmWbzAZQ7koRjMc0E= =S5S7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Feb 26 21:32:26 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 26 21:32:56 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: <003801c878b5$8e92acd0$abb80670$@com> References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> Message-ID: <47C4856A.3000104@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Does this only happen with the ClamAVModule scanner? Greg Deputy wrote: > Also not seeing the typical 'Virus Scanning completed at X bytes per second' > or 'Batch completed at X bytes per second' messages in the log. > > Is this a known issue, or do I have something else going on? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Deputy > Sent: Tuesday, February 26, 2008 10:45 AM > To: 'MailScanner discussion' > Subject: RE: small bug in 4.66.5 > > So this would explain no virus scanning being called out in the logs? This > suddenly started on my installation on 2/23, but not sure why it stopped > logging virus scanning at that time. I confirmed messages are being scanned > and I'm getting notifications of found viruses, but nothing in the logs. > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg > Matthews > Sent: Monday, February 25, 2008 7:39 AM > To: MailScanner discussion > Subject: Re: small bug in 4.66.5 > > hmmm.... > > looks like this may have been in 4.62 as well as I found what looked > like my own modifications in SweepViruses.pm in that version too. > > It looks like $Name is not getting populated in sub > ProcessClamAVModOutput. The following patch corrects the log entry but > doesnt address the underlying cause: > > --- /tmp/SweepViruses.pm 2008-02-25 15:35:28.000000000 +0000 > +++ ./SweepViruses.pm 2008-02-25 15:23:30.000000000 +0000 > @@ -1444,7 +1444,8 @@ > ($keyword, $virusname, $filename) = split(/:: /, $line, 3); > > if ($keyword =~ /^error/i && $logout !~ /rar module failure/i) { > - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); > return 1; > } elsif ($keyword =~ /^info/i || $logout =~ /rar module failure/i) { > return 0; 
> @@ -1452,7 +1453,8 @@ > return 0; > } else { > # Must be an infection reports > - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); > > ($dot, $id, $part, @rest) = split(/\//, $filename); > $report = $Name . ': ' if $Name; > > Not sure if I'll have time to look at this further - hopefully Julian > can cast some light. > > GREG > > Greg Matthews wrote: > >> infection reporting for ClamAVModule seems to have changed in 4.66.5 >> (just upgraded from 4.62.9-2): >> >> Feb 25 10:03:58 mailr-w MailScanner[9708]: ClamAVModule::INFECTED:: >> Email.Spam.Sanesecurity.Url_1331:: ./m1PA3YS5011217/ >> Feb 25 11:17:49 mailr-w MailScanner[11304]: ::INFECTED:: >> Email.Hdr.Sanesecurity.07111002:: ./m1PBHY8C011316/ >> >> not good for log scrapers. >> >> will have a quick look at the code >> >> GREG >> > > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHxIVsEfZZRxQVtlQRAmDWAKCq/QZXdVFqw5fY4dysLCkWBeiNXQCginit fpZLo9XVKaOWwxFk2ZZVx/E= =R/58 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From anance at SYSSRC.com Tue Feb 26 21:45:09 2008 
From: anance at SYSSRC.com (Alexander Nance) Date: Tue Feb 26 21:45:44 2008 Subject: Symantec Scan Engine In-Reply-To: <47C4852D.70003@ecs.soton.ac.uk> References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> <47C45CAD.50302@ecs.soton.ac.uk><15BDDC14871D2A49BFCEEEF409EB298303EA552E@exchange.SYSSRCAD.SYSSRC.com> <47C4852D.70003@ecs.soton.ac.uk> Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA5533@exchange.SYSSRCAD.SYSSRC.com> Here you are: http://www.symantec.com/business/products/overview.jsp?pcid=2242&pvid=83 6_1 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Tuesday, February 26, 2008 4:31 PM To: MailScanner discussion Subject: Re: Symantec Scan Engine -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To save me lots of time, can you give me the direct URL to it please (or else the click route if there's no static URL). Alexander Nance wrote: > I was not the one that did the initial request, it is however available > for a 30 day trial directly from Symantec. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Tuesday, February 26, 2008 1:39 PM > To: MailScanner discussion > Subject: Re: Symantec Scan Engine > > > * PGP Bad Signature, Signed by an unverified key: 02/26/08 at 18:38:39 > > Did you ever send me a copy of the software to develop from? > > Alexander Nance wrote: > >> It replies that the scanengine is discovered properly. It is not >> > having > >> a problem sending the file through to be processed, it is just >> > ignoring > >> the result response. >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo >> Bellavance >> Sent: Tuesday, February 26, 2008 11:46 AM >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Symantec Scan Engine >> >> Alexander Nance wrote: >> >> >>> I found this post in the archives but never saw a resolution: >>> >>> Scan Engine reports that is sees the tests as viruses but MailScanner >>> > > >>> simply passes the message through. >>> >>> >> What does MailScanner --lint say? >> >> Ugo >> >> >> > > Jules > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHxIUvEfZZRxQVtlQRAs+KAKD8yOoRKiAOGXVhtwQ2r/dz8iue8ACgl11u cZVd5wEmWbzAZQ7koRjMc0E= =S5S7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From technician at cenpac.net.nr Tue Feb 26 22:12:04 2008 
From: technician at cenpac.net.nr (Jon Leeman) Date: Tue Feb 26 22:12:53 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: <47C4856A.3000104@ecs.soton.ac.uk> References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> Message-ID: <47C48EB4.5050001@cenpac.net.nr> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Does this only happen with the ClamAVModule scanner? > > Greg Deputy wrote: >> Also not seeing the typical 'Virus Scanning completed at X bytes per second' >> or 'Batch completed at X bytes per second' messages in the log. >> >> Is this a known issue, or do I have something else going on? >> I also seeing it (not seeing the "Virus Scanning......) with 4.66.5 on Mandriva 2007.1 using clamav. Regards, Jon From glenn.steen at gmail.com Tue Feb 26 22:23:35 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 26 22:24:09 2008 Subject: http proxy:suggestion In-Reply-To: <08d601c8788d$18ebfd60$0301a8c0@SAHOMELT> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> <087d01c87876$bcfeac20$0301a8c0@SAHOMELT> <223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com> <08d601c8788d$18ebfd60$0301a8c0@SAHOMELT> Message-ID: <223f97700802261423j6dd985c5he962bbf0aeb11144@mail.gmail.com> On 26/02/2008, Rick Cooper wrote: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > Behalf Of Glenn Steen > > Sent: Tuesday, February 26, 2008 9:45 AM > > To: MailScanner discussion > > > Subject: Re: http proxy:suggestion > > > > On 26/02/2008, Rick Cooper wrote: > > > > > > > > > > -----Original Message----- 
> > > > From: mailscanner-bounces@lists.mailscanner.info > > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > > > > > Behalf Of David Lee > > > > Sent: Tuesday, February 26, 2008 5:29 AM > > > > To: MailScanner discussion > > > > > > > Subject: RE: http proxy:suggestion > > > > > > > > On Fri, 22 Feb 2008, Rick Cooper wrote: > > > > > > > > > > wrote: > > > > > > > [...] > > > > > > >> What still seems absent is recognising > > "http_proxy" when > > > > > > run under "cron". > > > > > > >> > > > > > > >> Those scripts already do: > > > > > > >> if [ -f /etc/sysconfig/MailScanner ] ; then > > > > > > >> . /etc/sysconfig/MailScanner > > > > > > >> fi > > > > > > >> > > > > > > >> But that file seems oriented to variables specific to > > > > > > "MailScanner.conf". > > > > > > >> > > > > > > >> Could there also be a "/etc/sysconfig/MailScannerEnv" > > > > > > (or similar) whose > > > > > > >> purpose would be for environment variables > > for scripts? > > > > > > > > > > [...] That said, why not use the (.)?wgetrc and > > (.)?curlrc files to > > > > > enter the default proxy/user/password information on > > > > systems that need this > > > > > information? I have done this in the past for a specific > > > > server for a > > > > > specific reason. > > > > > > > > Good idea. Thanks. I've just tried it (/etc/wgetrc) > > and it seems to > > > > work... for the 'update_phishing_sites' and > > > > 'update_bad_phishing_sites' > > > > cron jobs. > > > > > > > > That just leaves the MS 'update_spamassassin' cron job; is > > > > there some way > > > > to arrange for it, when run under 'cron', to obtain > > > > 'http_proxy' somehow > > > > from somewhere? > > > > > > > > > > > > > > > > > Well if you are running linux you can just add the ENV > > item at the top of > > > the correct user's crontab. It seems like solaris doesn't > > allow for that. 
> > > Remember it's not exported though, it's in the format of > > > > > > VAR=VALUE > > > > > > Since sa-update uses LWP I don't believe there are any rc > > files to handle > > > that. > > > > > > > > > Rick > > > > > Correct me if I'm wrong, but this "issue" is only an issue on > > platforms where the install will actually set up the cron jobs for > > you, right? I don't think the stock source install does that... So > > what Solaris or whatever use for cron is rather immaterial, since > > it'll be you (as admin) that will be doing those entries > > anyway... And > > the timetested sh -c ";" would work well > > enough... Right? > > Or am I missing something obvious? To my eyes, the http_proxy setting > > for LWP could well go anywhere, on the installs that need > > them. Having > > another conf file to massage afterwards would just confuse the matter > > (IMO:-). So put it in the sysconfig file... commented out with > > something nice above for us to read:-)... Less changes for Jules, > > little real "semantic" problems... > > > > > I think the original problem was that all distros don't use the sysconfig > file... Mostly a redhat thing, and I think someone said deb. Using the sh -c > option would work but the script he specifically mentioned clearly states at > the top not to edit it, I assume this means it's overwritten on upgrade. If > he adds the environment proxy stuff at the top of the crontab for the user > that runs the script in question it would be immune to upgrade tampering. > > The easiest answer is to allow the server in question to pass the proxy. I > assume http(s) traffic is being redirected via an Iptables rule and simply > adding a PREROUTINING rule (before the redirect) that does an ACCEPT for > that server on outbound connections to the ports being trapped would exempt > it from forced proxy usage and the problem is then mute. 
> > It's just an opinion but I have found that, even in this day and age, *many* > programs are not proxy friendly and in the case of wget or curl you can > handle that with an rc file, not so with LWP, or others without specific ENV > items. If you need it and your OS supports it then crontab is a good place > for them because they are then available to scripts/programs that require > them and do not make specific configuration allowances for them. > I'm with you all the way Rick, no argument. My sh -c ... thingie pertains to use in a crontab, to be just that ... upgrade friendly;-) If the cron version you use don't support setting environment, then call a shell explicitly that does... oldest "trick" (and very basic/simple) in the book:-). So there really is no argument from me. I to have a vague recollection (and am too lazy to look through the thread:-) of someone mentioning debian.... well, if James does the repo thing to ... freshen... things in that department, he can do the similar thing for that packaging that Jules would do for the sysconfig thing (and J-P for the FBSD port ... :-)... And Peter for the blastwave ...:D Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From greg at blastzone.com Tue Feb 26 22:50:22 2008 From: greg at blastzone.com (Greg Deputy) Date: Tue Feb 26 22:51:15 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: <47C4856A.3000104@ecs.soton.ac.uk> References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> Message-ID: <00da01c878c9$f891e650$e9b5b2f0$@com> This is clamav on Debian Etch -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Tuesday, February 26, 2008 1:32 PM To: MailScanner discussion Subject: Re: small bug in 4.66.5 - log entries missing -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Does this only happen with the ClamAVModule scanner? Greg Deputy wrote: > Also not seeing the typical 'Virus Scanning completed at X bytes per second' > or 'Batch completed at X bytes per second' messages in the log. > > Is this a known issue, or do I have something else going on? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Deputy > Sent: Tuesday, February 26, 2008 10:45 AM > To: 'MailScanner discussion' > Subject: RE: small bug in 4.66.5 > > So this would explain no virus scanning being called out in the logs? This > suddenly started on my installation on 2/23, but not sure why it stopped > logging virus scanning at that time. I confirmed messages are being scanned > and I'm getting notifications of found viruses, but nothing in the logs. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg > Matthews > Sent: Monday, February 25, 2008 7:39 AM > To: MailScanner discussion > Subject: Re: small bug in 4.66.5 > > hmmm.... > > looks like this may have been in 4.62 as well as I found what looked > like my own modifications in SweepViruses.pm in that version too. > > It looks like $Name is not getting populated in sub > ProcessClamAVModOutput. The following patch corrects the log entry but > doesnt address the underlying cause: > > --- /tmp/SweepViruses.pm 2008-02-25 15:35:28.000000000 +0000 > +++ ./SweepViruses.pm 2008-02-25 15:23:30.000000000 +0000 
> @@ -1444,7 +1444,8 @@ > ($keyword, $virusname, $filename) = split(/:: /, $line, 3); > > if ($keyword =~ /^error/i && $logout !~ /rar module failure/i) { > - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); > return 1; > } elsif ($keyword =~ /^info/i || $logout =~ /rar module failure/i) { > return 0; 
> @@ -1452,7 +1453,8 @@ > return 0; > } else { > # Must be an infection reports > - MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > + #MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > + MailScanner::Log::InfoLog("ClamAVModule::%s", $logout); > > ($dot, $id, $part, @rest) = split(/\//, $filename); > $report = $Name . ': ' if $Name; > > Not sure if I'll have time to look at this further - hopefully Julian > can cast some light. > > GREG > > Greg Matthews wrote: > >> infection reporting for ClamAVModule seems to have changed in 4.66.5 >> (just upgraded from 4.62.9-2): >> >> Feb 25 10:03:58 mailr-w MailScanner[9708]: ClamAVModule::INFECTED:: >> Email.Spam.Sanesecurity.Url_1331:: ./m1PA3YS5011217/ >> Feb 25 11:17:49 mailr-w MailScanner[11304]: ::INFECTED:: >> Email.Hdr.Sanesecurity.07111002:: ./m1PBHY8C011316/ >> >> not good for log scrapers. >> >> will have a quick look at the code >> >> GREG >> > > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHxIVsEfZZRxQVtlQRAmDWAKCq/QZXdVFqw5fY4dysLCkWBeiNXQCginit fpZLo9XVKaOWwxFk2ZZVx/E= =R/58 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From anance at SYSSRC.com Tue Feb 26 23:08:21 2008 
From: anance at SYSSRC.com (Alexander Nance)
Date: Tue Feb 26 23:08:55 2008
Subject: Symantec Scan Engine
In-Reply-To: <47C4852D.70003@ecs.soton.ac.uk>
References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> <47C45CAD.50302@ecs.soton.ac.uk><15BDDC14871D2A49BFCEEEF409EB298303EA552E@exchange.SYSSRCAD.SYSSRC.com> <47C4852D.70003@ecs.soton.ac.uk>
Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA5538@exchange.SYSSRCAD.SYSSRC.com>

BTW in an effort to debug a little more I added a >>/tmp/log.txt to the symscanengine-wrapper, below is a sample of the output

./1JU8mP-0005Pi-B1/eicar.txt 1
./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s):
File Name: eicar.txt
Virus Name: EICAR Test String
Virus ID: 11101
Disposition: Infected
./1JU8mP-0005Pi-B1.header 1
./1JU8mP-0005Pi-B1.header had 1 infection(s):
File Name: 1JU8mP-0005Pi-B1.header
Virus Name: Malformed container violation
Virus ID: -8
Disposition: Infected
Virus scan process began : Tue Feb 26 18:00:12 2008
Virus scan process completed : Tue Feb 26 18:00:12 2008
Defs Version = 20080226.002
Commandline Scanner = 4.2.2.8
Total Bytes = 577 (Bytes 577.0000)
Elapsed = 0.0810
Scan Rate = 6.96 (Kbytes/sec)
Files Excluded = 0
Files Scanned = 2
Directories Scanned = 2
Directories Excluded = 0
Files Skipped = 0
Files Scan Error = 0
Files Infected = 2
No error was found during the scan
Infected file(s) list:
./1JU8mP-0005Pi-B1/eicar.txt infected
./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s):
File Name: eicar.txt
Virus Name: EICAR Test String
Virus ID: 11101
Disposition: Infected
./1JU8mP-0005Pi-B1.header infected
./1JU8mP-0005Pi-B1.header had 1 infection(s):
File Name: 1JU8mP-0005Pi-B1.header
Virus Name: Malformed container violation
Virus ID: -8
Disposition: Infected

./1JU8nT-0005Qx-Dm/log.txt 0
./1JU8nT-0005Qx-Dm.header 1
./1JU8nT-0005Qx-Dm.header had 1 infection(s):
File Name: 1JU8nT-0005Qx-Dm.header
Virus Name: Malformed container violation
Virus ID: -8
Disposition: Infected
Virus scan process began : Tue Feb 26 18:01:20 2008
Virus scan process completed : Tue Feb 26 18:01:20 2008
Defs Version = 20080226.002
Commandline Scanner = 4.2.2.8
Total Bytes = 1802 (Kbytes 1.7598)
Elapsed = 0.0810
Scan Rate = 21.73 (Kbytes/sec)
Files Excluded = 0
Files Scanned = 2
Directories Scanned = 2
Directories Excluded = 0
Files Skipped = 0
Files Scan Error = 0
Files Infected = 1
No error was found during the scan
Infected file(s) list:
./1JU8nT-0005Qx-Dm.header infected
./1JU8nT-0005Qx-Dm.header had 1 infection(s):
File Name: 1JU8nT-0005Qx-Dm.header
Virus Name: Malformed container violation
Virus ID: -8
Disposition: Infected

Mail log shows the following:

Feb 26 18:00:12 scanner4 MailScanner[20815]: Virus and Content Scanning: Starting
Feb 26 18:00:12 scanner4 MailScanner[20815]: Uninfected: Delivered 1 messages
Feb 26 18:00:12 scanner4 MailScanner[20815]: Logging message 1JU8mP-0005Pi-B1 to SQL
Feb 26 18:00:15 scanner4 MailScanner[19515]: 1JU8mP-0005Pi-B1: Logged to MailWatch SQL
Feb 26 18:01:18 scanner4 MailScanner[19874]: New Batch: Scanning 1 messages, 2458 bytes
Feb 26 18:01:20 scanner4 MailScanner[19874]: Virus and Content Scanning: Starting
Feb 26 18:01:20 scanner4 MailScanner[19874]: Uninfected: Delivered 1 messages
Feb 26 18:01:20 scanner4 MailScanner[19874]: Logging message 1JU8nT-0005Qx-Dm to SQL
Feb 26 18:01:20 scanner4 MailScanner[19515]: 1JU8nT-0005Qx-Dm: Logged to MailWatch SQL

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Tuesday, February 26, 2008 4:31 PM To: MailScanner discussion Subject: Re: Symantec Scan Engine -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To save me lots of time, can you give me the direct URL to it please (or else the click route if there's no static URL). Alexander Nance wrote: > I was not the one that did the initial request, it is however available > for a 30 day trial directly from Symantec. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Tuesday, February 26, 2008 1:39 PM > To: MailScanner discussion > Subject: Re: Symantec Scan Engine > > > * PGP Bad Signature, Signed by an unverified key: 02/26/08 at 18:38:39 > > Did you ever send me a copy of the software to develop from? > > Alexander Nance wrote: > >> It replies that the scanengine is discovered properly. It is not >> > having > >> a problem sending the file through to be processed, it is just >> > ignoring > >> the result response. >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo >> Bellavance >> Sent: Tuesday, February 26, 2008 11:46 AM >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Symantec Scan Engine >> >> Alexander Nance wrote: >> >> >>> I found this post in the archives but never saw a resolution: >>> >>> Scan Engine reports that is sees the tests as viruses but MailScanner >>> > > >>> simply passes the message through. >>> >>> >> What does MailScanner --lint say? >> >> Ugo >> >> >> > > Jules > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHxIUvEfZZRxQVtlQRAs+KAKD8yOoRKiAOGXVhtwQ2r/dz8iue8ACgl11u cZVd5wEmWbzAZQ7koRjMc0E= =S5S7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Wed Feb 27 00:00:47 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 27 00:01:48 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: <47C4856A.3000104@ecs.soton.ac.uk> References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> Message-ID: on 2/26/2008 1:32 PM Julian Field spake the following: > Does this only happen with the ClamAVModule scanner? > I just had some time to look at my systems and I am not seeing this. Back in December I saw the report change from Dec 30 05:38:03 mail MailScanner[28877]: ClamAV Module::INFECTED:: Email.Hdr.San esecurity.07091600:: ./lBUDb5e1031892/ to Feb 26 15:30:02 mail MailScanner[17626]: ClamAVModule::INFECTED:: Email.Spam.Gen 2443.Sanesecurity.08020714:: ./m1QNTefQ019501/ Just the space between ClamAV and Module. Maybe there was some change in the perl logging module? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From shuttlebox at gmail.com Wed Feb 27 09:06:45 2008 
From: shuttlebox at gmail.com (shuttlebox) Date: Wed Feb 27 09:07:19 2008 Subject: http proxy:suggestion In-Reply-To: <223f97700802261423j6dd985c5he962bbf0aeb11144@mail.gmail.com> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> <087d01c87876$bcfeac20$0301a8c0@SAHOMELT> <223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com> <08d601c8788d$18ebfd60$0301a8c0@SAHOMELT> <223f97700802261423j6dd985c5he962bbf0aeb11144@mail.gmail.com> Message-ID: <625385e30802270106m567b5295p9203f404e46e3d61@mail.gmail.com> On Tue, Feb 26, 2008 at 11:23 PM, Glenn Steen wrote: > I too have a vague recollection (and am too lazy to look through the > thread:-) of someone mentioning debian.... well, if James does the > repo thing to ... freshen... things in that department, he can do the > similar thing for that packaging that Jules would do for the sysconfig > thing (and J-P for the FBSD port ... :-)... And Peter for the > blastwave ...:D I'm not sure if I get what you're after here (and I'm also too lazy to check the thread :-) but what I meant in my post was that if more work was to be put into the scripts they should be as generic as possible, not geared even more towards one or a few Linux distributions. Of course I can make changes in the Blastwave edition for Solaris but I will have to make them for every release. I already do quite a lot of modifications to make for a smooth experience on Solaris and Julian has already done some changes to help out. I just thought the original suggestion from David was going in the wrong direction when it comes to making it easy to support multiple platforms. I guess it comes down to me thinking of the tar distribution of MailScanner as the "core" one but many users are on RH-derived systems and they think of the RPM-dist as the main one. :-) -- /peter From glenn.steen at gmail.com Wed Feb 27 12:03:50 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 27 12:04:25 2008 Subject: http proxy:suggestion In-Reply-To: <625385e30802270106m567b5295p9203f404e46e3d61@mail.gmail.com> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> <087d01c87876$bcfeac20$0301a8c0@SAHOMELT> <223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com> <08d601c8788d$18ebfd60$0301a8c0@SAHOMELT> <223f97700802261423j6dd985c5he962bbf0aeb11144@mail.gmail.com> <625385e30802270106m567b5295p9203f404e46e3d61@mail.gmail.com> Message-ID: <223f97700802270403j645f1831pbd7797236d926b9c@mail.gmail.com> On 27/02/2008, shuttlebox wrote: > On Tue, Feb 26, 2008 at 11:23 PM, Glenn Steen wrote: > > I too have a vague recollection (and am too lazy to look through the > > thread:-) of someone mentioning debian.... well, if James does the > > repo thing to ... freshen... things in that department, he can do the > > similar thing for that packaging that Jules would do for the sysconfig > > thing (and J-P for the FBSD port ... :-)... And Peter for the > > blastwave ...:D > > > I'm not sure if I get what you're after here (and I'm also too lazy to > check the thread :-) but what I meant in my post was that if more work > was to be put into the scripts they should be as generic as possible, > not geared even more towards one or a few Linux distributions. > > Of course I can make changes in the Blastwave edition for Solaris but > I will have to make them for every release. I already do quite a lot > of modifications to make for a smooth experience on Solaris and Julian > has already done some changes to help out. I just thought the original > suggestion from David was going in the wrong direction when it comes > to making it easy to support multiple platforms. Yes, I see your point... But don't you already facilitate the cron jobs in your packaging? Handling this there would be a minor issue, surely? 
> I guess it comes down to me thinking of the tar distribution of > MailScanner as the "core" one but many users are on RH-derived systems > and they think of the RPM-dist as the main one. :-) :-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From t.d.lee at durham.ac.uk Wed Feb 27 12:17:39 2008 From: t.d.lee at durham.ac.uk (David Lee) Date: Wed Feb 27 12:18:35 2008 Subject: "Use SpamAssassin = auto"? Message-ID: Julian: An idle thought... You already have a default "Virus Scanners = auto" to find whatever virus scanners are available. That "auto" setting is right for most of the people most of the time: they generally don't need to do anything. How about extending that same principle to "Use SpamAssassin"? So the default setting could be "Use SpamAssassin = auto" which, similarly, would be right for most of the people most of the time. Just a thought. Actually in theory, in future, if there were multiple anti-spam engines available one could envisage a "Spam Scanners = auto"... -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From rcooper at dwford.com Wed Feb 27 13:15:53 2008 From: rcooper at dwford.com (Rick Cooper) Date: Wed Feb 27 13:16:35 2008 Subject: http proxy:suggestion In-Reply-To: <223f97700802261423j6dd985c5he962bbf0aeb11144@mail.gmail.com> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com><47BEFA91.1010200@ecs.soton.ac.uk><056c01c87584$110bd4a0$0301a8c0@SAHOMELT><087d01c87876$bcfeac20$0301a8c0@SAHOMELT><223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com><08d601c8788d$18ebfd60$0301a8c0@SAHOMELT> <223f97700802261423j6dd985c5he962bbf0aeb11144@mail.gmail.com> Message-ID: <0b7901c87942$e2305580$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Glenn Steen > Sent: Tuesday, February 26, 2008 5:24 PM > To: MailScanner discussion > Subject: Re: http proxy:suggestion > > On 26/02/2008, Rick Cooper wrote: > > > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > > > Behalf Of Glenn Steen > > > Sent: Tuesday, February 26, 2008 9:45 AM > > > To: MailScanner discussion > > [...] > > > I'm with you all the way Rick, no argument. My sh -c ... thingie > pertains to use in a crontab, to be just that ... upgrade friendly;-) > If the cron version you use doesn't support setting environment, then > call a shell explicitly that does... oldest "trick" (and very > basic/simple) in the book:-). > So there really is no argument from me. > I too have a vague recollection (and am too lazy to look through the > thread:-) of someone mentioning debian.... well, if James does the > repo thing to ... freshen... things in that department, he can do the > similar thing for that packaging that Jules would do for the > sysconfig > thing (and J-P for the FBSD port ... :-)... And Peter for the > blastwave ...:D > I was under the impression that MS wrote the cron entries, but I guess that would work anyway if he just added the prepend. I guess the whole question just doesn't seem to me a MailScanner item. If MS cannot access the web what other issues are likely to occur with other software now/down the road. This issue just seems to be a SysOp (does any one use that term any more?) issue not a MS issue. Rick From ugob at lubik.ca Wed Feb 27 13:24:19 2008 
From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Feb 27 13:25:07 2008 Subject: "Use SpamAssassin = auto"? In-Reply-To: References: Message-ID: David Lee wrote: > Julian: An idle thought... > > You already have a default "Virus Scanners = auto" to find whatever virus > scanners are available. That "auto" setting is right for most of the > people most of the time: they generally don't need to do anything. > > How about extending that same principle to "Use SpamAssassin"? So the > default setting could be "Use SpamAssassin = auto" which, similarly, would > be right for most of the people most of the time. > > Just a thought. This setting is mostly to have a ruleset for SA scanning, and I think that many of us have a ruleset there, so it wouldn't change much to have an 'auto' option. Ugo From ugob at lubik.ca Wed Feb 27 13:26:02 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Feb 27 13:30:17 2008 Subject: Having one config file per domain support in MailScanner ? In-Reply-To: <47C3B82D.5030706@vanderkooij.org> References: <76074.43497.qm@web33306.mail.mud.yahoo.com> <47C3B82D.5030706@vanderkooij.org> Message-ID: Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Michael Mansour wrote: > | Hi, > | > | Does MailScanner support having one config per domain? > | ie. instead of putting everything into the one config > | file like: > | > | /etc/MailScanner/rules/someMSoption.rules > | From: blah@domain1.com no > | From: blah@domain2.com no > | FromOrTo: default yes > | > | you can have it like: > | > | /etc/MailScanner/rules/MSoption1.rules > | From: blah@domain1.com no > | FromOrTo: default yes > | > | /etc/MailScanner/rules/MSoption1.rules > | 
From: blah@domain2.com no > | FromOrTo: default yes > > But what does one gain this way? (Besides from your duplicate use of the > same file ;-) And how do you expect it to behave? Because you redefined > the default. > > I could see some logic in getting the data from SQL instead of fixed > files. Then you can fill the table anyway you like it. > > In fact about 5 minutes after I installed MailWatch I started to itch to > add a lot of tables to the database and write up some code to make use > of it. But as MailWatch 2.0 was just under development I decided to sit > it out. I am not sure how much of it is going to be in MailWatch 2.0 but > ~ that would be my way to work the issue. Wise decision. MW 2.0 should be out soon. Ugo From glenn.steen at gmail.com Wed Feb 27 13:40:20 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 27 13:40:55 2008 Subject: "Use SpamAssassin = auto"? In-Reply-To: References: Message-ID: <223f97700802270540q46d370c0i3bac97575ce090e1@mail.gmail.com> On 27/02/2008, David Lee wrote: > > Julian: An idle thought... > > You already have a default "Virus Scanners = auto" to find whatever virus > scanners are available. That "auto" setting is right for most of the > people most of the time: they generally don't need to do anything. > > How about extending that same principle to "Use SpamAssassin"? So the > default setting could be "Use SpamAssassin = auto" which, similarly, would > be right for most of the people most of the time. > > Just a thought. > > > > Actually in theory, in future, if there were multiple anti-spam engines > available one could envisage a "Spam Scanners = auto"... > > Um, call me stupid, but ... for a setting where "yes" is essentially right for most people, and "no" is the other possibility, what kind of purpose would "auto" fill? Apart from the warm fuzzy feeling of having this automatically right:-):-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Feb 27 13:41:34 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 27 13:42:24 2008 Subject: "Use SpamAssassin = auto"? In-Reply-To: References: Message-ID: <47C5688E.6060901@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Lee wrote: > Julian: An idle thought... > > You already have a default "Virus Scanners = auto" to find whatever virus > scanners are available. That "auto" setting is right for most of the > people most of the time: they generally don't need to do anything. > > How about extending that same principle to "Use SpamAssassin"? So the > default setting could be "Use SpamAssassin = auto" which, similarly, would > be right for most of the people most of the time. > Use SpamAssassin = yes already achieves the same end. > Just a thought. > > > > Actually in theory, in future, if there were multiple anti-spam engines > available one could envisage a "Spam Scanners = auto"... > > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHxWiPEfZZRxQVtlQRAsRsAJ9s4685fcgYkCg+8/vgEb9Hje1qnwCg7vUP aYDtzsJJBb5ZUWfT1k45mV0= =A+k+ -----END PGP SIGNATURE----- From glenn.steen at gmail.com Wed Feb 27 13:44:40 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 27 13:45:16 2008 Subject: http proxy:suggestion In-Reply-To: <0b7901c87942$e2305580$0301a8c0@SAHOMELT> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> <087d01c87876$bcfeac20$0301a8c0@SAHOMELT> <223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com> <08d601c8788d$18ebfd60$0301a8c0@SAHOMELT> <223f97700802261423j6dd985c5he962bbf0aeb11144@mail.gmail.com> <0b7901c87942$e2305580$0301a8c0@SAHOMELT> Message-ID: <223f97700802270544xf5d381ax94fc2c832527aeb5@mail.gmail.com> On 27/02/2008, Rick Cooper wrote: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Glenn Steen > > > Sent: Tuesday, February 26, 2008 5:24 PM > > To: MailScanner discussion > > Subject: Re: http proxy:suggestion > > > > On 26/02/2008, Rick Cooper wrote: > > > > > > > > > > -----Original Message----- 
> > > > From: mailscanner-bounces@lists.mailscanner.info > > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > > > > > Behalf Of Glenn Steen > > > > Sent: Tuesday, February 26, 2008 9:45 AM > > > > To: MailScanner discussion > > > > > [...] > > > > > I'm with you all the way Rick, no argument. My sh -c ... thingie > > pertains to use in a crontab, to be just that ... upgrade friendly;-) > > If the cron version you use doesn't support setting environment, then > > call a shell explicitly that does... oldest "trick" (and very > > basic/simple) in the book:-). > > So there really is no argument from me. > > I too have a vague recollection (and am too lazy to look through the > > thread:-) of someone mentioning debian.... well, if James does the > > repo thing to ... freshen... things in that department, he can do the > > similar thing for that packaging that Jules would do for the > > sysconfig > > thing (and J-P for the FBSD port ... :-)... And Peter for the > > blastwave ...:D > > > > > I was under the impression that MS wrote the cron entries, but I guess that > would work anyway if he just added the prepend. I guess the whole question > just doesn't seem to me a MailScanner item. If MS cannot access the web what > other issues are likely to occur with other software now/down the road. This > issue just seems to be a SysOp (does any one use that term any more?) issue > not a MS issue. Yes, definitely, more a SysAdm/SysOp issue, and just possibly (very remotely, depending of course on focus) an issue concerning packaging... And then there were two dinosaurs on the list... (Since I know what you mean by "SysOp" and have been known to use the term (recently)...:-) > Rick > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mi6 at orcon.net.nz Wed Feb 27 13:52:53 2008 
From: mi6 at orcon.net.nz (Charlie) Date: Wed Feb 27 13:53:41 2008 Subject: Tnef setting and forwarding Outlook contacts References: <9ee5ed4c54696742acf45d519a5bb0c9@solidstatelogic.com> Message-ID: <2ed901c87948$0d5d8ca0$0200a8c0@CharlieCompaq> >----- Original Message ----- >From: "Martin.Hepworth" >To: "MailScanner discussion" >Sent: Wednesday, February 27, 2008 1:47 AM >Subject: RE: Tnef setting and forwarding Outlook contacts > >Hi > >The TNEF expander works in interesting ways.... > >Some people have more success with the internal setting and some with the >external. > >Try flipping it to the alternate setting to what you have in >MailScanner.conf. > >-- >Martin Hepworth >Snr Systems Administrator .Solid State Logic >Tel: +44 (0)1865 842300 Thanks Martin but I've tried using both the internal TNEF expander *and* the external one that was on my computer and there is the same result with both. > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Charlie > Sent: 26 February 2008 14:37 > To: MailScanner discussion > Subject: Tnef setting and forwarding Outlook contacts > > Hi, thanks for all the previous help with other requests. > > I have reinstalled MailScanner, but have run into an old problem. > Whenever I try to 'forward' a contact from Outlook (by clicking on > 'Contacts' then right-clicking a particular contact and then choosing > 'Forward'), the attachment's name is changed (by the way, it shouldn't be > changed) to be 'Untitled Attachment' when I have the following setting in > MailScanner.conf: > Deliver Unparsable TNEF = no > > However, when I make it 'Deliver Unparsable TNEF = yes' the attachment is > removed entirely! > > Is this a new bug? In the previous version when I changed Deliver > Unparsable > TNEF to 'yes' the correctly named and formatted attachment was delivered. > Now, nothing is delivered. > > Cheers! > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. 
We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From J.Ede at birchenallhowden.co.uk Wed Feb 27 14:11:22 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Feb 27 14:15:13 2008 Subject: Allow Password protected? Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C135C640AF5@server02.bhl.local> We have clients who send/receive password protected zip files. Would it be possible to have an extra option on Allow-password-protected-archives of warn so that the zip file could be allowed through but a warning placed in the email that the contents of the archive have not been scanned for viruses as it's password protected? Jason From jaearick at colby.edu Wed Feb 27 15:30:25 2008 
From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Feb 27 15:31:10 2008 Subject: phishing_bad_sites broken? Message-ID: Julian, My hourly cronjob to update bad phishing sites has been broken for the last day or so: /opt/MailScanner/bin/update_bad_phishing_sites --10:25:27-- http://www.mailscanner.eu/phishing.bad.sites.conf.master => `phishing.bad.sites.conf.master' Resolving www.mailscanner.eu... 127.0.0.1 Connecting to www.mailscanner.eu|127.0.0.1|:80... failed: Connection refused. Is something broken in DNS land? This address always resolves to loopback here. Anybody else seeing this? Jeff Earickson Colby College From anance at SYSSRC.com Wed Feb 27 15:44:17 2008 From: anance at SYSSRC.com (Alexander Nance) Date: Wed Feb 27 15:44:52 2008 Subject: phishing_bad_sites broken? In-Reply-To: References: Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA553B@exchange.SYSSRCAD.SYSSRC.com> Seeing the same thing from here as well. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson Sent: Wednesday, February 27, 2008 10:30 AM To: mailscanner mailing list Subject: phishing_bad_sites broken? Julian, My hourly cronjob to update bad phishing sites has been broken for the last day or so: /opt/MailScanner/bin/update_bad_phishing_sites --10:25:27-- http://www.mailscanner.eu/phishing.bad.sites.conf.master => `phishing.bad.sites.conf.master' Resolving www.mailscanner.eu... 127.0.0.1 Connecting to www.mailscanner.eu|127.0.0.1|:80... failed: Connection refused. Is something broken in DNS land? This address always resolves to loopback here. Anybody else seeing this? Jeff Earickson Colby College From martinh at solidstatelogic.com Wed Feb 27 15:47:38 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Feb 27 15:48:14 2008 Subject: phishing_bad_sites broken? In-Reply-To: Message-ID: <1390cce4819b1f4b8be49ee50dad1334@solidstatelogic.com> It's a DDOS against the domain. Hosting provider is aware of it.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson > Sent: 27 February 2008 15:30 > To: mailscanner mailing list > Subject: phishing_bad_sites broken? > > Julian, > > My hourly cronjob to update bad phishing sites has been broken > for the last day or so: > > /opt/MailScanner/bin/update_bad_phishing_sites > --10:25:27-- http://www.mailscanner.eu/phishing.bad.sites.conf.master > => `phishing.bad.sites.conf.master' > Resolving www.mailscanner.eu... 127.0.0.1 > Connecting to www.mailscanner.eu|127.0.0.1|:80... failed: Connection > refused. > > Is something broken in DNS land? This address always resolves > to loopback here. Anybody else seeing this? > > Jeff Earickson > Colby College 
From list-mailscanner at linguaphone.com Wed Feb 27 15:47:39 2008 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Feb 27 15:48:30 2008 Subject: phishing_bad_sites broken? In-Reply-To: References: Message-ID: <1204127259.13221.33.camel@gblades-suse.linguaphone-intranet.co.uk> I did notice a strange entry in my logwatch for yesterday about this file not being found on my local server by apache. I didn't bother looking into it but the address resolving to loopback makes sense now. On Wed, 2008-02-27 at 15:30, Jeff A. Earickson wrote: > Julian, > > My hourly cronjob to update bad phishing sites has been broken > for the last day or so: > > /opt/MailScanner/bin/update_bad_phishing_sites > --10:25:27-- http://www.mailscanner.eu/phishing.bad.sites.conf.master > => `phishing.bad.sites.conf.master' > Resolving www.mailscanner.eu... 127.0.0.1 > Connecting to www.mailscanner.eu|127.0.0.1|:80... failed: Connection > refused. > > Is something broken in DNS land? This address always resolves > to loopback here. Anybody else seeing this? > > Jeff Earickson > Colby College From MailScanner at ecs.soton.ac.uk Wed Feb 27 15:59:12 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 27 16:00:09 2008 Subject: phishing_bad_sites broken? In-Reply-To: References: Message-ID: <47C588D0.5010401@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is due to a suspected attack on the www.mailscanner.eu site. I will check with the Blacknight guys to see where we're at and will get back to you a.s.a.p. Jules. Jeff A. Earickson wrote: > Julian, > > My hourly cronjob to update bad phishing sites has been broken > for the last day or so: > > /opt/MailScanner/bin/update_bad_phishing_sites > --10:25:27-- http://www.mailscanner.eu/phishing.bad.sites.conf.master > => `phishing.bad.sites.conf.master' > Resolving www.mailscanner.eu... 127.0.0.1 > Connecting to www.mailscanner.eu|127.0.0.1|:80... failed: Connection > refused. > > Is something broken in DNS land? This address always resolves > to loopback here. Anybody else seeing this? > > Jeff Earickson > Colby College Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHxYjREfZZRxQVtlQRAhsBAKCl/CkI/D6BfQl6pjCTY7SI8uWhQwCePM7h OAsnuNUatTG12c3XR2xMqRU= =9Go9 -----END PGP SIGNATURE----- From mikea at mikea.ath.cx Wed Feb 27 16:16:33 2008 
From: mikea at mikea.ath.cx (mikea) Date: Wed Feb 27 16:17:13 2008 Subject: phishing_bad_sites broken? In-Reply-To: <15BDDC14871D2A49BFCEEEF409EB298303EA553B@exchange.SYSSRCAD.SYSSRC.com> References: <15BDDC14871D2A49BFCEEEF409EB298303EA553B@exchange.SYSSRCAD.SYSSRC.com> Message-ID: <20080227161633.GA42798@mikea.ath.cx> On Wed, Feb 27, 2008 at 10:44:17AM -0500, Alexander Nance wrote: > Seeing the same thing from here as well. > > -----Original Message----- > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson > > Julian, > > My hourly cronjob to update bad phishing sites has been broken > for the last day or so: > > /opt/MailScanner/bin/update_bad_phishing_sites > --10:25:27-- http://www.mailscanner.eu/phishing.bad.sites.conf.master > => `phishing.bad.sites.conf.master' > Resolving www.mailscanner.eu... 127.0.0.1 > Connecting to www.mailscanner.eu|127.0.0.1|:80... failed: Connection > refused. > > Is something broken in DNS land? This address always resolves > to loopback here. Anybody else seeing this? :r !host www.mailscanner.eu www.mailscanner.eu has address 127.0.0.1 Looks like a subtle hint to me. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From jkf at ecs.soton.ac.uk Wed Feb 27 16:46:16 2008 
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 27 16:47:05 2008
Subject: phishing_bad_sites broken?
In-Reply-To: <47C588D0.5010401@ecs.soton.ac.uk>
References: <47C588D0.5010401@ecs.soton.ac.uk>
Message-ID: <47C593D8.3070305@ecs.soton.ac.uk>

Current news appears to be this:

I suppose you could say that for some reason, 500k mailservers across the globe decided to get that file at the same time yesterday and effectively DDOSd the server www.mailscanner.eu sits on.

It will be reconnected at some point this evening hopefully, and we'll see if it bears up.

Julian Field wrote:
> * PGP Signed: 02/27/08 at 15:59:13
>
> This is due to a suspected attack on the www.mailscanner.eu site.
> I will check with the Blacknight guys to see where we're at and will
> get back to you a.s.a.p.
>
> Jules.
>
> Jeff A. Earickson wrote:
>> Julian,
>>
>> My hourly cronjob to update bad phishing sites has been broken
>> for the last day or so:
>>
>> /opt/MailScanner/bin/update_bad_phishing_sites
>> --10:25:27-- http://www.mailscanner.eu/phishing.bad.sites.conf.master
>> => `phishing.bad.sites.conf.master'
>> Resolving www.mailscanner.eu... 127.0.0.1
>> Connecting to www.mailscanner.eu|127.0.0.1|:80... failed: Connection
>> refused.
>>
>> Is something broken in DNS land? This address always resolves
>> to loopback here. Anybody else seeing this?
>>
>> Jeff Earickson
>> Colby College
>
> Jules
>

Jules

--
Julian Field MBCS CITP CEng
jkf@ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK
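An added example, not part of the original message and not MailScanner's own update script: a cron wrapper for the failure mode described above, where many servers fetch the list at the same moment and the hourly job then fails outright. It delays each run by a pseudo-random offset, installs a download only after validating it, and otherwise keeps the existing local copy; the `DEST` path, the thresholds and the one-hostname-per-line list format are assumptions, and the URL is the one in the quoted wget output.

```shell
#!/bin/sh
# Added example: jittered, fail-safe fetch of the bad-phishing-sites list.
# URL comes from the wget output quoted in the thread; everything else
# (DEST, thresholds, list format) is an assumption for illustration.
URL="http://www.mailscanner.eu/phishing.bad.sites.conf.master"
DEST="${DEST:-/tmp/phishing.bad.sites.conf}"  # placeholder, set to your install
MAX_DELAY="${MAX_DELAY:-3000}"      # spread runs over 50 minutes of the hour
MAX_AGE_DAYS="${MAX_AGE_DAYS:-3}"   # complain once the local copy is this old
MIN_ENTRIES="${MIN_ENTRIES:-10}"    # fewer hostname lines than this = reject

# Map a seed string to a delay in [0, max) seconds via its CRC.
jitter_seconds() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( crc % $2 ))
}

# Accept a download only if it is non-empty, is not an HTML error page and
# has enough hostname-like lines (assumed format: one hostname per line).
looks_like_list() {
    [ -s "$1" ] || return 1
    if grep -Eqi '<html|<!doctype' "$1"; then return 1; fi
    count=$(grep -Ec '^[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}[[:space:]]*$' "$1" || true)
    [ "$count" -ge "$MIN_ENTRIES" ]
}

# Swap in a validated download; on rejection the old copy stays untouched.
install_if_valid() {
    if looks_like_list "$1"; then
        chmod 644 "$1"      # mktemp creates 0600; the scanner must read it
        mv -f "$1" "$2"     # temp file lives beside DEST, so this is a rename
        return 0
    fi
    rm -f "$1"
    return 1
}

# True when the file is missing or was modified more than $2 days ago.
is_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mtime +"$2" 2>/dev/null)" ]
}

update_phishing_list() {
    # Seed varies per host and per run, so hosts do not line up on the hour.
    sleep "$(jitter_seconds "$(hostname)-$$-$(date +%s)" "$MAX_DELAY")"
    tmp=$(mktemp "$DEST.XXXXXX") || return 1
    if wget -q -T 30 -t 1 -O "$tmp" "$URL" && install_if_valid "$tmp" "$DEST"; then
        return 0
    fi
    rm -f "$tmp"
    # A failed update is tolerable for a while; a stale list is worth an alert.
    if is_stale "$DEST" "$MAX_AGE_DAYS"; then
        echo "phishing list not updated for over $MAX_AGE_DAYS days" >&2
    fi
    return 1
}

# Only fetch when called as "script --run" (for example from cron).
if [ "${1:-}" = "--run" ]; then update_phishing_list; fi
```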
From Hostmaster at computerservicecentre.com Wed Feb 27 16:59:58 2008 
From: Hostmaster at computerservicecentre.com (Hostmaster)
Date: Wed Feb 27 17:00:56 2008
Subject: phishing_bad_sites broken?
In-Reply-To: <47C593D8.3070305@ecs.soton.ac.uk>
References: <47C588D0.5010401@ecs.soton.ac.uk> <47C593D8.3070305@ecs.soton.ac.uk>
Message-ID: <3D9C92F3075F5144B46AA2C590F48E2A7A73AD@commssrv01.computerservicecentre.com>

>Current news appears to be this:
>
>I suppose you could say that for some reason, 500k mailservers across the globe to decided to get
>that file at the same time yesterday and effectively DDOSd the server www.mailscanner.eu sits on
>

This might just be my suspicious mind, but could this be a "probe"? Let's face it, MailScanner is one of the widest-distributed wrappers for anti-spam. Say I was running a botnet, wanted to send a lot of phishing emails out, and naturally wanted to improve my chances of my phishing emails getting through. If I attack the centralised system which distributes recognised phishing URLs to a major spam filtering wrapper, my chances of getting my malicious emails goes up, doesn't it?

I've got some spare tin foil hats if anyone wants one....

BR,
Richard

From rcooper at dwford.com Wed Feb 27 17:06:34 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Feb 27 17:07:15 2008
Subject: phishing_bad_sites broken?
In-Reply-To: <47C593D8.3070305@ecs.soton.ac.uk>
References: <47C588D0.5010401@ecs.soton.ac.uk> <47C593D8.3070305@ecs.soton.ac.uk>
Message-ID: <0c2901c87963$1b41f610$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Julian Field
> Sent: Wednesday, February 27, 2008 11:46 AM
> To: MailScanner discussion
> Subject: Re: phishing_bad_sites broken?
>
> Current news appears to be this:
>
> I suppose you could say that for some reason, 500k
> mailservers across the globe to decided to get that file at
> the same time yesterday and effectively DDOSd the server
> www.mailscanner.eu sits on
>
> It will be reconnected at some point this evening hopefully,
> and we'll
> see if it bears up.

Or, someone with a botnet who likes to go phishing is pissed at MailScanner for providing the service. It would be interesting to see how many hosts are cable/dsl dynamic hosts.

Also a good time to mention you might want to add a random delay to the update script to prevent everyone setting their cron to run at midnight, 3:00 or some other hourly interval.

Rick

>
> Julian Field wrote:
> > * PGP Signed: 02/27/08 at 15:59:13
> >
> > This is due to a suspected attack on the www.mailscanner.eu site.
> > I will check with the Blacknight guys to see where we're
> at and will
> > get back to you a.s.a.p.
> >
> > Jules.
> >
> > Jeff A. Earickson wrote:
> >> Julian,
> >>
> >> My hourly cronjob to update bad phishing sites has been broken
> >> for the last day or so:
> >>
> >> /opt/MailScanner/bin/update_bad_phishing_sites
> >> --10:25:27--
> http://www.mailscanner.eu/phishing.bad.sites.conf.master
> >> => `phishing.bad.sites.conf.master'
> >> Resolving www.mailscanner.eu... 127.0.0.1
> >> Connecting to www.mailscanner.eu|127.0.0.1|:80... failed:
> Connection
> >> refused.
> >>
> >> Is something broken in DNS land? This address always resolves
> >> to loopback here. Anybody else seeing this?
> >>
> >> Jeff Earickson
> >> Colby College
> >
> > Jules
> >
>
> Jules
>
> --
> Julian Field MBCS CITP CEng
> jkf@ecs.soton.ac.uk
> Teaching Systems Manager
> Electronics & Computer Science
> University of Southampton
> SO17 1BJ, UK

From anance at SYSSRC.com Wed Feb 27 18:27:48 2008
From: anance at SYSSRC.com (Alexander Nance) Date: Wed Feb 27 18:28:24 2008 Subject: Symantec Scan Engine In-Reply-To: <15BDDC14871D2A49BFCEEEF409EB298303EA5538@exchange.SYSSRCAD.SYSSRC.com> References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> <47C45CAD.50302@ecs.soton.ac.uk><15BDDC14871D2A49BFCEEEF409EB298303EA552E@exchange.SYSSRCAD.SYSSRC.com><47C4852D.70003@ecs.soton.ac.uk> <15BDDC14871D2A49BFCEEEF409EB298303EA5538@exchange.SYSSRCAD.SYSSRC.com> Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA553E@exchange.SYSSRCAD.SYSSRC.com> Doing a little more debugging I added a couple of print to file debugging lines to SweepViruses.pm and found that it never gets to the sub ProcessSymScanEngineOutput. Second item of note is the chomp section is doing a split on '.' instead of './', this will throw off the variables going forward since anything with an attachment would also contain a '.' -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alexander Nance Sent: Tuesday, February 26, 2008 6:08 PM To: MailScanner discussion Subject: RE: Symantec Scan Engine BTW in an effort to debug a little more I added a >>/tmp/log.txt to the symscanengine-wrapper, below is a sample of the output ./1JU8mP-0005Pi-B1/eicar.txt 1 ./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s): File Name: eicar.txt Virus Name: EICAR Test String Virus ID: 11101 Disposition: Infected ./1JU8mP-0005Pi-B1.header 1 ./1JU8mP-0005Pi-B1.header had 1 infection(s): File Name: 1JU8mP-0005Pi-B1.header Virus Name: Malformed container violation Virus ID: -8 Disposition: Infected Virus scan process began : Tue Feb 26 18:00:12 2008 Virus scan process completed : Tue Feb 26 18:00:12 2008 Defs Version = 20080226.002 Commandline Scanner = 4.2.2.8 Total Bytes = 577 (Bytes 577.0000) Elapsed = 0.0810 Scan Rate = 6.96 (Kbytes/sec) Files Excluded = 0 Files Scanned = 2 Directories Scanned = 2 Directories Excluded = 0 Files Skipped = 0 Files Scan Error = 0 Files Infected = 2 No error was found during the scan Infected file(s) list: ./1JU8mP-0005Pi-B1/eicar.txt infected ./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s): File Name: eicar.txt Virus Name: EICAR Test String Virus ID: 11101 Disposition: Infected ./1JU8mP-0005Pi-B1.header infected ./1JU8mP-0005Pi-B1.header had 1 infection(s): File Name: 1JU8mP-0005Pi-B1.header Virus Name: Malformed container violation Virus ID: -8 Disposition: Infected ./1JU8nT-0005Qx-Dm/log.txt 0 ./1JU8nT-0005Qx-Dm.header 1 ./1JU8nT-0005Qx-Dm.header had 1 infection(s): File Name: 1JU8nT-0005Qx-Dm.header Virus Name: Malformed container violation Virus ID: -8 Disposition: Infected Virus scan process began : Tue Feb 26 18:01:20 2008 Virus scan process completed : Tue Feb 26 18:01:20 2008 Defs Version = 20080226.002 Commandline Scanner = 4.2.2.8 Total Bytes = 1802 (Kbytes 1.7598) Elapsed = 0.0810 Scan Rate = 21.73 (Kbytes/sec) 
Files Excluded = 0 Files Scanned = 2 Directories Scanned = 2 Directories Excluded = 0 Files Skipped = 0 Files Scan Error = 0 Files Infected = 1 No error was found during the scan Infected file(s) list: ./1JU8nT-0005Qx-Dm.header infected ./1JU8nT-0005Qx-Dm.header had 1 infection(s): File Name: 1JU8nT-0005Qx-Dm.header Virus Name: Malformed container violation Virus ID: -8 Disposition: Infected Mail log shows the following: Feb 26 18:00:12 scanner4 MailScanner[20815]: Virus and Content Scanning: Starting Feb 26 18:00:12 scanner4 MailScanner[20815]: Uninfected: Delivered 1 messages Feb 26 18:00:12 scanner4 MailScanner[20815]: Logging message 1JU8mP-0005Pi-B1 to SQL Feb 26 18:00:15 scanner4 MailScanner[19515]: 1JU8mP-0005Pi-B1: Logged to MailWatch SQL Feb 26 18:01:18 scanner4 MailScanner[19874]: New Batch: Scanning 1 messages, 2458 bytes Feb 26 18:01:20 scanner4 MailScanner[19874]: Virus and Content Scanning: Starting Feb 26 18:01:20 scanner4 MailScanner[19874]: Uninfected: Delivered 1 messages Feb 26 18:01:20 scanner4 MailScanner[19874]: Logging message 1JU8nT-0005Qx-Dm to SQL Feb 26 18:01:20 scanner4 MailScanner[19515]: 1JU8nT-0005Qx-Dm: Logged to MailWatch SQL -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Tuesday, February 26, 2008 4:31 PM To: MailScanner discussion Subject: Re: Symantec Scan Engine -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To save me lots of time, can you give me the direct URL to it please (or else the click route if there's no static URL). Alexander Nance wrote: > I was not the one that did the initial request, it is however available > for a 30 day trial directly from Symantec. > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Tuesday, February 26, 2008 1:39 PM > To: MailScanner discussion > Subject: Re: Symantec Scan Engine > > > * PGP Bad Signature, Signed by an unverified key: 02/26/08 at 18:38:39 > > Did you ever send me a copy of the software to develop from? > > Alexander Nance wrote: > >> It replies that the scanengine is discovered properly. It is not >> > having > >> a problem sending the file through to be processed, it is just >> > ignoring > >> the result response. >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo >> Bellavance >> Sent: Tuesday, February 26, 2008 11:46 AM >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Symantec Scan Engine >> >> Alexander Nance wrote: >> >> >>> I found this post in the archives but never saw a resolution: >>> >>> Scan Engine reports that is sees the tests as viruses but MailScanner >>> > > >>> simply passes the message through. >>> >>> >> What does MailScanner --lint say? >> >> Ugo >> >> >> > > Jules > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHxIUvEfZZRxQVtlQRAs+KAKD8yOoRKiAOGXVhtwQ2r/dz8iue8ACgl11u cZVd5wEmWbzAZQ7koRjMc0E= =S5S7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Wed Feb 27 20:51:40 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 27 20:53:02 2008 Subject: http proxy:suggestion In-Reply-To: <223f97700802270544xf5d381ax94fc2c832527aeb5@mail.gmail.com> References: <625385e30802220713q62356e8er3952fdc377fa236c@mail.gmail.com> <47BEFA91.1010200@ecs.soton.ac.uk> <056c01c87584$110bd4a0$0301a8c0@SAHOMELT> <087d01c87876$bcfeac20$0301a8c0@SAHOMELT> <223f97700802260645q2307f835t596055b1f070d7fa@mail.gmail.com> <08d601c8788d$18ebfd60$0301a8c0@SAHOMELT> <223f97700802261423j6dd985c5he962bbf0aeb11144@mail.gmail.com> <0b7901c87942$e2305580$0301a8c0@SAHOMELT> <223f97700802270544xf5d381ax94fc2c832527aeb5@mail.gmail.com> Message-ID: on 2/27/2008 5:44 AM Glenn Steen spake the following: > On 27/02/2008, Rick Cooper wrote: >> >> > -----Original Message----- >> > From: mailscanner-bounces@lists.mailscanner.info >> > [mailto:mailscanner-bounces@lists.mailscanner.info] On >> > Behalf Of Glenn Steen >> >> > Sent: Tuesday, February 26, 2008 5:24 PM >> > To: MailScanner discussion >> > Subject: Re: http proxy:suggestion >> > >> > On 26/02/2008, Rick Cooper wrote: >> > > >> > > >> > > > -----Original Message----- 
>> > > > From: mailscanner-bounces@lists.mailscanner.info >> > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On >> > > >> > > > Behalf Of Glenn Steen >> > > > Sent: Tuesday, February 26, 2008 9:45 AM >> > > > To: MailScanner discussion >> > > >> >> [...] >> > > >> > I'm with you all the way Rick, no argument. My sh -c ... thingie >> > pertains to use in a crontab, to be just that ... upgrade friendly;-) >> > If the cron version you use don't support setting environment, then >> > call a shell explicitly that does... oldest "trick" (and very >> > basic/simple) in the book:-). >> > So there really is no argument from me. >> > I to have a vague recollection (and am too lazy to look through the >> > thread:-) of someone mentioning debian.... well, if James does the >> > repo thing to ... freshen... things in that department, he can do the >> > similar thing for that packaging that Jules would do for the >> > sysconfig >> > thing (and J-P for the FBSD port ... :-)... And Peter for the >> > blastwave ...:D >> > >> >> >> I was under the impression that MS wrote the cron entries, but I guess that >> would work anyway if he just added the prepend. I guess the whole question >> just doesn't seem to me a MailScanner item. If MS cannot access the web what >> other issues are likely to occur with other software now/down the road. This >> issue just seem to be a SysOp (does any one use that term any more?) issue >> not a MS issue. > > Yes, definitely, more a SysAdm/SysOp issue, and just possibly (evry > remotly, depending of course on focus) an issue concerning > packaging... > > And then there were two dinosaurs on the list... (Since I know what > you mean by "SysOp" and have been known to use the term > (recently)...:-) > >> Rick >> > > Cheers Glenn, You can't be "that" old. You can still see a keyboard, and I see many posts from you long after 6:00 PM your time ;-P -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!!

From v at vladville.com Wed Feb 27 21:04:18 2008
From: v at vladville.com (Vlad Mazek) Date: Wed Feb 27 21:04:53 2008 Subject: Somewhat OT: Clustering and HA In-Reply-To: <47C4432A.7060703@ecs.soton.ac.uk> References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> Message-ID: Keep in mind that if you have more than 4 MX records in round robin the lookup will only return four, throwing the load balancing a bit out of skew. Linux HA with lvs is dead easy to configure and can do quite a bit with cheap hardware. -Vlad On 2/26/08, Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You don't need NFS and locking to run a MailScanner cluster. You just > have n independent MX servers all with the same MX priority (or 1 MX > record pointing to multiple A records), and have them deliver onwards to > the same mail servers for client email access. > Don't start trying to share queues between multiple machines: it's > asking for trouble, a nightmare to manage reliably and unnecessary. > That's my opinion, anyway :-) > > > Alex Neuman wrote: > > Dear list, > > > > From time to time people have been discussing how to set up > > MailScanner so that you can get a highly-available configuration. NFS > > and locking have been discussed along with other details regarding how > > "shared" the configuration is between clusters. > > > > I'd like to see if it would be possible to use a "pretty standard" > > config of centos(or > > rh)+ms+sendmail+dovecot+clamav+spamassassin+mailwatch(maybe)/etc. and > > how I could either "install from scratch" as a cluster or possibly > > "upconvert" one. > > > > Any docs you might suggest where one would look at different Linux > > clustering scenarios, so I can pick it up from there? I could document > > my progress on the list or the wiki. > > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! 
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
-Vlad

From ssilva at sgvwater.com Wed Feb 27 21:15:17 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Feb 27 21:16:07 2008
Subject: Having one config file per domain support in MailScanner ?
In-Reply-To:
References: <76074.43497.qm@web33306.mail.mud.yahoo.com> <47C3B82D.5030706@vanderkooij.org>
Message-ID:

on 2/27/2008 5:26 AM Ugo Bellavance spake the following:
> Hugo van der Kooij wrote:
>> Michael Mansour wrote:
>> | Hi,
>> |
>> | Does MailScanner support having one config per domain?
>> | ie. instead of putting everything into the one config
>> | file like:
>> |
>> | /etc/MailScanner/rules/someMSoption.rules
>> | From: blah@domain1.com no
>> | From: blah@domain2.com no
>> | FromOrTo: default yes
>> |
>> | you can have it like:
>> |
>> | /etc/MailScanner/rules/MSoption1.rules
>> | From: blah@domain1.com no
>> | FromOrTo: default yes
>> |
>> | /etc/MailScanner/rules/MSoption1.rules
>> | From: blah@domain2.com no
>> | FromOrTo: default yes
>>
>> But what does one gain this way? (Besides from your duplicate use of the
>> same file ;-) And how do you expect it to behave? Because you redefined
>> the default.
>>
>> I could see some logic in getting the data from SQL instead of fixed
>> files. Then you can fill the table anyway you like it.
>>
>> In fact about 5 minutes after I installed MailWatch I started to itch to
>> add a lot of tables to the database and write up some code to make use
>> of it. But as MailWatch 2.0 was just under development I decided to sit
>> it out. I am not sure how much of it is going to be in MailWatch 2.0 but
>> ~ that would be my way to work the issue.
>
> Wise decision. MW 2.0 should be out soon.
>

I have been hearing that same song for a while now. I'm tired of the single, release the whole album already! ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From alex at nkpanama.com Wed Feb 27 21:56:59 2008
From: alex at nkpanama.com (Alex Neuman) Date: Wed Feb 27 21:58:24 2008 Subject: Somewhat OT: Clustering and HA In-Reply-To: References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> Message-ID: <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com> On Feb 27, 2008, at 4:04 PM, Vlad Mazek wrote: > Keep in mind that if you have more than 4 MX records in round robin > the lookup will only return four, throwing the load balancing a bit > out of skew. Linux HA with lvs is dead easy to configure and can do > quite a bit with cheap hardware. Can you please direct me to a good "howto" or "cookbook" on Linux HA? I've looked around and most are either too specific or outdated. From ssilva at sgvwater.com Wed Feb 27 22:05:59 2008 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Feb 27 22:06:48 2008
Subject: phishing_bad_sites broken?
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2A7A73AD@commssrv01.computerservicecentre.com>
References: <47C588D0.5010401@ecs.soton.ac.uk> <47C593D8.3070305@ecs.soton.ac.uk> <3D9C92F3075F5144B46AA2C590F48E2A7A73AD@commssrv01.computerservicecentre.com>
Message-ID:

on 2/27/2008 8:59 AM Hostmaster spake the following:
>> Current news appears to be this:
>>
>> I suppose you could say that for some reason, 500k mailservers across the globe
> to decided to get >that file at the same time yesterday and effectively DDOSd
> the server www.mailscanner.eu sits on
> This might just be my suspicious mind, but could this be a "probe"? Lets face
> it, MailScanner is one of the widest-distributed wrappers for anti-spam. Say I
> was running a botnet, wanted to send a lot of phishing emails out, and naturally
> wanted to improve my chances of my phishing emails getting through. If I attack
> the centralised system which distributes recognised phishing URL's to a major
> spam filtering wrapper, my chances of getting my malicious emails goes up,
> doesn't it?
>
> I'v got some spare tin foil hats if anyone wants one....
>

Since mailscanner uses a local copy of this file, it only prevents an update. So your local copy will be a few days old, but still work.

PS... I prefer stuffing tinfoil into a regular hat. It is much thicker, and the random folds and crinkles scatter the mind probes better! And you get less stares and finger pointing. ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From glenn.steen at gmail.com Wed Feb 27 23:40:54 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 27 23:41:30 2008 Subject: Somewhat OT: Clustering and HA In-Reply-To: <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com> References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com> Message-ID: <223f97700802271540i7c537f7aw4688a543ba608a48@mail.gmail.com> On 27/02/2008, Alex Neuman wrote: > > On Feb 27, 2008, at 4:04 PM, Vlad Mazek wrote: > > > Keep in mind that if you have more than 4 MX records in round robin > > the lookup will only return four, throwing the load balancing a bit > > out of skew. Linux HA with lvs is dead easy to configure and can do > > quite a bit with cheap hardware. > > > Can you please direct me to a good "howto" or "cookbook" on Linux HA? > I've looked around and most are either too specific or outdated. > Um, what's wrong with linux-ha.org and heartbeat (perhaps in conjunction with lvs...)? Seems active enough, and from a HA perspective... spot on...:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at lubik.ca Thu Feb 28 03:00:11 2008 
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Feb 28 03:01:10 2008 Subject: Somewhat OT: Clustering and HA In-Reply-To: <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com> References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com> Message-ID: Alex Neuman wrote: > > On Feb 27, 2008, at 4:04 PM, Vlad Mazek wrote: > >> Keep in mind that if you have more than 4 MX records in round robin >> the lookup will only return four, throwing the load balancing a bit >> out of skew. Linux HA with lvs is dead easy to configure and can do >> quite a bit with cheap hardware. > > Can you please direct me to a good "howto" or "cookbook" on Linux HA? > I've looked around and most are either too specific or outdated. > http://www.howtoforge.com/high_availability_heartbeat_centos From ugob at lubik.ca Thu Feb 28 03:03:28 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Feb 28 03:05:17 2008 Subject: phishing_bad_sites broken? In-Reply-To: <47C593D8.3070305@ecs.soton.ac.uk> References: <47C588D0.5010401@ecs.soton.ac.uk> <47C593D8.3070305@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Current news appears to be this: > > I suppose you could say that for some reason, 500k mailservers across the globe to decided to get that file at the same time yesterday and effectively DDOSd the server www.mailscanner.eu sits on Probably not all mailservers. Might be a good idea to run apf on its server (iptables wrapper) if possible, and use spamhaus's drop list and dshield's top ten reject feature. From ugob at lubik.ca Thu Feb 28 03:00:55 2008 
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Feb 28 03:10:14 2008 Subject: Having one config file per domain support in MailScanner ? In-Reply-To: References: <76074.43497.qm@web33306.mail.mud.yahoo.com> <47C3B82D.5030706@vanderkooij.org> Message-ID: Scott Silva wrote: > on 2/27/2008 5:26 AM Ugo Bellavance spake the following: >> Hugo van der Kooij wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Michael Mansour wrote: >>> | Hi, >>> | >>> | Does MailScanner support having one config per domain? >>> | ie. instead of putting everything into the one config >>> | file like: >>> | >>> | /etc/MailScanner/rules/someMSoption.rules >>> | From: blah@domain1.com no >>> | From: blah@domain2.com no >>> | FromOrTo: default yes >>> | >>> | you can have it like: >>> | >>> | /etc/MailScanner/rules/MSoption1.rules >>> | From: blah@domain1.com no >>> | FromOrTo: default yes >>> | >>> | /etc/MailScanner/rules/MSoption1.rules >>> | From: blah@domain2.com no >>> | FromOrTo: default yes >>> >>> But what does one gain this way? (Besides from your duplicate use of the >>> same file ;-) And how do you expect it to behave? Because you redefined >>> the default. >>> >>> I could see some logic in getting the data from SQL instead of fixed >>> files. Then you can fill the table anyway you like it. >>> >>> In fact about 5 minutes after I installed MailWatch I started to itch to >>> add a lot of tables to the database and write up some code to make use >>> of it. But as MailWatch 2.0 was just under development I decided to sit >>> it out. I am not sure how much of it is going to be in MailWatch 2.0 but >>> ~ that would be my way to work the issue. >> >> Wise decision. MW 2.0 should be out soon. >> > I have been hearing that same song for a while now. I'm tired of the > single, release the whole album already! ;-P Are you willing to do some testing? Ugo From alex at nkpanama.com Thu Feb 28 03:21:21 2008 
From: alex at nkpanama.com (Alex Neuman)
Date: Thu Feb 28 03:22:47 2008
Subject: Somewhat OT: Clustering and HA
In-Reply-To:
References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com>
Message-ID: <1C079A14-DFE8-40AC-81FF-DBFED531FAA1@nkpanama.com>

Thanks!

On Feb 27, 2008, at 10:00 PM, Ugo Bellavance wrote:
> http://www.howtoforge.com/high_availability_heartbeat_centos

From Phil.Udel at SalemCorp.com Thu Feb 28 13:26:49 2008
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Thu Feb 28 13:27:42 2008
Subject: Email Statistics
Message-ID: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com>

I have been looking at my stats, I was curious what other people get

Currently doing about 100,000 emails a month with a 77% Spam hit.

Also many of my users have a 90% spam Hit.

Is that normal or average?

We are an average company with about 250 mail boxes

From hfleming at moosebird.net Thu Feb 28 13:30:13 2008
From: hfleming at moosebird.net (Howard Fleming) Date: Thu Feb 28 13:30:38 2008 Subject: Logwatch file being tagged as a virus file and deleted In-Reply-To: <1C079A14-DFE8-40AC-81FF-DBFED531FAA1@nkpanama.com> References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com> <1C079A14-DFE8-40AC-81FF-DBFED531FAA1@nkpanama.com> Message-ID: <47C6B765.1000705@moosebird.net> Is there any way to exclude a email address from being scanned for viruses? For the last 3 days my logwatch file from my mail server has been deleted, and I get the following: Sender: root@messenger.mideasti.org IP Address: 127.0.0.1 Recipient: hfleming@mideasti.org Subject: LogWatch for messenger.mideasti.org MessageID: F254D540E8.78B90 Quarantine: Report: Clamd: message was infected: Email.Phishing.DblDom-39 FOUND I have added root@messenger.mideasti.org to phishing.safe.sites.conf, but it did not make any difference (or is this the right place?). Thanks, Howard From admin at lctn.org Thu Feb 28 13:49:45 2008 From: admin at lctn.org (Raymond Norton) Date: Thu Feb 28 13:50:37 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <47C6BBF9.1050808@lctn.org> > > Is that normal or average? > > > > We are a average company with about 250 mail boxes > That would be normal if you haven't configured your MTA to block non-rfc compliant mail servers, check spam lists, etc... That alone can change your numbers to 60% good, 40% spam From vernon at comp-wiz.com Thu Feb 28 13:55:38 2008 From: vernon at comp-wiz.com (Vernon Webb) Date: Thu Feb 28 13:56:31 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <03e801c87a11$9b800430$d2800c90$@com> How the heck does someone look at their stats? 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Thursday, February 28, 2008 8:27 AM To: mailscanner@lists.mailscanner.info Subject: Email Statistics I have been looking at my stats, I was curious what other people get Current doing about 100,000 emails a month with a 77% Spam hit. Also many of my users have a 90% spam Hit. Is that normal or average? We are a average company with about 250 mail boxes From steve at fsl.com Thu Feb 28 14:11:12 2008 From: steve at fsl.com (Stephen Swaney) Date: Thu Feb 28 14:11:53 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <47C6C100.2040300@fsl.com> Phil Udel wrote: > > I have been looking at my stats, I was curious what other people get > > Current doing about 100,000 emails a month with a 77% Spam hit. > > Also many of my users have a 90% spam Hit. > > > > Is that normal or average? > > > > We are a average company with about 250 mail boxes > Phil, Sounds about right but 77% is on the low side. We're seeing that these numbers vary from site to site, from a low of around 80% to a high of 99% with the average being over 90%. Steve Steve Swaney steve@fsl.com www.fsl.com From list-mailscanner at linguaphone.com Thu Feb 28 14:11:45 2008
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Feb 28 14:12:22 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <1204207905.16349.27.camel@gblades-suse.linguaphone-intranet.co.uk> Sounds a bit low. I am sure I get over 99%. Have a look at my config at http://www.gbnetwork.co.uk/mailscanner to see if there are any additional rules or plugins you could be using. On Thu, 2008-02-28 at 13:26, Phil Udel wrote: > I have been looking at my stats, I was curious what other people get > > Current doing about 100,000 emails a month with a 77% Spam hit. > > Also many of my users have a 90% spam Hit. > > > > Is that normal or average? > > > > We are a average company with about 250 mail boxes From glenn.steen at gmail.com Thu Feb 28 14:56:24 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Feb 28 14:57:00 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <223f97700802280656v1254debfh329b933d8ad81e7c@mail.gmail.com> On 28/02/2008, Phil Udel wrote: > > > > > I have been looking at my stats, I was curious what other people get > > Current doing about 100,000 emails a month with a 77% Spam hit. > > Also many of my users have a 90% spam Hit. > > > > Is that normal or average? > Gut feeling? That seems pretty reasonable (!)... I have c:a 65 users (slightly more mailboxes), that receive about 2500 valid mails/day, and we have a steady influx of somewhere between 10-11k messages/day... Lots of lists to the analysts, likewise loads of cr*p:-). You have more users, but about the same percentage, it seems. > We are a average company with about 250 mail boxes Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dstraka at caspercollege.edu Thu Feb 28 15:00:22 2008 
From: dstraka at caspercollege.edu (Daniel Straka) Date: Thu Feb 28 15:01:39 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <47C66A16.61A4.0000.0@caspercollege.edu> >>> On 2/28/2008 at 6:26 AM, in message <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com>, "Phil Udel" wrote: > I have been looking at my stats, I was curious what other people get > > Current doing about 100,000 emails a month with a 77% Spam hit. > > Also many of my users have a 90% spam Hit. > > Is that normal or average? > > We are a average company with about 250 mail boxes For January my Logwatch files indicated 732,405 messages with 81% SPAM This is a 2-year College with 475 users I don't run Pyzor or DCC because I don't know how to set them up I use these RBL's: spamhaus-ZEN spamcop.net SORBS-SPAM Users still see a lot of SPAM just due to the volume we get for 475 users -- Dan Straka Systems Coordinator Casper College 307.268.2399 www.caspercollege.edu From mark at msapiro.net Thu Feb 28 15:01:13 2008 
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Feb 28 15:01:52 2008
Subject: Logwatch file being tagged as a virus file and deleted
In-Reply-To: <47C6B765.1000705@moosebird.net>
Message-ID:

Howard Fleming wrote:

>Is there any way to exclude a email address from being scanned for
>viruses? For the last 3 days my logwatch file from my mail server has
>been deleted, and I get the following:
>
>    Sender: root@messenger.mideasti.org
>IP Address: 127.0.0.1
> Recipient: hfleming@mideasti.org
>   Subject: LogWatch for messenger.mideasti.org
> MessageID: F254D540E8.78B90
>Quarantine:
>    Report: Clamd: message was infected: Email.Phishing.DblDom-39 FOUND
>
>I have added root@messenger.mideasti.org to phishing.safe.sites.conf,
>but it did not make any difference (or is this the right place?).

I had the same issue when I first installed Mailscanner. My solution is
to put

Scan Messages = %rules-dir%/scan.messages.rules

in MailScanner.conf and then put

From:       127.0.0.1   no
FromOrTo:   default     yes

in scan.messages.rules.

You may not want to exempt all mail originating from localhost, so you
may want a more restrictive rule.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From stef at aoc-uk.com Thu Feb 28 15:11:30 2008
From: stef at aoc-uk.com (Stef Morrell)
Date: Thu Feb 28 15:12:53 2008
Subject: Email Statistics
In-Reply-To:
References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com>
Message-ID: <200802281512.m1SFCEYF031908@safir.blacknight.ie>

One generally checks one's stats by logfile analysis, using something
like logwatch.

Stef

Stefan Morrell     | Operations Director
Tel: 0845 3452820  | Alpha Omega Computers Ltd
Fax: 0845 3452830  | Incorporating Level 5 Internet
stef@aoc-uk.com    | stef@l5net.net

Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon Webb Sent: 28 February 2008 13:56 To: 'MailScanner discussion' Subject: RE: Email Statistics How the heck does someone look at their stats? From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Thursday, February 28, 2008 8:27 AM To: mailscanner@lists.mailscanner.info Subject: Email Statistics I have been looking at my stats, I was curious what other people get Current doing about 100,000 emails a month with a 77% Spam hit. Also many of my users have a 90% spam Hit. Is that normal or average? We are a average company with about 250 mail boxes From martinh at solidstatelogic.com Thu Feb 28 15:12:56 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Feb 28 15:13:34 2008 Subject: Email Statistics In-Reply-To: <03e801c87a11$9b800430$d2800c90$@com> Message-ID: <6620e1e04d334944b0e4a637db61953e@solidstatelogic.com> Vernon Depends on what package you use to collate the stats ;-) http://wiki.mailscanner.info/doku.php?id=&idx=documentation:related_software:stats -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Vernon Webb > Sent: 28 February 2008 13:56 > To: MailScanner discussion > Subject: RE: Email Statistics > > How the heck does someone look at their stats?
> > > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Phil Udel > Sent: Thursday, February 28, 2008 8:27 AM > To: mailscanner@lists.mailscanner.info > Subject: Email Statistics > > > > I have been looking at my stats, I was curious what other people get > > Current doing about 100,000 emails a month with a 77% Spam hit. > > Also many of my users have a 90% spam Hit. > > > > Is that normal or average? > > > > We are a average company with about 250 mail boxes From MailScanner at ecs.soton.ac.uk Thu Feb 28 15:21:55 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 28 15:22:45 2008 Subject: Email Statistics In-Reply-To: <47C6C100.2040300@fsl.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> <47C6C100.2040300@fsl.com> Message-ID: <47C6D193.7030007@ecs.soton.ac.uk> Stephen Swaney wrote: > Phil Udel wrote: >> >> I have been looking at my stats, I was curious what other people get >> >> Current doing about 100,000 emails a month with a 77% Spam hit. >> >> Also many of my users have a 90% spam Hit. >> >> >> >> Is that normal or average? >> >> >> >> We are a average company with about 250 mail boxes >> > Phil, > > Sounds about right but 77% is on the low side. We're seeing that these > numbers vary from site to site, from a low of around 80% to a high of > 99% with the average being over 90%. With 2,000 educational users, I see only about 70% spam. So it does vary quite a lot. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From uxbod at splatnix.net Thu Feb 28 15:30:31 2008
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Feb 28 15:31:25 2008 Subject: Email Statistics In-Reply-To: <1204207905.16349.27.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <30135170.1281204212631594.JavaMail.root@office.splatnix.net> Justin's rules are pretty good for the latest stuff :- http://wiki.apache.org/spamassassin/SoughtRules Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Gareth" wrote: > Sounds a bit low. I am sure I get over 99%. > Have a look at my config at http://www.gbnetwork.co.uk/mailscanner to > see if there are any additional rules or plugins you could be using. > > On Thu, 2008-02-28 at 13:26, Phil Udel wrote: From list-mailscanner at linguaphone.com Thu Feb 28 15:34:45 2008
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Feb 28 15:35:23 2008 Subject: Email Statistics In-Reply-To: <1204207905.16349.27.camel@gblades-suse.linguaphone-intranet.co.uk> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> <1204207905.16349.27.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <1204212885.16353.33.camel@gblades-suse.linguaphone-intranet.co.uk> Oops I thought you meant the spam detection rate and not the overall percentage of spam you receive. I think we receive about 40% spam but I do have the spamhaus RBL configured in postfix which rejects about 80% of spam before receipt. On Thu, 2008-02-28 at 14:11, Gareth wrote: > Sounds a bit low. I am sure I get over 99%. > Have a look at my config at http://www.gbnetwork.co.uk/mailscanner to > see if there are any additional rules or plugins you could be using. > > On Thu, 2008-02-28 at 13:26, Phil Udel wrote: > > I have been looking at my stats, I was curious what other people get > > > > Current doing about 100,000 emails a month with a 77% Spam hit. > > > > Also many of my users have a 90% spam Hit. > > > > > > > > Is that normal or average? > > > > > > > > We are a average company with about 250 mail boxes From uxbod at splatnix.net Thu Feb 28 15:37:51 2008
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Feb 28 15:38:47 2008 Subject: Email Statistics In-Reply-To: <223f97700802280656v1254debfh329b933d8ad81e7c@mail.gmail.com> Message-ID: <7798330.1371204213071114.JavaMail.root@office.splatnix.net> 94% here. 150k emails per day. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Glenn Steen" wrote: > On 28/02/2008, Phil Udel wrote: From richard.frovarp at sendit.nodak.edu Thu Feb 28 15:38:39 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp) Date: Thu Feb 28 15:39:16 2008 Subject: Somewhat OT: Clustering and HA In-Reply-To: <223f97700802271540i7c537f7aw4688a543ba608a48@mail.gmail.com> References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com> <223f97700802271540i7c537f7aw4688a543ba608a48@mail.gmail.com> Message-ID: <47C6D57F.5030608@sendit.nodak.edu> Glenn Steen wrote: > On 27/02/2008, Alex Neuman wrote: > >> On Feb 27, 2008, at 4:04 PM, Vlad Mazek wrote: >> >> > Keep in mind that if you have more than 4 MX records in round robin >> > the lookup will only return four, throwing the load balancing a bit >> > out of skew. Linux HA with lvs is dead easy to configure and can do >> > quite a bit with cheap hardware. >> >> >> Can you please direct me to a good "howto" or "cookbook" on Linux HA? >> I've looked around and most are either too specific or outdated. >> >> > Um, what's wrong with linux-ha.org and heartbeat (perhaps in > conjunction with lvs...)? > Seems active enough, and from a HA perspective... spot on...:) > > Cheers > lvs doesn't support IPv6 at the moment and it doesn't look like any work is being done in that direction. So that may be a drawback of that project. We're currently looking for a replacement due to this fact. From bbecken at aafp.org Thu Feb 28 15:54:42 2008 
From: bbecken at aafp.org (Brad Beckenhauer) Date: Thu Feb 28 15:55:27 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <47C684E2.D87E.0068.3@aafp.org> Hi Phil, 88% of our email scores between 6 points and 15 points. 93% of that same email scores over 15 points. Brad >>> "Phil Udel" 2/28/2008 7:26 AM >>> I have been looking at my stats, I was curious what other people get Current doing about 100,000 emails a month with a 77% Spam hit. Also many of my users have a 90% spam Hit. Is that normal or average? We are a average company with about 250 mail boxes From Kevin_Miller at ci.juneau.ak.us Thu Feb 28 16:02:32 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Feb 28 16:02:09 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: Do you mean that you're catching spam at about the 77% rate, or that of the mail that gets through about 77% of it is still spam? I have two active mailscanners at the moment. At the moment, the main one displays (per MailWatch) a high scoring catch rate of 72.6% and spam of 5.3. My lower priority mail server seems to be purposely targeted by spammers and I see a 97% hit rate on it for high score spam, and 1.6% for regular spam. It has a much lower connection count than my regular server which indicates my main server is pretty much able to keep up w/the inbound load so the traffic I see on the tier 2 server is probably almost exclusively spam targeted at that server. Spammers often try to hit the servers w/less priority. I guess they figure they're less likely to be up to date or something. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Thursday, February 28, 2008 4:27 AM To: mailscanner@lists.mailscanner.info Subject: Email Statistics I have been looking at my stats, I was curious what other people get Current doing about 100,000 emails a month with a 77% Spam hit. Also many of my users have a 90% spam Hit. Is that normal or average? We are a average company with about 250 mail boxes From ugob at lubik.ca Thu Feb 28 16:07:31 2008
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Feb 28 16:08:25 2008 Subject: Email Statistics In-Reply-To: <03e801c87a11$9b800430$d2800c90$@com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> <03e801c87a11$9b800430$d2800c90$@com> Message-ID: Vernon Webb wrote: > How the heck does someone look at their stats? > http://wiki.mailscanner.info/doku.php?id=&idx=documentation:related_software Logwatch is also a good candidate. Ugo > > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Phil Udel > *Sent:* Thursday, February 28, 2008 8:27 AM > *To:* mailscanner@lists.mailscanner.info > *Subject:* Email Statistics > > > > I have been looking at my stats, I was curious what other people get > > Current doing about 100,000 emails a month with a 77% Spam hit. > > Also many of my users have a 90% spam Hit. > > > > Is that normal or average? > > > > We are a average company with about 250 mail boxes > > > > > -- > This message has been scanned for viruses and > dangerous content by *comp-wiz.com* web > hosting & design, > and is believed to be clean. > From ssilva at sgvwater.com Thu Feb 28 16:09:55 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Feb 28 16:10:19 2008 Subject: Another attack to fight off Message-ID: I see a new reason to block OoO replies; It seems that spammers are using legitimate webmail accounts to bounce their garbage via OoO replies. Just fake the sender, and suddenly you have spam with legitimate DKIM sigs, valid SPF, and maybe even whitelists. http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html Filthy spammers! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Denis.Beauchemin at USherbrooke.ca Thu Feb 28 16:43:23 2008 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Feb 28 16:44:07 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <47C6E4AB.7060802@USherbrooke.ca> Phil Udel wrote: > > I have been looking at my stats, I was curious what other people get > > Current doing about 100,000 emails a month with a 77% Spam hit. > > Also many of my users have a 90% spam Hit. > > > > Is that normal or average? > > > > We are a average company with about 250 mail boxes > For January: emails: 7337089; spam: 6348633 (86.5%) So far in February: emails: 5701710; spam: 4735554 (83.1%), Denis -- _ °v° Denis Beauchemin, analyst /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From Kevin_Miller at ci.juneau.ak.us Thu Feb 28 17:39:31 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Feb 28 17:39:07 2008 Subject: Another attack to fight off In-Reply-To: References: Message-ID: Scott Silva wrote: > I see a new reason to block OoO replies; > > It seems that spammers are using legitimate webmail accounts to > bounce their garbage via OoO replies. Just fake the sender, and > suddenly you have spam with legitimate DKIM sigs, valid SPF, and > maybe even whitelists. > > http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html > > Filthy spammers! Dang those boys are clever. Imagine if they turned their creativity to world peace and cheap, clean energy. Too bad there's no money in that. So how are you blocking OoO replies? There a spamassassin ruleset for that or what? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From gmatt at nerc.ac.uk Thu Feb 28 17:46:46 2008
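One way to recognise the out-of-office replies discussed in this thread before deciding how to handle them, as an added example (not code from MailScanner, SpamAssassin or any poster). It flags auto-replies by the RFC 3834 Auto-Submitted header with older fallbacks, then separates replies to mail the site really sent from replies triggered by a forged sender by checking In-Reply-To/References against outbound Message-IDs. The function names, the subject patterns, the outbound-ID set and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string

# Subject prefixes used by common vacation responders (assumed list; tune per site).
OOO_SUBJECT = re.compile(r"^\s*(out of (the )?office|auto(matic)?[ -]?reply)\b", re.I)
MSG_ID = re.compile(r"<[^<>\s]+>")


def is_auto_reply(msg):
    """True if the message identifies itself as an automatic response."""
    # RFC 3834: "no" means written by a person, any other value means machine-generated.
    auto = (msg.get("Auto-Submitted") or "").split(";")[0].strip().lower()
    if auto:
        return auto != "no"
    # Responders that predate RFC 3834 may only set Precedence or a stock subject.
    if (msg.get("Precedence") or "").strip().lower() == "auto_reply":
        return True
    return bool(OOO_SUBJECT.search(msg.get("Subject") or ""))


def classify(raw, outbound_ids):
    """Return 'normal', 'auto-reply' or 'backscatter' for one raw message.

    outbound_ids is the set of Message-IDs this site actually sent (assumed to be
    collected from the MTA log). A genuine out-of-office answers one of those; an
    auto-reply citing none of them was triggered by mail forged in our name.
    """
    msg = message_from_string(raw)
    if not is_auto_reply(msg):
        return "normal"
    cited = " ".join(filter(None, (msg.get("In-Reply-To"), msg.get("References"))))
    return "auto-reply" if set(MSG_ID.findall(cited)) & outbound_ids else "backscatter"


# Constructed sample data: one Message-ID we sent, and four inbound messages.
OUTBOUND_IDS = {"<20080228.1001@mail.example.org>"}

GENUINE = (
    "From: colleague@partner.example\n"
    "To: alice@example.org\n"
    "Subject: Out of Office: Re: Q1 report\n"
    "Auto-Submitted: auto-replied\n"
    "In-Reply-To: <20080228.1001@mail.example.org>\n"
    "\n"
    "I am away until Monday.\n"
)
FORGED = (
    "From: someone@webmail.example\n"
    "To: bob@example.org\n"
    "Subject: Auto: Re: Special offer\n"
    "Auto-Submitted: auto-replied; owner-email=someone@webmail.example\n"
    "In-Reply-To: <never-sent-by-us@elsewhere.example>\n"
    "\n"
    "I am on holiday. Your message said: (original text quoted here)\n"
)
LEGACY = (
    "From: other@webmail.example\n"
    "To: bob@example.org\n"
    "Subject: Out of office\n"
    "\n"
    "Back next week.\n"
)
NORMAL = (
    "From: colleague@partner.example\n"
    "To: alice@example.org\n"
    "Subject: Re: Q1 report\n"
    "In-Reply-To: <20080228.1001@mail.example.org>\n"
    "\n"
    "Thanks, looks fine.\n"
)

if __name__ == "__main__":
    for name, raw in [("GENUINE", GENUINE), ("FORGED", FORGED),
                      ("LEGACY", LEGACY), ("NORMAL", NORMAL)]:
        print(name, classify(raw, OUTBOUND_IDS))
```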
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Thu Feb 28 17:47:39 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> Message-ID: <47C6F386.3080509@nerc.ac.uk> Scott Silva wrote: > on 2/26/2008 1:32 PM Julian Field spake the following: >> Does this only happen with the ClamAVModule scanner? >> > I just had some time to look at my systems and I am not seeing this. > > Back in December I saw the report change from > > Dec 30 05:38:03 mail MailScanner[28877]: ClamAV Module::INFECTED:: > Email.Hdr.San > esecurity.07091600:: ./lBUDb5e1031892/ > > to > > Feb 26 15:30:02 mail MailScanner[17626]: ClamAVModule::INFECTED:: > Email.Spam.Gen > 2443.Sanesecurity.08020714:: ./m1QNTefQ019501/ hmmm... weird, so it works ok for you - what version of MS? can you send me the SweepViruses.pm for comparison? > > Just the space between ClamAV and Module. > > Maybe there was some change in the perl logging module? my virus.scanners.conf has: clamav /usr/lib/MailScanner/clamav-wrapper /usr/local clamd /bin/false /usr/local clamavmodule /bin/false /tmp which seems ok to me, clam is installed under /usr/local. The hosts are bog standard CentOS 4.6. GREG > -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford From v at vladville.com Thu Feb 28 17:49:24 2008
From: v at vladville.com (Vlad Mazek) Date: Thu Feb 28 17:49:58 2008 Subject: MailScanner and multiple incoming queue dirs Message-ID: Got a bit of a incoming queue dir issue that I was hoping someone could clear up for me. I have MailScanner running with sendmail using split queues. MailScanner Incoming Queue Dir should support a filename (supposedly also a function?) containing a list of inbound queues. However, when I fire it up with the file (or function) I get this: Starting MailScanner daemons: incoming sendmail: 451 4.0.0 can not chdir(/etc/MailScanner/rules/mqueue.in.list.conf/): Not a directory [ OK ] My first question is, how do I make MailScanner pass the proper directories back to sendmail so it doesn't bark at startup (sendmail basically dies and cuts off inbound mail). The second question is about the processing priorities.. Does MailScanner process multiple queues concurrently? Thanks for any help anyone may be able to offer. -Vlad From v at vladville.com Thu Feb 28 17:59:04 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 28 17:59:39 2008
Subject: Somewhat OT: Clustering and HA
In-Reply-To: <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com>
References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com>
Message-ID:

I pieced mine out of a few guides but there is an easier way to do this now
(assuming you're in RHEL / CentOS world) as Redhat developed a GUI for HA.
It's called Piranha:

www.centos.org/docs/5/html/Virtual_Server_Administration/ch-lvs-piranha-VSA.html

You can get the RPMs from DAG and the process is pretty simple (at least
mine is). I use direct path.

On the load balancer just modify the /etc/rc.d/ha/lvs.cf to setup your load
balancer and the virtual servers.

serial_no = 132
primary = 1.2.3.10
service = lvs
backup_active = 0
backup = 0.0.0.0
heartbeat = 1
heartbeat_port = 539
keepalive = 20
deadtime = 20
network = direct
debug_level = NONE
monitor_links = 0
virtual mailscanner {
     active = 1
     address = 1.2.3.5 eth0:1
     vip_nmask = 255.255.255.0
     port = 25
     use_regex = 0
     load_monitor = none
     scheduler = wrr
     protocol = tcp
     timeout = 20
     reentry = 30
     quiesce_server = 0
     server mailscanner1 {
         address = 1.2.3.1
         active = 1
         weight = 1
     }
     server mailscanner2 {
         address = 1.2.3.2
         active = 1
         weight = 1
     }
}

So here is the idea, your system runs on 1.2.3.10 and you're going to be
pointing the MX to 1.2.3.5 which will then deliver mail down to the actual
mailscanner real servers 1.2.3.1 and 1.2.3.2; Just start pulse and you're
done.

Each node needs a loopback interface with the address of the virtual server
and 255.255.255.255 subnet mask.

/etc/sysconfig/network-scripts/ifcfg-lo:1

DEVICE=lo:1
IPADDR=1.2.3.5
NETMASK=255.255.255.255
ONBOOT=yes
NAME=loopback

Some more junk for sysctl.conf (comment out packet forwarding):

net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.ip_forward = 1

Hope that helps (and hope you want to replicate exactly what I have
otherwise there is reading involved).. :)

-Vlad

On 2/27/08, Alex Neuman wrote:
>
> On Feb 27, 2008, at 4:04 PM, Vlad Mazek wrote:
>
> > Keep in mind that if you have more than 4 MX records in round robin
> > the lookup will only return four, throwing the load balancing a bit
> > out of skew. Linux HA with lvs is dead easy to configure and can do
> > quite a bit with cheap hardware.
>
> Can you please direct me to a good "howto" or "cookbook" on Linux HA?
> I've looked around and most are either too specific or outdated.

From ajcartmell at fonant.com Thu Feb 28 18:01:06 2008
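A consistency check for the direct-routing setup in the message above, as an added example (not Piranha's or the poster's code). It parses the lvs.cf block syntax shown there and verifies that a real server holds the virtual address on its loopback alias with a host mask and has the ARP sysctls set, since a node that answers ARP for the virtual address can receive mail directly and bypass the director. The function names are hypothetical and the embedded files are constructed copies of the posted settings.

```python
import re

# Constructed copy of the director settings from the message (trimmed to what is checked).
LVS_CF = """\
primary = 1.2.3.10
network = direct
virtual mailscanner {
    active = 1
    address = 1.2.3.5 eth0:1
    vip_nmask = 255.255.255.0
    port = 25
    server mailscanner1 {
        address = 1.2.3.1
        active = 1
        weight = 1
    }
    server mailscanner2 {
        address = 1.2.3.2
        active = 1
        weight = 1
    }
}
"""

# Constructed copies of the real-server files from the message.
IFCFG_LO1 = "DEVICE=lo:1\nIPADDR=1.2.3.5\nNETMASK=255.255.255.255\nONBOOT=yes\nNAME=loopback\n"
SYSCTL = """\
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2
"""

REQUIRED_SYSCTL = {"arp_ignore": "1", "arp_announce": "2"}


def parse_lvs(text):
    """Parse lvs.cf into nested dicts; a block is stored under '<kind> <name>'."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        opener = re.fullmatch(r"(\w+)\s+(\S+)\s*\{", line)
        if opener:
            block = {}
            stack[-1][f"{opener.group(1)} {opener.group(2)}"] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block at end of file")
    return root


def parse_kv(text):
    """Parse key=value lines (ifcfg-* and sysctl.conf), skipping blanks and # comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def check_real_server(lvs_text, ifcfg_text, sysctl_text, iface="eth0"):
    """Return a list of findings; an empty list means the node matches the director."""
    lvs = parse_lvs(lvs_text)
    if lvs.get("network") != "direct":
        return ["lvs.cf: network is not 'direct'; these checks only apply to direct routing"]
    vips = {block["address"].split()[0] for name, block in lvs.items()
            if name.startswith("virtual ") and block.get("active") == "1"
            and block.get("address")}
    findings = []
    ifcfg = parse_kv(ifcfg_text)
    if ifcfg.get("IPADDR") not in vips:
        findings.append(f"loopback alias holds {ifcfg.get('IPADDR')}, not a VIP in {sorted(vips)}")
    if ifcfg.get("NETMASK") != "255.255.255.255":
        findings.append(f"loopback alias netmask is {ifcfg.get('NETMASK')}, expected 255.255.255.255")
    sysctl = parse_kv(sysctl_text)
    for scope in ("all", iface):
        for knob, want in REQUIRED_SYSCTL.items():
            key = f"net.ipv4.conf.{scope}.{knob}"
            if sysctl.get(key) != want:
                findings.append(f"{key} is {sysctl.get(key)}, expected {want}")
    return findings


if __name__ == "__main__":
    print(check_real_server(LVS_CF, IFCFG_LO1, SYSCTL) or "real server matches director")
```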
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Thu Feb 28 18:01:59 2008
Subject: Email Statistics
In-Reply-To: <47C6D193.7030007@ecs.soton.ac.uk>
References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> <47C6C100.2040300@fsl.com> <47C6D193.7030007@ecs.soton.ac.uk>
Message-ID:

> With 2,000 educational users, I see only about 70% spam.
> So it does vary quite a lot.

I'd have thought that spam-amount-per-user is very roughly constant, once the addresses are on all the big spammers' lists. So isn't the ratio much more affected by the volume of non-spam mail each user gets?

For example, someone with no mailing list subscriptions will get a much higher % spam than someone who subscribes to lots, if they both get the same number of spam messages.

Number of spams per day per user might be more interesting to compare between domains/installations, thus removing the number of non-spam messages from the comparison?

Anthony
--
www.fonant.com - Quality web sites

From MailScanner at ecs.soton.ac.uk Thu Feb 28 18:43:36 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 28 18:44:30 2008
Subject: small bug in 4.66.5 - log entries missing
In-Reply-To: <47C6F386.3080509@nerc.ac.uk>
References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> <47C6F386.3080509@nerc.ac.uk>
Message-ID: <47C700D8.70709@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greg Matthews wrote:
> Scott Silva wrote:
>> on 2/26/2008 1:32 PM Julian Field spake the following:
>>> Does this only happen with the ClamAVModule scanner?
>>>
>> I just had some time to look at my systems and I am not seeing this.
>>
>> Back in December I saw the report change from
>>
>> Dec 30 05:38:03 mail MailScanner[28877]: ClamAV Module::INFECTED:: Email.Hdr.Sanesecurity.07091600:: ./lBUDb5e1031892/
>>
>> to
>>
>> Feb 26 15:30:02 mail MailScanner[17626]: ClamAVModule::INFECTED:: Email.Spam.Gen2443.Sanesecurity.08020714:: ./m1QNTefQ019501/
>
> hmmm... weird, so it works ok for you - what version of MS? can you
> send me the SweepViruses.pm for comparison?
>
>>
>> Just the space between ClamAV and Module.
>>
>> Maybe there was some change in the perl logging module?
>
> my virus.scanners.conf has:
>
> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
> clamd /bin/false /usr/local
> clamavmodule /bin/false /tmp
>
> which seems ok to me, clam is installed under /usr/local. The hosts
> are bog standard CentOS 4.6.
>
> GREG
>
>>
>
>

I'm seeing this:

Feb 28 18:42:03 alegria MailScanner[7283]: Virus and Content Scanning: Starting
Feb 28 18:42:04 alegria MailScanner[7283]: ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./gBJNiNQG014777/
Feb 28 18:42:04 alegria MailScanner[7283]: ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./j279YpRC016236/
Feb 28 18:42:04 alegria MailScanner[7283]: ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./gBJNiNQG014777/eicar1.com
...
Feb 28 18:42:05 alegria MailScanner[7283]: Virus Scanning: ClamAVModule found 9 infections
Feb 28 18:42:05 alegria MailScanner[7283]: Infected message j279YpRC016236 came from 152.78.69.139
Feb 28 18:42:05 alegria MailScanner[7283]: Infected message gBJNiNQG014777 came from 152.78.236.133
Feb 28 18:42:05 alegria MailScanner[7283]: Virus Scanning: Found 9 viruses
Feb 28 18:42:05 alegria MailScanner[7283]: Virus Scanning completed at 1559 bytes per second

which all looks just fine to me. What differences are you seeing on your systems?

This is running on RHEL5 with clamavmodule as the only virus scanner.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: UTF-8

wj8DBQFHxwDaEfZZRxQVtlQRAjpSAJ0fT9XAB/AS/xDx9Ev7U0O9mndEegCgnVEu
gOMmQypvo3O8Ze7n+yH+WZE=
=qkWn
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Thu Feb 28 18:47:34 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 28 18:48:16 2008
Subject: small bug in 4.66.5 - log entries missing
In-Reply-To: <47C6F386.3080509@nerc.ac.uk>
References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> <47C6F386.3080509@nerc.ac.uk>
Message-ID:

on 2-28-2008 9:46 AM Greg Matthews spake the following:
> Scott Silva wrote:
>> on 2/26/2008 1:32 PM Julian Field spake the following:
>>> Does this only happen with the ClamAVModule scanner?
>>>
>> I just had some time to look at my systems and I am not seeing this.
>>
>> Back in December I saw the report change from
>>
>> Dec 30 05:38:03 mail MailScanner[28877]: ClamAV Module::INFECTED:: Email.Hdr.Sanesecurity.07091600:: ./lBUDb5e1031892/
>>
>> to
>>
>> Feb 26 15:30:02 mail MailScanner[17626]: ClamAVModule::INFECTED:: Email.Spam.Gen2443.Sanesecurity.08020714:: ./m1QNTefQ019501/
>
> hmmm... weird, so it works ok for you - what version of MS? can you send
> me the SweepViruses.pm for comparison?
>
CentOS 4.6
Mailscanner 4.66.5

I'll send sweepviruses.pm offlist if it's OK with you

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080228/1be58a60/signature.bin

From ssilva at sgvwater.com Thu Feb 28 18:54:59 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 28 18:55:15 2008
Subject: Having one config file per domain support in MailScanner ?
In-Reply-To:
References: <76074.43497.qm@web33306.mail.mud.yahoo.com> <47C3B82D.5030706@vanderkooij.org>
Message-ID:

on 2-27-2008 7:00 PM Ugo Bellavance spake the following:
> Scott Silva wrote:
>> on 2/27/2008 5:26 AM Ugo Bellavance spake the following:
>>> Hugo van der Kooij wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Michael Mansour wrote:
>>>> | Hi,
>>>> |
>>>> | Does MailScanner support having one config per domain?
>>>> | ie. instead of putting everything into the one config
>>>> | file like:
>>>> |
>>>> | /etc/MailScanner/rules/someMSoption.rules
>>>> | From: blah@domain1.com no
>>>> | From: blah@domain2.com no
>>>> | FromOrTo: default yes
>>>> |
>>>> | you can have it like:
>>>> |
>>>> | /etc/MailScanner/rules/MSoption1.rules
>>>> | From: blah@domain1.com no
>>>> | FromOrTo: default yes
>>>> |
>>>> | /etc/MailScanner/rules/MSoption1.rules
>>>> | From: blah@domain2.com no
>>>> | FromOrTo: default yes
>>>>
>>>> But what does one gain this way? (Besides from your duplicate use of
>>>> the
>>>> same file ;-) And how do you expect it to behave? Because you redefined
>>>> the default.
>>>>
>>>> I could see some logic in getting the data from SQL instead of fixed
>>>> files. Then you can fill the table anyway you like it.
>>>>
>>>> In fact about 5 minutes after I installed MailWatch I started to
>>>> itch to
>>>> add a lot of tables to the database and write up some code to make use
>>>> of it. But as MailWatch 2.0 was just under development I decided to sit
>>>> it out. I am not sure how much of it is going to be in MailWatch 2.0
>>>> but
>>>> ~ that would be my way to work the issue.
>>>
>>> Wise decision. MW 2.0 should be out soon.
>>>
>> I have been hearing that same song for a while now. I'm tired of the
>> single, release the whole album already! ;-P
>
> Are you willing to do some testing?
>
> Ugo
>
I could run it for a while. I would just keep the old version up long enough to deal with the old data. It would be ideal if I could log to both the old db and the new for a while to get a better feel on how it is logging.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080228/fce039b7/signature.bin

From ssilva at sgvwater.com Thu Feb 28 18:58:09 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 28 19:00:17 2008
Subject: Logwatch file being tagged as a virus file and deleted
In-Reply-To: <47C6B765.1000705@moosebird.net>
References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com> <1C079A14-DFE8-40AC-81FF-DBFED531FAA1@nkpanama.com> <47C6B765.1000705@moosebird.net>
Message-ID:

on 2-28-2008 5:30 AM Howard Fleming spake the following:
> Is there any way to exclude an email address from being scanned for
> viruses? For the last 3 days my logwatch file from my mail server has
> been deleted, and I get the following:
>
> Sender: root@messenger.mideasti.org
> IP Address: 127.0.0.1
> Recipient: hfleming@mideasti.org
> Subject: LogWatch for messenger.mideasti.org
> MessageID: F254D540E8.78B90
> Quarantine:
> Report: Clamd: message was infected: Email.Phishing.DblDom-39 FOUND
>
> I have added root@messenger.mideasti.org to phishing.safe.sites.conf,
> but it did not make any difference (or is this the right place?).
>
> Thanks,
> Howard

Time for the thread hijacking spanking!!!

SSSSSMMMMAAAACCCCKKKKK ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080228/23ca94dd/signature.bin

From hfleming at moosebird.net Thu Feb 28 19:15:25 2008
From: hfleming at moosebird.net (Howard Fleming)
Date: Thu Feb 28 19:15:47 2008
Subject: Logwatch file being tagged as a virus file and deleted
In-Reply-To:
References:
Message-ID: <47C7084D.9040401@moosebird.net>

Mark Sapiro wrote:
> Howard Fleming wrote:
>
>> Is there any way to exclude an email address from being scanned for
>> viruses? For the last 3 days my logwatch file from my mail server has
>> been deleted, and I get the following:
>>
>> Sender: root@messenger.mideasti.org
>> IP Address: 127.0.0.1
>> Recipient: hfleming@mideasti.org
>> Subject: LogWatch for messenger.mideasti.org
>> MessageID: F254D540E8.78B90
>> Quarantine:
>> Report: Clamd: message was infected: Email.Phishing.DblDom-39 FOUND
>>
>> I have added root@messenger.mideasti.org to phishing.safe.sites.conf,
>> but it did not make any difference (or is this the right place?).
>
>
> I had the same issue when I first installed Mailscanner. My solution is
> to put
>
> Scan Messages = %rules-dir%/scan.messages.rules
>
> in MailScanner.conf and then put
>
> From: 127.0.0.1 no
> FromOrTo: default yes
>
> in scan.messages.rules. You may not want to exempt all mail originating
> from localhost, so you may want a more restrictive rule.
>

Hi Mark,

I added the change, only change I made to the contents of scan.messages.rules was to change

From: 127.0.0.1 no

to

From: root@messenger.mideasti.org no

Will know more tomorrow... :o)

Thanks!

Howard

From MailScanner at ecs.soton.ac.uk Thu Feb 28 19:28:47 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 28 19:29:36 2008
Subject: small bug in 4.66.5 - log entries missing
In-Reply-To:
References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> <47C6F386.3080509@nerc.ac.uk>
Message-ID: <47C70B6F.6070701@ecs.soton.ac.uk>

Scott Silva wrote:
> on 2-28-2008 9:46 AM Greg Matthews spake the following:
>> Scott Silva wrote:
>>> on 2/26/2008 1:32 PM Julian Field spake the following:
>>>> Does this only happen with the ClamAVModule scanner?
>>>>
>>> I just had some time to look at my systems and I am not seeing this.
>>>
>>> Back in December I saw the report change from
>>>
>>> Dec 30 05:38:03 mail MailScanner[28877]: ClamAV Module::INFECTED:: Email.Hdr.Sanesecurity.07091600:: ./lBUDb5e1031892/
>>>
>>> to
>>>
>>> Feb 26 15:30:02 mail MailScanner[17626]: ClamAVModule::INFECTED:: Email.Spam.Gen2443.Sanesecurity.08020714:: ./m1QNTefQ019501/
>>
>> hmmm... weird, so it works ok for you - what version of MS? can you
>> send me the SweepViruses.pm for comparison?
>>
> CentOS 4.6
> Mailscanner 4.66.5
>
> I'll send sweepviruses.pm offlist if it's OK with you
>
Sure. Please gzip it first. Is all the other logging working okay? Does it happen only with exactly this set?

Virus Scanners = clamavmodule

Exactly what log entries don't arrive in your syslog (when compared to using a different virus scanner)?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Feb 28 19:32:52 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 28 19:33:14 2008
Subject: {Disarmed} Re: Somewhat OT: Clustering and HA
In-Reply-To:
References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com>
Message-ID: <47C70C64.1070601@ecs.soton.ac.uk>

Please can someone add this to the Wiki, it's a very useful guide. And once it's up there, we can edit and further improve it as necessary if people feel they would like to.

Thanks folks!
Jules.

Vlad Mazek wrote:
> I pieced mine out of a few guides but there is an easier way to do
> this now (assuming you're in RHEL / CentOS world) as Redhat developed
> a GUI for HA. It's called Piranha:
> www.centos.org/docs/5/html/Virtual_Server_Administration/ch-lvs-piranha-VSA.html
>
> You can get the RPMs from DAG and the process is pretty simple (at
> least mine is). I use direct path. On the load balancer just modify
> the /etc/rc.d/ha/lvs.cf to setup your load balancer and the virtual
> servers.
>
> serial_no = 132
> primary = 1.2.3.10
> service = lvs
> backup_active = 0
> backup = 0.0.0.0
> heartbeat = 1
> heartbeat_port = 539
> keepalive = 20
> deadtime = 20
> network = direct
> debug_level = NONE
> monitor_links = 0
> virtual mailscanner {
>      active = 1
>      address = 1.2.3.5 eth0:1
>      vip_nmask = 255.255.255.0
>      port = 25
>      use_regex = 0
>      load_monitor = none
>      scheduler = wrr
>      protocol = tcp
>      timeout = 20
>      reentry = 30
>      quiesce_server = 0
>      server mailscanner1 {
>          address = 1.2.3.1
>          active = 1
>          weight = 1
>      }
>      server mailscanner2 {
>          address = 1.2.3.2
>          active = 1
>          weight = 1
>      }
> }
>
> So here is the idea, your system runs on 1.2.3.10 and
> you're going to be pointing the MX to 1.2.3.5
> which will then deliver mail down to the actual
> mailscanner real servers 1.2.3.1 and
> 1.2.3.2 ; Just start pulse and you're
> done.
>
> Each node needs a loopback interface with the address of the virtual
> server and 255.255.255.255 subnet mask.
>
> /etc/sysconfig/network-scripts/ifcfg-lo:1
> DEVICE=lo:1
> IPADDR=1.2.3.5
> NETMASK=255.255.255.255
> ONBOOT=yes
> NAME=loopback
>
> Some more junk for sysctl.conf (comment out packet forwarding):
>
> net.ipv4.conf.all.arp_ignore = 1
> net.ipv4.conf.eth0.arp_ignore = 1
> net.ipv4.conf.all.arp_announce = 2
> net.ipv4.conf.eth0.arp_announce = 2
> net.ipv4.ip_forward = 1
>
> Hope that helps (and hope you want to replicate exactly what I have
> otherwise there is reading involved).. :)
>
> -Vlad
>
> On 2/27/08, *Alex Neuman*
> wrote:
>
>
>     On Feb 27, 2008, at 4:04 PM, Vlad Mazek wrote:
>
>     > Keep in mind that if you have more than 4 MX records in round robin
>     > the lookup will only return four, throwing the load balancing a bit
>     > out of skew. Linux HA with lvs is dead easy to configure and can do
>     > quite a bit with cheap hardware.
>
>
>     Can you please direct me to a good "howto" or "cookbook" on Linux HA?
>     I've looked around and most are either too specific or outdated.
>
>
>     --
>
>     MailScanner mailing list
>     mailscanner@lists.mailscanner.info
>
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>     Before posting, read http://wiki.mailscanner.info/posting
>
>     Support MailScanner development - buy the book off the website!
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Thu Feb 28 19:55:31 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 28 19:56:21 2008
Subject: small bug in 4.66.5 - log entries missing
In-Reply-To: <47C70B6F.6070701@ecs.soton.ac.uk>
References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> <47C6F386.3080509@nerc.ac.uk> <47C70B6F.6070701@ecs.soton.ac.uk>
Message-ID:

on 2-28-2008 11:28 AM Julian Field spake the following:
>
>
> Scott Silva wrote:
>> on 2-28-2008 9:46 AM Greg Matthews spake the following:
>>> Scott Silva wrote:
>>>> on 2/26/2008 1:32 PM Julian Field spake the following:
>>>>> Does this only happen with the ClamAVModule scanner?
>>>>>
>>>> I just had some time to look at my systems and I am not seeing this.
>>>>
>>>> Back in December I saw the report change from
>>>>
>>>> Dec 30 05:38:03 mail MailScanner[28877]: ClamAV Module::INFECTED:: Email.Hdr.Sanesecurity.07091600:: ./lBUDb5e1031892/
>>>>
>>>> to
>>>>
>>>> Feb 26 15:30:02 mail MailScanner[17626]: ClamAVModule::INFECTED:: Email.Spam.Gen2443.Sanesecurity.08020714:: ./m1QNTefQ019501/
>>>
>>> hmmm... weird, so it works ok for you - what version of MS? can you
>>> send me the SweepViruses.pm for comparison?
>>>
>> CentOS 4.6
>> Mailscanner 4.66.5
>>
>> I'll send sweepviruses.pm offlist if it's OK with you
>>
> Sure. Please gzip it first. Is all the other logging working okay? Does
> it happen only with exactly this set?
> Virus Scanners = clamavmodule
> Exactly what log entries don't arrive in your syslog (when compared to
> using a different virus scanner)?
>
> Jules
>
Sorry Julian, I think Greg wanted a copy of mine to see if he had differences, at least that is what I inferred.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080228/dbbd9c0e/signature.bin

From MailScanner at ecs.soton.ac.uk Thu Feb 28 19:57:07 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 28 19:58:05 2008
Subject: MailScanner: selective virus scanning using a simple ruleset
Message-ID: <47C71213.5040603@ecs.soton.ac.uk>

Howard,

There are many ways you can do this. You want to use a "ruleset". In this case, it's a very simple one that just switches off the "Virus Scanning = yes" for these particular messages.

You can set pretty much any setting in the MailScanner.conf file to different values for different messages, depending on where they come from and are going to. You can have a different ruleset for any setting, so you can build extremely complex configurations if that's what you need. But in your case we can keep it very simple.

The setting we want to change is the "Virus Scanning" setting, which can take "yes" or "no" as its value. So first we build the ruleset file. These live in /etc/MailScanner/rules on most people's systems.

You have to beware that the "from" address in an email message can be faked by a spammer or a virus, so you can't reliably control something as crucial as the actual virus scanning depending on only the "from" address. Less crucial settings, such as many of the spam detection settings are no problem, as a failure will just let through the occasional spam which is unlikely to cause anyone serious problems.

So we can say that, in your case, you want to set "Virus Scanning" to "yes" for most messages. You want it to be "no" for messages from root@messenger.mideasti.org, so long as they originate from the server itself, the IP address 127.0.0.1.

So put these 2 lines into /etc/MailScanner/rules/virus.scanning.rules file

From: root@messenger.mideasti.org and From: 127.0.0.1 no
FromOrTo: default yes

That should have been 2 lines, just in case your email application wrapped the text onto 3 lines by mistake.

Then you just tell MailScanner to use the new ruleset file by setting this in your /etc/MailScanner/MailScanner.conf

Virus Scanning = %rules-dir%/virus.scanning.rules

The last 2 jobs are to check the new setting is right by running the command

MailScanner --lint

and if that works okay then tell MailScanner to re-read its configuration immediately:

/sbin/service MailScanner reload

You can have as many different rulesets as you like. Just don't put more than around 1000 lines into each ruleset as things will slow down a bit.

In the /etc/MailScanner/rules directory, you will find a couple of examples which show you what you can put in ruleset files. You can make the 'address conditions' (just the simple "root@messenger.mideasti.org" in your case) very complicated if you need to, there are loads of different things you can do there.

If you can't write your requirements as a ruleset, but need to write some sort of a program to work out the value, you can write what are called "Custom Functions" to produce the result instead. Indeed, this is how the entire MailWatch package hooks into MailScanner.

The values set by a ruleset don't have to just be "yes" or "no". They can be whatever values are acceptable to the MailScanner.conf setting you are using the ruleset for. So you can give different report filenames for different customers, different languages for different domains, all sorts of things, it's only limited by your imagination and requirements.

The configuration system I built into MailScanner is very easy to use, and most people's setups are very simple. But you can make it as complex as you need to, and it's all easy to manage and administer.

Personally it's one of the cleverest bits of code I've written in quite a while :-) The bit I'm most proud of actually is the upgrade_MailScanner_conf script, as it can upgrade or downgrade from any MailScanner version to any other MailScanner version, without any external list of what the permitted options are or anything like that. It just uses the two filenames you give it to read from, and it works out everything from those. For example, did you know that upgrade_languages_conf and upgrade_MailScanner_conf are actually the same script? One is soft-linked to the other, there's only 1 copy of the script on your disk.

I hope that all helps you get started using rulesets. There are examples in the /etc/MailScanner/rules directory and in the wiki web site at http://wiki.mailscanner.info/ and in the Book.

The Book explains them all fairly well too. If you haven't got the book, please can you buy one from the website? It's my only source of funding for MailScanner and its development and my ability to support it depend on the profits I make solely from selling the book. Many thanks!

If you can't afford a copy of the book, and just want the bit that explains rulesets, then drop me a line and I might give you a copy of that snippet of the book. It would be useful for that bit to be available for free on-line anyway, I think a lot of people would appreciate that, as many people seem to think they are more complicated than they actually are.

Good luck! And feel free to mail me if you really get stuck even after you've read the examples, the documentation on-line and in the book.

Cheers,
Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Feb 28 19:59:17 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 28 19:59:40 2008
Subject: Logwatch file being tagged as a virus file and deleted
In-Reply-To: <47C7084D.9040401@moosebird.net>
References: <47C7084D.9040401@moosebird.net>
Message-ID: <47C71295.9010306@ecs.soton.ac.uk>

Howard Fleming wrote:
>
>
> Mark Sapiro wrote:
>> Howard Fleming wrote:
>>
>>> Is there any way to exclude an email address from being scanned for
>>> viruses? For the last 3 days my logwatch file from my mail server
>>> has been deleted, and I get the following:
>>>
>>> Sender: root@messenger.mideasti.org
>>> IP Address: 127.0.0.1
>>> Recipient: hfleming@mideasti.org
>>> Subject: LogWatch for messenger.mideasti.org
>>> MessageID: F254D540E8.78B90
>>> Quarantine:
>>> Report: Clamd: message was infected: Email.Phishing.DblDom-39
>>> FOUND
>>>
>>> I have added root@messenger.mideasti.org to
>>> phishing.safe.sites.conf, but it did not make any difference (or is
>>> this the right place?).
>>
>>
>> I had the same issue when I first installed Mailscanner. My solution is
>> to put
>>
>> Scan Messages = %rules-dir%/scan.messages.rules
>>
>> in MailScanner.conf and then put
>>
>> From: 127.0.0.1 no
>> FromOrTo: default yes
>>
>> in scan.messages.rules. You may not want to exempt all mail originating
>> from localhost, so you may want a more restrictive rule.
>>
>
> Hi Mark,
>
> I added the change, only change I made to the contents of
> scan.messages.rules was to change
>
> From: 127.0.0.1 no
>
> to
>
> From: root@messenger.mideasti.org no

That's dangerous. All a spammer (or a virus) has to do is set the sender address of the message (which is completely under their control) to root@messenger.mideasti.org and their messages won't be virus-scanned at all. Not a good idea!

Change it to this instead:

From: root@messenger.mideasti.org and From: 127.0.0.1 no

and that will be a whole lot safer.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Thu Feb 28 20:07:38 2008
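[Added example, not part of the original posts and not MailScanner's own code.] The difference between the address-only exemption and the address-plus-IP exemption discussed in the two messages above, as a simplified Python model of ruleset evaluation. The matching semantics (first matching line wins; exact address, *@domain, IP, IP prefix and "default" patterns) are assumptions of this model, and the external client address 203.0.113.25 is a constructed sample.

```python
# Simplified model of MailScanner ruleset matching. Added illustration only:
# this is not MailScanner's Perl code, and the matching rules are assumptions
# (first matching line wins; patterns are an exact address, *@domain, an IP,
# an IP prefix ending in ".", or the keyword "default").
import ipaddress
from dataclasses import dataclass


@dataclass
class Message:
    sender: str     # envelope sender: chosen freely by whoever sends the mail
    recipient: str
    client_ip: str  # address of the connecting SMTP client, as seen by the server


def _is_ip_pattern(pattern):
    return pattern.replace(".", "").isdigit()


def _match_ip(pattern, ip):
    if pattern.endswith("."):                  # prefix form, e.g. "66.63.168."
        return ip.startswith(pattern)
    return ipaddress.ip_address(ip) == ipaddress.ip_address(pattern)


def _match_address(pattern, address):
    pattern, address = pattern.lower(), address.lower()
    if pattern.startswith("*@"):
        return address.endswith(pattern[1:])
    return address == pattern


def _condition_matches(direction, pattern, msg):
    if pattern.lower() == "default":
        return True
    if _is_ip_pattern(pattern):
        # An IP pattern describes the sending host, so it never matches "To".
        from_hit, to_hit = _match_ip(pattern, msg.client_ip), False
    else:
        from_hit = _match_address(pattern, msg.sender)
        to_hit = _match_address(pattern, msg.recipient)
    kind = direction.rstrip(":").lower()
    if kind == "from":
        return from_hit
    if kind == "to":
        return to_hit
    if kind == "fromorto":
        return from_hit or to_hit
    if kind == "fromandto":
        return from_hit and to_hit
    raise ValueError(f"unknown direction: {direction!r}")


def parse_ruleset(text):
    """Return [(conditions, value)]; conditions are (direction, pattern) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        *cond_tokens, value = line.split()
        conditions, current = [], []
        for token in cond_tokens:
            if token.lower() == "and":         # "A and B value": both must match
                conditions.append(tuple(current))
                current = []
            else:
                current.append(token)
        conditions.append(tuple(current))
        if any(len(c) != 2 for c in conditions):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((conditions, value))
    return rules


def virus_scanned(ruleset_text, msg):
    """True if the first matching rule yields "yes" (scan when nothing matches)."""
    for conditions, value in parse_ruleset(ruleset_text):
        if all(_condition_matches(d, p, msg) for d, p in conditions):
            return value.lower() == "yes"
    return True


# Exemption keyed on the sender address only.
ADDRESS_ONLY = """
From: root@messenger.mideasti.org no
FromOrTo: default yes
"""
# Exemption keyed on the sender address AND local origin.
ADDRESS_AND_IP = """
From: root@messenger.mideasti.org and From: 127.0.0.1 no
FromOrTo: default yes
"""

# Constructed sample messages; 203.0.113.25 is a documentation address.
LOGWATCH = Message("root@messenger.mideasti.org", "hfleming@mideasti.org", "127.0.0.1")
FORGED = Message("root@messenger.mideasti.org", "hfleming@mideasti.org", "203.0.113.25")

if __name__ == "__main__":
    for name, rules in (("address only", ADDRESS_ONLY), ("address and IP", ADDRESS_AND_IP)):
        for label, msg in (("local logwatch", LOGWATCH), ("forged sender", FORGED)):
            print(f"{name:15} {label:15} scanned={virus_scanned(rules, msg)}")
```

In this model only the combined rule keeps scanning the message that arrives from outside with the forged sender, while the local logwatch report is exempted under both rules.
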
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 28 20:08:04 2008
Subject: Another attack to fight off
In-Reply-To:
References:
Message-ID:

on 2-28-2008 9:39 AM Kevin Miller spake the following:
> Scott Silva wrote:
>> I see a new reason to block OoO replies;
>>
>> It seems that spammers are using legitimate webmail accounts to
>> bounce their garbage via OoO replies. Just fake the sender, and
>> suddenly you have spam with legitimate DKIM sigs, valid SPF, and
>> maybe even whitelists.
>>
>>
> http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html
>> Filthy spammers!
>
> Dang those boys are clever. Imagine if they turned their creativity to
> world peace and cheap, clean energy. Too bad there's no money in that.
>
> So how are you blocking OoO replies? There a spamassassin ruleset for
> that or what?
>
> ...Kevin

I haven't quite figured out how to block them without also blocking Outlook read receipts. But if it is spam, it should still get caught by spamassassin and the digests. DKIM verified only subtracts a small amount from the total, and I have spam that scores double digit quite regularly. It just means that there will be a little more low scoring spam sneaking in, and here I tag and attach that so it doesn't automatically preview in the windows MUA's. And stripping web bugs and other nasties also helps.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080228/defabcae/signature.bin

From mikew at crucis.net Thu Feb 28 20:08:18 2008
From: mikew at crucis.net (Mike - W0TMW)
Date: Thu Feb 28 20:08:55 2008
Subject: F-Prot use not appearing in log file
Message-ID: <47C714B2.6060603@crucis.net>

I've installed MS 4.66 on a new box and thanks to others here gotten it running. I have noticed something odd.

I have clamav and f-prot installed for virus scanning. I have an older version of MS running on another box also with clamav and f-prot. On that older box, when an e-mail is being scanned, I see in the log that clamav and f-prot are used. On the new box however, I only see clamav mentioned. Both virus scanners are found when MS is started.

Is f-prot being used and just not logged?

Mike W

--
"Lose not thy airspeed lest the ground rises up and smites thee." - Anon.

From richard.siddall at elirion.net Thu Feb 28 20:14:16 2008
From: richard.siddall at elirion.net (Richard Siddall)
Date: Thu Feb 28 20:15:06 2008
Subject: Somewhat OT: Clustering and HA
In-Reply-To:
References: <0C548A5B-C490-416D-A9A3-84BE97389D54@nkpanama.com> <47C4432A.7060703@ecs.soton.ac.uk> <56C6E72D-E68C-4D5B-8B47-65459F161984@nkpanama.com>
Message-ID: <47C71618.7050604@elirion.net>

Vlad Mazek wrote:
> I pieced mine out of a few guides but there is an easier way to do this now
> (assuming you're in RHEL / CentOS world) as Redhat developed a GUI for HA.
> It's called Piranha:
> www.centos.org/docs/5/html/Virtual_Server_Administration/ch-lvs-piranha-VSA.html
>

I could be wrong, but I think when I was researching clustering last night I read that Piranha had been deprecated in favour of Conga: http://sourceware.org/cluster/conga/

Regards,

Richard Siddall

From v at vladville.com Thu Feb 28 20:38:06 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 28 20:38:41 2008
Subject: Another attack to fight off
In-Reply-To:
References:
Message-ID:

The problem too is that at least here we've seen a 40% increase in message
load specifically in NDRs and null senders over the past 2-3 days. The iron
is starting to turn orange..

-Vlad

On 2/28/08, Scott Silva wrote:
>
> on 2-28-2008 9:39 AM Kevin Miller spake the following:
>
> > Scott Silva wrote:
> >> I see a new reason to block OoO replies;
> >>
> >> It seems that spammers are using legitimate webmail accounts to
> >> bounce their garbage via OoO replies. Just fake the sender, and
> >> suddenly you have spam with legitimate DKIM sigs, valid SPF, and
> >> maybe even whitelists.
> >>
> >> http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html
> >> Filthy spammers!
> >
> > Dang those boys are clever. Imagine if they turned their creativity to
> > world peace and cheap, clean energy. Too bad there's no money in that.
> >
> > So how are you blocking Oo0 replies? There a spamassassin ruleset for
> > that or what?
> >

From dstraka at caspercollege.edu Thu Feb 28 20:49:13 2008
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Thu Feb 28 20:50:10 2008
Subject: Another attack to fight off
In-Reply-To:
References:
Message-ID: <47C6BBD8.61A4.0000.0@caspercollege.edu>

I'm seeing Vlad's problem too, only 100% (2x) more than last week, it's
unnerving...

>>> On 2/28/2008 at 1:38 PM, in message , "Vlad Mazek" wrote:
> The problem too is that at least here we've seen a 40% increase in message
> load specifically in NDRs and null senders over the past 2-3 days. The iron
> is starting to turn orange..
>
> -Vlad
>
> On 2/28/08, Scott Silva wrote:
>>
>> on 2-28-2008 9:39 AM Kevin Miller spake the following:
>>
>> > Scott Silva wrote:
>> >> I see a new reason to block OoO replies;
>> >>
>> >> It seems that spammers are using legitimate webmail accounts to
>> >> bounce their garbage via OoO replies. Just fake the sender, and
>> >> suddenly you have spam with legitimate DKIM sigs, valid SPF, and
>> >> maybe even whitelists.
>> >>
>> >> http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html
>> >> Filthy spammers!
>> >
>> > Dang those boys are clever. Imagine if they turned their creativity to
>> > world peace and cheap, clean energy. Too bad there's no money in that.
>> >
>> > So how are you blocking Oo0 replies? There a spamassassin ruleset for
>> > that or what?
>>
>>

From MailScanner at ecs.soton.ac.uk Thu Feb 28 20:55:10 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 28 20:55:58 2008
Subject: F-Prot use not appearing in log file
In-Reply-To: <47C714B2.6060603@crucis.net>
References: <47C714B2.6060603@crucis.net>
Message-ID: <47C71FAE.1020007@ecs.soton.ac.uk>

Mike - W0TMW wrote:
> I've installed MS 4.66 on a new box and thanks to others here gotten
> it running. I have noticed something odd.
>
> I have clamav and f-prot installed for virus scanning. I have an
> older version of MS running on another box also with clamav and
> f-prot. On that older box, when an e-mail is being scanned, I see in
> the log that clamav and f-prot are used. On the new box however, I
> only see clamav mentioned. Both virus scanners are found when MS is
> started.
>
> Is f-prot being used and just not logged?

That shouldn't be possible.
What does "MailScanner --lint" say?
If you add "eicar" to Non-Forging Viruses list, then you should receive a
notification when you send a copy of Eicar through it. That will tell you
for definite which virus scanners are finding Eicar.

Please let me know how you get on with this.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Thu Feb 28 21:22:23 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 28 21:23:28 2008
Subject: Another attack to fight off
In-Reply-To:
References:
Message-ID:

on 2-28-2008 12:38 PM Vlad Mazek spake the following:
> The problem too is that at least here we've seen a 40% increase in
> message load specifically in NDRs and null senders over the past 2-3
> days. The iron is starting to turn orange..
>
> -Vlad
>
> On 2/28/08, *Scott Silva*
> wrote:
>
>     on 2-28-2008 9:39 AM Kevin Miller spake the following:
>
>     > Scott Silva wrote:
>     >> I see a new reason to block OoO replies;
>     >>
>     >> It seems that spammers are using legitimate webmail accounts to
>     >> bounce their garbage via OoO replies. Just fake the sender, and
>     >> suddenly you have spam with legitimate DKIM sigs, valid SPF, and
>     >> maybe even whitelists.
>     >>
>     >> http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html
>     >> Filthy spammers!
>     >
>     > Dang those boys are clever. Imagine if they turned their creativity to
>     > world peace and cheap, clean energy. Too bad there's no money in that.
>     >
>     > So how are you blocking Oo0 replies? There a spamassassin ruleset for
>     > that or what?
>

Milter-null might help, from what I have read in the list before.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From v at vladville.com Thu Feb 28 21:32:51 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 28 21:33:26 2008
Subject: Another attack to fight off
In-Reply-To: <47C6BBD8.61A4.0000.0@caspercollege.edu>
References: <47C6BBD8.61A4.0000.0@caspercollege.edu>
Message-ID:

It's escalating too :( which is why I'm trying to do the split queue thing
but MailScanner has a big bold FIXME where it parses for incoming
directories..

On 2/28/08, Daniel Straka wrote:
>
> I'm seeing Vlad's problem too, only 100% (2x) more than last week, it's
> unnerving...
>
> >>> On 2/28/2008 at 1:38 PM, in message , "Vlad Mazek" wrote:
> > The problem too is that at least here we've seen a 40% increase in message
> > load specifically in NDRs and null senders over the past 2-3 days. The iron
> > is starting to turn orange..
> >
> > -Vlad
> >
> > On 2/28/08, Scott Silva wrote:
> >>
> >> on 2-28-2008 9:39 AM Kevin Miller spake the following:
> >>
> >> > Scott Silva wrote:
> >> >> I see a new reason to block OoO replies;
> >> >>
> >> >> It seems that spammers are using legitimate webmail accounts to
> >> >> bounce their garbage via OoO replies. Just fake the sender, and
> >> >> suddenly you have spam with legitimate DKIM sigs, valid SPF, and
> >> >> maybe even whitelists.
> >> >>
> >> >> http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html
> >> >> Filthy spammers!
> >> >
> >> > Dang those boys are clever. Imagine if they turned their creativity to
> >> > world peace and cheap, clean energy. Too bad there's no money in that.
> >> >
> >> > So how are you blocking Oo0 replies? There a spamassassin ruleset for
> >> > that or what?
> >>
> >>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
-Vlad

From mikew at crucis.net Thu Feb 28 21:35:10 2008
From: mikew at crucis.net (Mike - W0TMW)
Date: Thu Feb 28 21:35:47 2008
Subject: F-Prot use not appearing in log file
In-Reply-To: <47C71FAE.1020007@ecs.soton.ac.uk>
References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk>
Message-ID: <47C7290E.20700@crucis.net>

Julian Field wrote:
>
>
> Mike - W0TMW wrote:
>> I've installed MS 4.66 on a new box and thanks to others here gotten
>> it running. I have noticed something odd.
>>
>> I have clamav and f-prot installed for virus scanning. I have an
>> older version of MS running on another box also with clamav and
>> f-prot. On that older box, when an e-mail is being scanned, I see in
>> the log that clamav and f-prot are used. On the new box however, I
>> only see clamav mentioned. Both virus scanners are found when MS is
>> started.
>>
>> Is f-prot being used and just not logged?
> That shouldn't be possible.
> What does "MailScanner --lint" say?
> If you add "eicar" to Non-Forging Viruses list, then you should
> receive a notification when you send a copy of Eicar through it. That
> will tell you for definite which virus scanners are finding Eicar.
>
> Please let me know how you get on with this.
>
> Jules
>

Here's the dump from MailScanner --lint.

[root@cygni ~]# MailScanner --lint
Trying to setlogsock(unix)
Checking version numbers...
Version number in MailScanner.conf (4.66.5) is correct.

Your setting "Mail Header" contains illegal characters.
This is most likely caused by your "%org-name%" setting
which must not contain and "." or "_" characters as
these are known to cause problems with some mail systems.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-crucis.net-MailScanner-From

MikeW: Hmmm, I wonder if this could be the cause? Continuing...

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = f-prot clamav"
Found these virus scanners installed: clamav, f-prot
===========================================================================
===========================================================================
Virus Scanner test reports:
F-Prot said "./1/eicar.com Infection: EICAR_Test_File"
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav,f-prot)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
[root@cygni ~]#

Mike W: However, maillog only shows...

[root@cygni ~]# tail -50 /var/log/maillog
Feb 28 14:22:50 cygni MailScanner[21967]: Read 5752 hostnames from the phishing blacklist
Feb 28 14:22:50 cygni MailScanner[21967]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Feb 28 14:22:50 cygni MailScanner[21967]: Using SpamAssassin results cache
Feb 28 14:22:50 cygni MailScanner[21967]: Connected to SpamAssassin cache database
Feb 28 14:22:50 cygni MailScanner[21967]: Enabling SpamAssassin auto-whitelist functionality...
Feb 28 14:22:52 cygni MailScanner[21967]: ClamAV scanner using unrar command /usr/bin/unrar
Feb 28 14:22:52 cygni MailScanner[21967]: Using locktype = posix
Feb 28 14:22:52 cygni MailScanner[21967]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Feb 28 14:22:55 cygni MailScanner[21968]: MailScanner E-Mail Virus Scanner version 4.66.5 starting...
Feb 28 14:22:55 cygni MailScanner[21968]: Read 814 hostnames from the phishing whitelist
Feb 28 14:22:55 cygni MailScanner[21968]: Read 5752 hostnames from the phishing blacklist
Feb 28 14:22:55 cygni MailScanner[21968]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Feb 28 14:22:55 cygni MailScanner[21968]: Using SpamAssassin results cache
Feb 28 14:22:55 cygni MailScanner[21968]: Connected to SpamAssassin cache database
Feb 28 14:22:55 cygni MailScanner[21968]: Enabling SpamAssassin auto-whitelist functionality...
Feb 28 14:22:57 cygni MailScanner[21968]: ClamAV scanner using unrar command /usr/bin/unrar
Feb 28 14:22:57 cygni MailScanner[21968]: Using locktype = posix
Feb 28 14:22:57 cygni MailScanner[21968]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Feb 28 14:49:35 cygni sendmail[22232]: m1SKnYAV022232: from=, size=1444, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
Feb 28 14:49:35 cygni sendmail[22233]: m1SKnZWi022233: from=, size=1444, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
Feb 28 14:49:36 cygni MailScanner[21934]: New Batch: Scanning 2 messages, 3854 bytes
Feb 28 14:49:36 cygni MailScanner[21934]: Spam Checks: Starting
Feb 28 14:49:47 cygni MailScanner[21934]: Message m1SKnZWi022233 from 127.0.0.1 (xxx-announce-bounces@crucis.net) to crucis.net is not spam, SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam, ALL_TRUSTED -1.44)
Feb 28 14:49:56 cygni MailScanner[21934]: Message m1SKnYAV022232 from 127.0.0.1 (xxx-announce-bounces@crucis.net) to crucis.net is not spam, SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam, ALL_TRUSTED -1.44)
Feb 28 14:49:56 cygni MailScanner[21934]: Spam Checks completed at 197 bytes per second
Feb 28 14:49:56 cygni MailScanner[21934]: Virus and Content Scanning: Starting
Feb 28 14:50:00 cygni MailScanner[21934]: Virus Scanning completed at 821 bytes per second
Feb 28 14:50:00 cygni MailScanner[21934]: Uninfected: Delivered 2 messages
Feb 28 14:50:00 cygni MailScanner[21934]: Virus Processing completed at 75732 bytes per second
Feb 28 14:50:00 cygni MailScanner[21934]: Batch completed at 158 bytes per second (3854 / 24)
Feb 28 14:50:00 cygni MailScanner[21934]: Batch (2 messages) processed in 24.26 seconds
Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward /home/yyy/.forward.cygni: World writable directory
Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward /home/yyy/.forward: World writable directory
Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: to=, delay=00:00:25, xdelay=00:00:00, mailer=local, pri=121444, dsn=2.0.0, stat=Sent
Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward /home/zzz/.forward.cygni: World writable directory
Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward /home/zzz/.forward: World writable directory
Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: to=, delay=00:00:25, xdelay=00:00:00, mailer=local, pri=121444, dsn=2.0.0, stat=Sent
Feb 28 15:01:02 cygni update.bad.phishing.sites: Delaying cron job up to 600 seconds
Feb 28 15:05:31 cygni update.bad.phishing.sites: Phishing bad sites list updated
Feb 28 15:05:31 cygni update.virus.scanners: Delaying cron job up to 600 seconds
Feb 28 15:12:03 cygni update.virus.scanners: Found clamav installed
Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for clamav
Feb 28 15:12:03 cygni ClamAV-autoupdate[22465]: ClamAV updater /usr/local/bin/freshclam cannot be run
Feb 28 15:12:03 cygni update.virus.scanners: Found f-prot installed
Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for f-prot
Feb 28 15:12:04 cygni F-Prot autoupdate[22488]: F-Prot did not need updating.
Feb 28 15:12:04 cygni update.virus.scanners: Found generic installed
Feb 28 15:12:04 cygni update.virus.scanners: Running autoupdate for generic
Feb 28 15:22:20 cygni MailScanner[22620]: MailScanner E-Mail Virus Scanner version 4.66.5 starting...
Feb 28 15:23:33 cygni MailScanner[22713]: MailScanner E-Mail Virus Scanner version 4.66.5 starting...
[root@cygni ~]#

From alex at nkpanama.com Thu Feb 28 21:44:36 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Thu Feb 28 21:46:01 2008
Subject: Another attack to fight off
In-Reply-To:
References:
Message-ID: <29B51418-FA2E-4530-A847-91F77D6F32AD@nkpanama.com>

That and MS's watermarking...

On Feb 28, 2008, at 4:22 PM, Scott Silva wrote:
> Milter-null might help, from what I have read in the list before.

From mikew at crucis.net Thu Feb 28 21:55:55 2008
From: mikew at crucis.net (Mike - W0TMW)
Date: Thu Feb 28 21:56:38 2008
Subject: F-Prot use not appearing in log file
In-Reply-To: <47C71FAE.1020007@ecs.soton.ac.uk>
References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk>
Message-ID: <47C72DEB.3020309@crucis.net>

Julian Field wrote:
>
>
> Mike - W0TMW wrote:
>> I've installed MS 4.66 on a new box and thanks to others here gotten
>> it running. I have noticed something odd.
>>
>> I have clamav and f-prot installed for virus scanning. I have an
>> older version of MS running on another box also with clamav and
>> f-prot. On that older box, when an e-mail is being scanned, I see in
>> the log that clamav and f-prot are used. On the new box however, I
>> only see clamav mentioned. Both virus scanners are found when MS is
>> started.
>>
>> Is f-prot being used and just not logged?
> That shouldn't be possible.
> What does "MailScanner --lint" say?
> If you add "eicar" to Non-Forging Viruses list, then you should
> receive a notification when you send a copy of Eicar through it. That
> will tell you for definite which virus scanners are finding Eicar.
>
> Please let me know how you get on with this.
>
> Jules
>

I created an eicar test message and ran it. It was detected. This is the
section of maillog and it only shows clamav being activated.

[root@cygni ~]# tail -80 /var/log/maillog
Feb 28 15:44:11 cygni sendmail[23070]: m1SLiBoV023070: from=root, size=364, class=0, nrcpts=1, msgid=<20080228214411.GA23016@cygni.crucis.net>, relay=root@localhost
Feb 28 15:44:11 cygni sendmail[23071]: m1SLiBxD023071: from=, size=507, class=0, nrcpts=1, msgid=<20080228214411.GA23016@cygni.crucis.net>, proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
Feb 28 15:44:11 cygni sendmail[23070]: m1SLiBoV023070: to=mikew@cygni.crucis.net, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30364, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m1SLiBxD023071 Message accepted for delivery)
Feb 28 15:44:12 cygni MailScanner[22998]: New Batch: Scanning 1 messages, 988 bytes
Feb 28 15:44:12 cygni MailScanner[22998]: Spam Checks: Starting
Feb 28 15:44:24 cygni MailScanner[22998]: Message m1SLiBxD023071 from 127.0.0.1 (root@cygni.crucis.net) to crucis.net is not spam, SpamAssassin (score=1.459, required 6, ALL_TRUSTED -1.44, TVD_SPACE_RATIO 2.90)
Feb 28 15:44:24 cygni MailScanner[22998]: Spam Checks completed at 78 bytes per second
Feb 28 15:44:24 cygni MailScanner[22998]: Virus and Content Scanning: Starting
Feb 28 15:44:28 cygni MailScanner[22998]: /var/spool/MailScanner/incoming/22998/./m1SLiBxD023071/msg-22998-1.txt: Eicar-Test-Signature FOUND
Feb 28 15:44:28 cygni MailScanner[22998]: /var/spool/MailScanner/incoming/22998/./m1SLiBxD023071.message: Eicar-Test-Signature FOUND
Feb 28 15:44:29 cygni MailScanner[22998]: Virus Scanning: ClamAV found 2 infections
Feb 28 15:44:29 cygni MailScanner[22998]: Infected message m1SLiBxD023071.message came from
Feb 28 15:44:29 cygni MailScanner[22998]: Infected message m1SLiBxD023071 came from 127.0.0.1
Feb 28 15:44:29 cygni MailScanner[22998]: Virus Scanning: Found 2 viruses
Feb 28 15:44:29 cygni MailScanner[22998]: Virus Scanning completed at 239 bytes per second
Feb 28 15:44:29 cygni MailScanner[22998]: Cleaned: Delivered 1 cleaned messages
Feb 28 15:44:29 cygni sendmail[23089]: m1SLiTx9023089: from=postmaster, size=1145, class=0, nrcpts=1, msgid=<200802282144.m1SLiTx9023089@cygni.crucis.net>, relay=root@localhost
Feb 28 15:44:29 cygni sendmail[23091]: m1SLiTfB023091: from=, size=1404, class=0, nrcpts=1, msgid=<200802282144.m1SLiTx9023089@cygni.crucis.net>, proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
Feb 28 15:44:29 cygni sendmail[23089]: m1SLiTx9023089: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31145, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m1SLiTfB023091 Message accepted for delivery)
Feb 28 15:44:29 cygni sendmail[23090]: m1SLiBxD023071: forward /home/mikew/.forward.cygni: World writable directory
Feb 28 15:44:29 cygni sendmail[23090]: m1SLiBxD023071: forward /home/mikew/.forward: World writable directory
Feb 28 15:44:29 cygni sendmail[23090]: m1SLiBxD023071: to=, ctladdr= (0/0), delay=00:00:18, xdelay=00:00:00, mailer=local, pri=120507, dsn=2.0.0, stat=Sent
Feb 28 15:44:29 cygni MailScanner[22998]: Notices: Warned about 1 messages
Feb 28 15:44:29 cygni MailScanner[22998]: Virus Processing completed at 3246 bytes per second
Feb 28 15:44:29 cygni MailScanner[22998]: Batch completed at 58 bytes per second (988 / 16)
Feb 28 15:44:29 cygni MailScanner[22998]: Batch (1 message) processed in 16.95 seconds
Feb 28 15:44:29 cygni MailScanner[22998]: New Batch: Scanning 1 messages, 1896 bytes
Feb 28 15:44:29 cygni MailScanner[22998]: Spam Checks: Starting
Feb 28 15:44:44 cygni MailScanner[22998]: Message m1SLiTfB023091 from 127.0.0.1 (postmaster@cygni.crucis.net) to cygni.crucis.net is not spam, SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam, ALL_TRUSTED -1.44)
Feb 28 15:44:44 cygni MailScanner[22998]: Spam Checks completed at 127 bytes per second
Feb 28 15:44:44 cygni MailScanner[22998]: Virus and Content Scanning: Starting
Feb 28 15:44:50 cygni MailScanner[22998]: Virus Scanning completed at 323 bytes per second
Feb 28 15:44:50 cygni MailScanner[22998]: Uninfected: Delivered 1 messages
Feb 28 15:44:50 cygni MailScanner[22998]: Virus Processing completed at 51281 bytes per second
Feb 28 15:44:50 cygni MailScanner[22998]: Batch completed at 91 bytes per second (1896 / 20)
Feb 28 15:44:50 cygni MailScanner[22998]: Batch (1 message) processed in 20.83 seconds
Feb 28 15:44:50 cygni sendmail[23137]: m1SLiTfB023091: to=root, delay=00:00:21, xdelay=00:00:00, mailer=local, pri=121404, dsn=2.0.0, stat=Sent
Feb 28 15:45:47 cygni sendmail[23161]: m1SLjl3d023161: Authentication-Warning: cygni.crucis.net: mikew set sender to mikew@cygni.crucis.net using -f
Feb 28 15:45:47 cygni sendmail[23161]: m1SLjl3d023161: from=mikew@cygni.crucis.net, size=1482, class=0, nrcpts=1, msgid=<200802281545.12060.mikew@cygni.crucis.net>, relay=localhost [[UNIX: localhost]]
[root@cygni ~]#

From dave.list at pixelhammer.com Thu Feb 28 22:03:55 2008
From: dave.list at pixelhammer.com (DAve)
Date: Thu Feb 28 22:04:39 2008
Subject: Another attack to fight off
In-Reply-To:
References: <47C6BBD8.61A4.0000.0@caspercollege.edu>
Message-ID: <47C72FCB.2070304@pixelhammer.com>

Vlad Mazek wrote:
> It's escalating too :( which is why I'm trying to do the split queue
> thing but MailScanner has a big bold FIXME where it parses for incoming
> directories..
>
> On 2/28/08, *Daniel Straka*
> wrote:
>
>     I'm seeing Vlad's problem too, only 100% (2x) more than last week,
>     it's unnerving...

Just out of curiosity I checked one server and grabbed these stats.
Nothing more scientific than a grep of the mail logs for " from=<> "

Today's total so far, followed by the last eight days.
19,485
18,818
28,619
5,461
1,658
994
1,140
1,097
810
1,546

Yeah, I would say it is a problem now.

DAve

--
Google finally, after 7 years, provided a logo for veterans.
Thank you Google. What to do with my signature now?

From ssilva at sgvwater.com Thu Feb 28 22:09:01 2008
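The per-day grep for " from=<> " described in DAve's post above, extended into a small script, as an added example that is not part of the original thread: it counts null-sender acceptances per day in a sendmail maillog and flags days that jump past a multiple of the earlier average. The function names, the spike factor and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-day null-sender (from=<>) counts from a sendmail maillog.

# Constructed sample entries in sendmail's syslog layout (not taken from the thread).
sample_log() {
cat <<'EOF'
Feb 26 08:00:01 mx1 sendmail[1001]: m1Q80001001001: from=<alice@example.org>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=a.example.org [192.0.2.10]
Feb 26 08:00:02 mx1 sendmail[1002]: m1Q80001001001: to=<bob@example.com>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
Feb 26 08:05:00 mx1 sendmail[1003]: m1Q80500001003: from=<>, size=3100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=b.example.net [192.0.2.20]
Feb 26 09:00:00 mx1 sendmail[1004]: m1Q90000001004: from=<carol@example.org>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=a.example.org [192.0.2.10]
Feb 27 10:00:00 mx1 sendmail[1101]: m1RA0000001101: from=<>, size=2800, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=c.example.net [192.0.2.30]
Feb 27 10:00:05 mx1 MailScanner[2000]: New Batch: Scanning 1 messages, 2800 bytes
Feb 27 11:00:00 mx1 sendmail[1102]: m1RB0000001102: from=<dave@example.org>, size=700, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=a.example.org [192.0.2.10]
Feb 28 07:00:00 mx1 sendmail[1201]: m1S70000001201: from=<>, size=3000, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=d.example.net [192.0.2.40]
Feb 28 07:01:00 mx1 sendmail[1202]: m1S70100001202: from=<>, size=3050, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=e.example.net [192.0.2.41]
Feb 28 07:02:00 mx1 sendmail[1203]: m1S70200001203: from=<>, size=2990, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=f.example.net [192.0.2.42]
Feb 28 07:03:00 mx1 sendmail[1204]: m1S70300001204: from=<erin@example.org>, size=800, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=a.example.org [192.0.2.10]
Feb 28 07:04:00 mx1 sendmail[1205]: m1S70400001205: from=<>, size=3010, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=g.example.net [192.0.2.43]
EOF
}

# Print "Mon DD <null-sender count> <total accepted>" per day, in log order.
# Only sendmail "from=" records are counted, so "to=" delivery lines and
# MailScanner lines for the same message do not inflate the numbers.
null_sender_counts() {
    awk '
        $5 ~ /^sendmail\[[0-9]+\]:$/ && $7 ~ /^from=/ {
            day = $1 " " $2
            if (!(day in total)) order[++n] = day
            total[day]++
            if ($7 == "from=<>,") nullc[day]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %d\n", order[i], nullc[order[i]], total[order[i]]
        }
    ' "$@"
}

# Read null_sender_counts output; print days whose null-sender count is at
# least <factor> times the average of all earlier days in the input.
flag_spikes() {
    awk -v factor="$1" '
        NR > 1 && $3 > 0 && $3 >= factor * (sum / (NR - 1)) { print $1, $2, $3 }
        { sum += $3 }
    '
}

# Demo on the constructed sample: per-day table, then days at 3x the baseline.
sample_log | null_sender_counts
sample_log | null_sender_counts | flag_spikes 3
```

On a live system, pass the log files as arguments in chronological order, for example `null_sender_counts /var/log/maillog.1 /var/log/maillog | flag_spikes 3`.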
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 28 22:09:50 2008
Subject: F-Prot use not appearing in log file
In-Reply-To: <47C7290E.20700@crucis.net>
References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net>
Message-ID:

on 2-28-2008 1:35 PM Mike - W0TMW spake the following:
> Julian Field wrote:
>>
>>
>> Mike - W0TMW wrote:
>>> I've installed MS 4.66 on a new box and thanks to others here gotten
>>> it running. I have noticed something odd.
>>>
>>> I have clamav and f-prot installed for virus scanning. I have an
>>> older version of MS running on another box also with clamav and
>>> f-prot. On that older box, when an e-mail is being scanned, I see in
>>> the log that clamav and f-prot are used. On the new box however, I
>>> only see clamav mentioned. Both virus scanners are found when MS is
>>> started.
>>>
>>> Is f-prot being used and just not logged?
>> That shouldn't be possible.
>> What does "MailScanner --lint" say?
>> If you add "eicar" to Non-Forging Viruses list, then you should
>> receive a notification when you send a copy of Eicar through it. That
>> will tell you for definite which virus scanners are finding Eicar.
>>
>> Please let me know how you get on with this.
>>
>> Jules
>>
> Here's the dump from MailScanner --lint.
>
> [root@cygni ~]# MailScanner --lint
> Trying to setlogsock(unix)
> Checking version numbers...
> Version number in MailScanner.conf (4.66.5) is correct.
>
> Your setting "Mail Header" contains illegal characters.
> This is most likely caused by your "%org-name%" setting
> which must not contain and "." or "_" characters as
> these are known to cause problems with some mail systems.
>
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-crucis.net-MailScanner-From
>
> MikeW: Hmmm, I wonder if this could be the cause? Continuing...
>

Change your %org-name% to crucis_net instead of crucis.net. That error has
caused many logging problems. And you might as well fix the other error so
spamassassin ignores your locally generated headers.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Thu Feb 28 22:09:18 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 28 22:10:03 2008
Subject: Another attack to fight off
In-Reply-To:
References: <47C6BBD8.61A4.0000.0@caspercollege.edu>
Message-ID: <47C7310E.3020004@ecs.soton.ac.uk>

Exactly what doesn't work?

Vlad Mazek wrote:
> It's escalating too :( which is why I'm trying to do the split queue
> thing but MailScanner has a big bold FIXME where it parses for
> incoming directories..
>
> On 2/28/08, *Daniel Straka*
> wrote:
>
>     I'm seeing Vlad's problem too, only 100% (2x) more than last week,
>     it's unnerving...
>
>     >>> On 2/28/2008 at 1:38 PM, in message , "Vlad Mazek" wrote:
>     > The problem too is that at least here we've seen a 40% increase in message
>     > load specifically in NDRs and null senders over the past 2-3 days. The iron
>     > is starting to turn orange..
>     >
>     > -Vlad
>     >
>     > On 2/28/08, Scott Silva wrote:
>     >>
>     >> on 2-28-2008 9:39 AM Kevin Miller spake the following:
>     >>
>     >> > Scott Silva wrote:
>     >> >> I see a new reason to block OoO replies;
>     >> >>
>     >> >> It seems that spammers are using legitimate webmail accounts to
>     >> >> bounce their garbage via OoO replies. Just fake the sender, and
>     >> >> suddenly you have spam with legitimate DKIM sigs, valid SPF, and
>     >> >> maybe even whitelists.
>     >> >>
>     >> >> http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html
>     >> >> Filthy spammers!
>     >> >
>     >> > Dang those boys are clever. Imagine if they turned their creativity to
>     >> > world peace and cheap, clean energy. Too bad there's no money in that.
>     >> >
>     >> > So how are you blocking Oo0 replies? There a spamassassin ruleset for
>     >> > that or what?
>     >>
>     >>
>
>     --
>     MailScanner mailing list
>     mailscanner@lists.mailscanner.info
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>     Before posting, read http://wiki.mailscanner.info/posting
>
>     Support MailScanner development - buy the book off the website!
>
>
> --
>
> -Vlad

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dstraka at caspercollege.edu Thu Feb 28 22:15:33 2008
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Thu Feb 28 22:16:24 2008
Subject: Another attack to fight off
In-Reply-To: <47C72FCB.2070304@pixelhammer.com>
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C72FCB.2070304@pixelhammer.com>
Message-ID: <47C6D015.61A4.0000.0@caspercollege.edu>

Can we use MailScanner to delete the incoming messages with "from=<>" in
them? Would that be practical?

Dan

>>> On 2/28/2008 at 3:03 PM, in message <47C72FCB.2070304@pixelhammer.com>, DAve wrote:
> Vlad Mazek wrote:
>> It's escalating too :( which is why I'm trying to do the split queue
>> thing but MailScanner has a big bold FIXME where it parses for incoming
>> directories..
>>
>> On 2/28/08, *Daniel Straka*
>> wrote:
>>
>>     I'm seeing Vlad's problem too, only 100% (2x) more than last week,
>>     it's unnerving...
>
> Just out of curiosity I checked one server and grabbed these stats.
> Nothing more scientific than a grep of the mail logs for " from=<> "
>
> Todays total so far, followed by the last eight days.
> 19,485
> 18,818
> 28,619
> 5,461
> 1,658
> 994
> 1,140
> 1,097
> 810
> 1,546
>
> yea, I would say it is a problem now.
>
> DAve
>

From MailScanner at ecs.soton.ac.uk Thu Feb 28 22:19:11 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 28 22:23:34 2008
Subject: F-Prot use not appearing in log file
In-Reply-To: <47C7290E.20700@crucis.net>
References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net>
Message-ID: <47C7335F.7010004@ecs.soton.ac.uk>

Mike - W0TMW wrote:
> Julian Field wrote:
>>
>>
>> Mike - W0TMW wrote:
>>> I've installed MS 4.66 on a new box and thanks to others here gotten
>>> it running. I have noticed something odd.
>>>
>>> I have clamav and f-prot installed for virus scanning. I have an
>>> older version of MS running on another box also with clamav and
>>> f-prot. On that older box, when an e-mail is being scanned, I see
>>> in the log that clamav and f-prot are used. On the new box however,
>>> I only see clamav mentioned. Both virus scanners are found when MS
>>> is started.
>>>
>>> Is f-prot being used and just not logged?
>> That shouldn't be possible.
>> What does "MailScanner --lint" say?
>> If you add "eicar" to Non-Forging Viruses list, then you should
>> receive a notification when you send a copy of Eicar through it. That
>> will tell you for definite which virus scanners are finding Eicar.
>>
>> Please let me know how you get on with this.
>>
>> Jules
>>
> Here's the dump from MailScanner --lint.
>
> [root@cygni ~]# MailScanner --lint
> Trying to setlogsock(unix)
> Checking version numbers...
> Version number in MailScanner.conf (4.66.5) is correct.
>
> Your setting "Mail Header" contains illegal characters.
> This is most likely caused by your "%org-name%" setting
> which must not contain and "." or "_" characters as
> these are known to cause problems with some mail systems.
>
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-crucis.net-MailScanner-From
>
> MikeW: Hmmm, I wonder if this could be the cause? Continuing...
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin reported no errors.
> MailScanner.conf says "Virus Scanners = f-prot clamav"
> Found these virus scanners installed: clamav, f-prot
> ===========================================================================
>
> ===========================================================================
>
> Virus Scanner test reports:
> F-Prot said "./1/eicar.com Infection: EICAR_Test_File"
> ClamAV said "eicar.com contains Eicar-Test-Signature"
>
> If any of your virus scanners (clamav,f-prot)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
> [root@cygni ~]#
>
> Mike W: However, maillog only shows...
>
> [root@cygni ~]# tail -50 /var/log/maillog
> Feb 28 14:22:50 cygni MailScanner[21967]: Read 5752 hostnames from the phishing blacklist
> Feb 28 14:22:50 cygni MailScanner[21967]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Feb 28 14:22:50 cygni MailScanner[21967]: Using SpamAssassin results cache
> Feb 28 14:22:50 cygni MailScanner[21967]: Connected to SpamAssassin cache database
> Feb 28 14:22:50 cygni MailScanner[21967]: Enabling SpamAssassin auto-whitelist functionality...
> Feb 28 14:22:52 cygni MailScanner[21967]: ClamAV scanner using unrar command /usr/bin/unrar
> Feb 28 14:22:52 cygni MailScanner[21967]: Using locktype = posix
> Feb 28 14:22:52 cygni MailScanner[21967]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
> Feb 28 14:22:55 cygni MailScanner[21968]: MailScanner E-Mail Virus Scanner version 4.66.5 starting...
> Feb 28 14:22:55 cygni MailScanner[21968]: Read 814 hostnames from the phishing whitelist
> Feb 28 14:22:55 cygni MailScanner[21968]: Read 5752 hostnames from the phishing blacklist
> Feb 28 14:22:55 cygni MailScanner[21968]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Feb 28 14:22:55 cygni MailScanner[21968]: Using SpamAssassin results cache
> Feb 28 14:22:55 cygni MailScanner[21968]: Connected to SpamAssassin cache database
> Feb 28 14:22:55 cygni MailScanner[21968]: Enabling SpamAssassin auto-whitelist functionality...
> Feb 28 14:22:57 cygni MailScanner[21968]: ClamAV scanner using unrar command /usr/bin/unrar
> Feb 28 14:22:57 cygni MailScanner[21968]: Using locktype = posix
> Feb 28 14:22:57 cygni MailScanner[21968]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
> Feb 28 14:49:35 cygni sendmail[22232]: m1SKnYAV022232: from=, size=1444, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
> Feb 28 14:49:35 cygni sendmail[22233]: m1SKnZWi022233: from=, size=1444, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=localhost6.localdomain6 [127.0.0.1]
> Feb 28 14:49:36 cygni MailScanner[21934]: New Batch: Scanning 2 messages, 3854 bytes
> Feb 28 14:49:36 cygni MailScanner[21934]: Spam Checks: Starting
> Feb 28 14:49:47 cygni MailScanner[21934]: Message m1SKnZWi022233 from 127.0.0.1 (xxx-announce-bounces@crucis.net) to crucis.net is not spam, SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam, ALL_TRUSTED -1.44)
> Feb 28 14:49:56 cygni MailScanner[21934]: Message m1SKnYAV022232 from 127.0.0.1 (xxx-announce-bounces@crucis.net) to crucis.net is not spam, SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam, ALL_TRUSTED -1.44)
> Feb 28 14:49:56 cygni MailScanner[21934]: Spam Checks completed at 197 bytes per second
> Feb 28 14:49:56 cygni MailScanner[21934]: Virus and Content Scanning: Starting
> Feb 28 14:50:00 cygni MailScanner[21934]: Virus Scanning completed at 821 bytes per second
> Feb 28 14:50:00 cygni MailScanner[21934]: Uninfected: Delivered 2 messages
> Feb 28 14:50:00 cygni MailScanner[21934]: Virus Processing completed at 75732 bytes per second
> Feb 28 14:50:00 cygni MailScanner[21934]: Batch completed at 158 bytes per second (3854 / 24)
> Feb 28 14:50:00 cygni MailScanner[21934]: Batch (2 messages) processed in 24.26 seconds
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward /home/yyy/.forward.cygni: World writable directory
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: forward /home/yyy/.forward: World writable directory
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnZWi022233: to=, delay=00:00:25, xdelay=00:00:00, mailer=local, pri=121444, dsn=2.0.0, stat=Sent
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward /home/zzz/.forward.cygni: World writable directory
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: forward /home/zzz/.forward: World writable directory
> Feb 28 14:50:00 cygni sendmail[22257]: m1SKnYAV022232: to=, delay=00:00:25, xdelay=00:00:00, mailer=local, pri=121444, dsn=2.0.0, stat=Sent
> Feb 28 15:01:02 cygni update.bad.phishing.sites: Delaying cron job up to 600 seconds
> Feb 28 15:05:31 cygni update.bad.phishing.sites: Phishing bad sites list updated
> Feb 28 15:05:31 cygni update.virus.scanners: Delaying cron job up to 600 seconds
> Feb 28 15:12:03 cygni update.virus.scanners: Found clamav installed
> Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for clamav
> Feb 28 15:12:03 cygni ClamAV-autoupdate[22465]: ClamAV updater /usr/local/bin/freshclam cannot be run
> Feb 28 15:12:03 cygni update.virus.scanners: Found f-prot installed
> Feb 28 15:12:03 cygni update.virus.scanners: Running autoupdate for f-prot
> Feb 28 15:12:04 cygni F-Prot autoupdate[22488]: F-Prot did not need updating.
> Feb 28 15:12:04 cygni update.virus.scanners: Found generic installed
> Feb 28 15:12:04 cygni update.virus.scanners: Running autoupdate for generic
> Feb 28 15:22:20 cygni MailScanner[22620]: MailScanner E-Mail Virus Scanner version 4.66.5 starting...
> Feb 28 15:23:33 cygni MailScanner[22713]: MailScanner E-Mail Virus Scanner version 4.66.5 starting...
> [root@cygni ~]#

I really don't understand this lack of logging, though in this case it may not be finding the F-Prot scanner at all for some other reason.

With my F-Prot scanner in use, I get this in my mail log:

Feb 28 22:15:01 alegria MailScanner[5466]: Virus Scanning: ClamAVModule found 9 infections
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.com Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.zip->eicar.com Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236.message->eicar.rar3a->eicar.com Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar1.com Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.zip->eicar.com Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.com Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.com Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.rar3a->eicar.com Infection: EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found 9 infections

All of which clearly shows it working just fine.
In my MailScanner.conf, I have these settings, please check them against yours:

Log Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Silent Viruses = HTML-IFrame All-Viruses

Which does of course make the point that if your viruses are "silent" then they won't be logged by default. Try switching on "Log Silent Viruses" and see what changes.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From v at vladville.com Thu Feb 28 22:43:16 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 28 22:43:51 2008
Subject: Another attack to fight off
In-Reply-To: <47C7310E.3020004@ecs.soton.ac.uk>
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C7310E.3020004@ecs.soton.ac.uk>
Message-ID:

MailScanner doesn't seem to want to accept multiple incoming queues with sendmail.

Incoming Queue Dir =

doesn't seem to take anything other than a single directory. Documentation indicates it should take filesets but that doesn't work

Starting MailScanner daemons:
incoming sendmail: 451 4.0.0 can not chdir(/etc/MailScanner/rules/mqueue.in.list.conf/): Not a directory
[ OK ]

(I tried %rules-dir%/mqueue.in.list.conf, permissions are ok, the file contains the queue dir's one per line, etc all looks sane)

-Vlad

On 2/28/08, Julian Field wrote:
>
> Exactly what doesn't work?
>
>
> Vlad Mazek wrote:
> > It's escalating too :( which is why I'm trying to do the split queue
> > thing but MailScanner has a big bold FIXME where it parses for
> > incoming directories..
> >
> > On 2/28/08, *Daniel Straka* wrote:
> >
> > I'm seeing Vlad's problem too, only 100% (2x) more than last week,
> > it's unnerving...
> >
> > >>> On 2/28/2008 at 1:38 PM, in message
> > "Vlad Mazek" wrote:
> > > The problem too is that at least here we've seen a 40% increase in message
> > > load specifically in NDRs and null senders over the past 2-3 days. The iron
> > > is starting to turn orange..
> > >
> > > -Vlad
> > >
> > > On 2/28/08, Scott Silva wrote:
> > >>
> > >> on 2-28-2008 9:39 AM Kevin Miller spake the following:
> > >>
> > >> > Scott Silva wrote:
> > >> >> I see a new reason to block OoO replies;
> > >> >>
> > >> >> It seems that spammers are using legitimate webmail accounts to
> > >> >> bounce their garbage via OoO replies. Just fake the sender, and
> > >> >> suddenly you have spam with legitimate DKIM sigs, valid SPF, and
> > >> >> maybe even whitelists.
> > >> >>
> > >> >> http://www.networkworld.com/news/2008/022608-out-of-office-messages-turned.html
> > >> >> Filthy spammers!
> > >> >
> > >> > Dang those boys are clever. Imagine if they turned their creativity to
> > >> > world peace and cheap, clean energy. Too bad there's no money in that.
> > >> >
> > >> > So how are you blocking Oo0 replies? There a spamassassin ruleset for
> > >> > that or what?
> >
> > -Vlad
>
> Jules

From raymond at prolocation.net Thu Feb 28 22:51:27 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Thu Feb 28 22:52:21 2008
Subject: Another attack to fight off
In-Reply-To: <47C6D015.61A4.0000.0@caspercollege.edu>
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C72FCB.2070304@pixelhammer.com> <47C6D015.61A4.0000.0@caspercollege.edu>
Message-ID:

Hi!

> Can we use MailScanner to delete the incoming messages with "from=<>"
> in them? Would that be practical?

If you want to delete bounces, tell your mailer to do that.

Bye,
Raymond.

From v at vladville.com Thu Feb 28 23:26:47 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 28 23:27:21 2008
Subject: Another attack to fight off
In-Reply-To:
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C72FCB.2070304@pixelhammer.com> <47C6D015.61A4.0000.0@caspercollege.edu>
Message-ID:

Keep in mind that rejecting/deleting these violates RFC.. But if you're desperate, change:

R<>	$@ < @ >	MAIL FROM:<> case

to:

R<>	$#error $@ 5.1.3 $: "RFC Ignorant, and proud of it!"

-Vlad

On 2/28/08, Raymond Dijkxhoorn wrote:
>
> Hi!
>
> > Can we use MailScanner to delete the incoming messages with "from=<>"
> > in them? Would that be practical?
>
> If you want to delete bounces, tell your mailer to do that.
>
> Bye,
>
> Raymond.

From alex at nkpanama.com Thu Feb 28 23:32:24 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Thu Feb 28 23:33:53 2008
Subject: Another attack to fight off
In-Reply-To:
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C72FCB.2070304@pixelhammer.com> <47C6D015.61A4.0000.0@caspercollege.edu>
Message-ID: <471E170F-7E73-43E4-B2CA-03CDB78C4EA5@nkpanama.com>

Any way to do this in "sendmail.mc" instead of "sendmail.cf"?

On Feb 28, 2008, at 6:26 PM, Vlad Mazek wrote:

> R<>	$#error $@ 5.1.3 $: "RFC Ignorant, and proud of it!"

From mikew at crucis.net Fri Feb 29 01:05:31 2008
From: mikew at crucis.net (Mike Watson)
Date: Fri Feb 29 01:06:29 2008
Subject: F-Prot use not appearing in log file
In-Reply-To: <47C7335F.7010004@ecs.soton.ac.uk>
References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net> <47C7335F.7010004@ecs.soton.ac.uk>
Message-ID: <47C75A5B.709@crucis.net>

Julian Field wrote:
| In my MailScanner.conf, I have these settings, please check them against
| yours:
|
| Log Silent Viruses = no
| Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
| Silent Viruses = HTML-IFrame All-Viruses
|
| Which does of course make the point that if your viruses are "silent"
| then they won't be logged by default. Try switching on "Log Silent
| Viruses" and see what changes.
|
| Jules
|

My config is the same as yours. I turned on Log Silent Viruses and will run another test.

Mike W

From mikew at crucis.net Fri Feb 29 01:31:51 2008
From: mikew at crucis.net (Mike Watson)
Date: Fri Feb 29 01:32:46 2008
Subject: F-Prot use not appearing in log file
In-Reply-To: <47C75A5B.709@crucis.net>
References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net> <47C7335F.7010004@ecs.soton.ac.uk> <47C75A5B.709@crucis.net>
Message-ID: <47C76087.5070703@crucis.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Watson wrote:
| Julian Field wrote:
| | > Feb 28 15:23:33 cygni MailScanner[22713]: MailScanner E-Mail Virus | | > Scanner version 4.66.5 starting... | | > [root@cygni ~]# | | I really don't understand this lack of logging, though in this case it | | may not be finding the F-Prot scanner at all for some other reason. | | | | With my F-Prot scanner in use, I get this in my mail log: | | | | Feb 28 22:15:01 alegria MailScanner[5466]: Virus Scanning: ClamAVModule | | found 9 infections | | Feb 28 22:15:02 alegria MailScanner[5466]: | | /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.com | Infection: EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | virus EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: | | /var/spool/MailScanner/incoming/5466/gBJNiNQG014777.message->eicar.zip->eicar.com | | Infection: EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | virus EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: | | /var/spool/MailScanner/incoming/5466/j279YpRC016236.message->eicar.rar3a->eicar.com | | Infection: EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | virus EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: | | /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar1.com | Infection: EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | virus EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: | | /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.zip->eicar.com | Infection: EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | virus EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: | | /var/spool/MailScanner/incoming/5466/gBJNiNQG014777/eicar.com | Infection: EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | virus EICAR_Test_File | | Feb 28 
22:15:02 alegria MailScanner[5466]: | | /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.com | Infection: EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | virus EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: | | /var/spool/MailScanner/incoming/5466/j279YpRC016236/eicar.rar3a->eicar.com | Infection: EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | virus EICAR_Test_File | | Feb 28 22:15:02 alegria MailScanner[5466]: Virus Scanning: F-Prot found | | 9 infections | | | | All of which clearly shows it working just fine. | | In my MailScanner.conf, I have these settings, please check them against | | yours: | | | | Log Silent Viruses = no | | Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar | | Silent Viruses = HTML-IFrame All-Viruses | | | | Which does of course make the point that if your viruses are "silent" | | then they won't be logged by default. Try switching on "Log Silent | | Viruses" and see what changes. | | | | Jules | | | My config is the same as yours. I turned on Log Silent Viruses and will run another test. | | Mike W I've been doing more tests. Turning on Silent Virus logging made no change to the issue other than seeing the Silent Virus message appear in maillog. I modified MailScanner.conf to more clamav as an anti-virus choice. I had specified "f-prot clamav" explicitly in the config. I deleted clamav leaving f-prot and ran the eicar test. Eicar was NOT detected. I then changed the config file entry to read "auto". Both clamav and F-prot were found according to maillog, but as previous, only clamav was logged as finding eicar. So, f-prot is being found but not executed. F-prot is version 4.6.8, engine 3.16.16. I just downloaded from the f-prot website last week. Any thoughts? 
Mike W -- This message has been scanned for viruses and dangerous content by MailScanner@CYGNI, and is believed to be clean. From mikew at crucis.net Fri Feb 29 01:43:53 2008
From: mikew at crucis.net (Mike Watson) Date: Fri Feb 29 01:44:21 2008 Subject: F-Prot use not appearing in log file In-Reply-To: References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net> Message-ID: <47C76359.3030300@crucis.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: | on 2-28-2008 1:35 PM Mike - W0TMW spake the following: |> Julian Field wrote: |>> |>> |>> Mike - W0TMW wrote: |>>> I've installed MS 4.66 on a new box and thanks to others here gotten it running. I have noticed something odd. |>>> |>>> I have clamav and f-prot installed for virus scanning. I have an older version of MS running on another box also with clamav and f-prot. On that older box, when an e-mail is being scanned, I see in the log that clamav and f-prot are used. On the new box however, I only see clamav mentioned. Both virus scanners are found when MS is started. |>>> |>>> Is f-prot being used and just not logged? |>> That shouldn't be possible. |>> What does "MailScanner --lint" say? |>> If you add "eicar" to Non-Forging Viruses list, then you should receive a notification when you send a copy of Eicar through it. That will tell you for definite which virus scanners are finding Eicar. |>> |>> Please let me know how you get on with this. |>> |>> Jules |>> |> Here's the dump from MailScanner --lint. |> |> [root@cygni ~]# MailScanner --lint |> Trying to setlogsock(unix) |> Checking version numbers... |> Version number in MailScanner.conf (4.66.5) is correct. |> |> Your setting "Mail Header" contains illegal characters. |> This is most likely caused by your "%org-name%" setting |> which must not contain and "." or "_" characters as |> these are known to cause problems with some mail systems. |> |> |> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf |> ERROR: is not correct, it should match X-crucis.net-MailScanner-From |> |> MikeW: Hmmm, I wonder if this could be the cause? Continuing... 
|> | | Change your %org-name% to crucis_net instead of crucis.net. That error has caused many logging problems. | And you might as well fix the other error so spamassassin ignores your locally generated headers. Replaced the "." with a "_", but no change. F-prot still not being executed although clamav is. mw -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD4DBQFHx2NWakodlddMd1ARAq2pAJ99W1+dDLPkGOBrYJUePQ9WLtiFhACY2nJP jjtTpBXd0UfIlfHCuqtRgA== =HTr3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner@CYGNI, and is believed to be clean. From dave.list at pixelhammer.com Fri Feb 29 03:56:51 2008 From: dave.list at pixelhammer.com (DAve) Date: Fri Feb 29 03:57:36 2008 Subject: Off Topic: I had a good day Message-ID: <47C78283.7090808@pixelhammer.com> Sorry for the off topic post but I just have to tell someone. I have a house full of teenagers twice a week. I let my sons band practice downstairs, full drum kit and amps, the whole shootin match. I give them a place to practice, make them dinner, fix their guitars, tell them to drive careful when they leave. This has been Thursday and Sunday nights for almost a year. Funny thing happened tonight after practice. My wife called me downstairs and all the kids were in the kitchen. In the middle of the floor was a new hardcase with a New Haven made Ovation six string guitar. They had saved their money since November and pooled it together to get me something they said I wouldn't spend the money on for myself. It was their way of saying thanks. I nearly cried. The next generation is going to be just fine. DAve -- Google finally, after 7 years, provided a logo for veterans. Thank you Google. What to do with my signature now? From hvdkooij at vanderkooij.org Fri Feb 29 07:03:00 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Feb 29 07:04:07 2008 Subject: OT: Signed messages Message-ID: <47C7AE24.2010802@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mike and all those that sign their messages. Can you please verify you have uploaded your pgp public key to the public key servers? Or include a link in your tagline. Not much use to sign messages if your public key is not public ;-) Thanks, Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHx64iBvzDRVjxmYERAiq0AJ9Tnw+ORZkYqrHGgxoSWQcTPSNedACffZPp cjZv9L4doO067v3pcBcTa+E= =/u4D -----END PGP SIGNATURE----- From uxbod at splatnix.net Fri Feb 29 07:46:04 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 29 07:46:56 2008 Subject: Off Topic: I had a good day In-Reply-To: <47C78283.7090808@pixelhammer.com> Message-ID: <13997047.01204271164879.JavaMail.root@office.splatnix.net> That's really nice. Good things come to those who care about others. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "DAve" wrote: > Sorry for the off topic post but I just have to tell someone. > > I have a house full of teenagers twice a week. I let my sons band > practice downstairs, full drum kit and amps, the whole shootin match. > I > give them a place to practice, make them dinner, fix their guitars, > tell > them to drive careful when they leave. This has been Thursday and > Sunday > nights for almost a year. > > Funny thing happened tonight after practice. My wife called me > downstairs and all the kids were in the kitchen. In the middle of the > > floor was a new hardcase with a New Haven made Ovation six string > guitar. They had saved their money since November and pooled it > together > to get me something they said I wouldn't spend the money on for > myself. > It was their way of saying thanks. I nearly cried. > > The next generation is going to be just fine. > > DAve -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Fri Feb 29 08:42:04 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 29 08:42:43 2008 Subject: Email Statistics In-Reply-To: <1204212885.16353.33.camel@gblades-suse.linguaphone-intranet.co.uk> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> <1204207905.16349.27.camel@gblades-suse.linguaphone-intranet.co.uk> <1204212885.16353.33.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700802290042i4f7b8658wee02a0b6f7cdb73c@mail.gmail.com> On 28/02/2008, Gareth wrote: > Oops I thought you meant the spam detection rate and not the overall > percentage of spam you receive. > > I think we receive about 40% spam but I do have the spamhaus RBL > configured in postfix which rejects about 80% of spam before receipt. At which point one can start looking at one's pflogsumm stats and combining with the MW figures...:-). That's what I do, when reporting to "the powers that be"... Relevant for them to know exactly how protected they are:-). And put a stop to the whining about the occasional FN. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Feb 29 09:32:47 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 29 09:33:37 2008 Subject: F-Prot use not appearing in log file In-Reply-To: <47C76359.3030300@crucis.net> References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net> <47C76359.3030300@crucis.net> Message-ID: <47C7D13F.90507@ecs.soton.ac.uk> Mike Watson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Scott Silva wrote: > | on 2-28-2008 1:35 PM Mike - W0TMW spake the following: > |> Julian Field wrote: > |>> > |>> > |>> Mike - W0TMW wrote: > |>>> I've installed MS 4.66 on a new box and thanks to others here > gotten it running. I have noticed something odd. > |>>> > |>>> I have clamav and f-prot installed for virus scanning. I have an > older version of MS running on another box also with clamav and > f-prot. On that older box, when an e-mail is being scanned, I see in > the log that clamav and f-prot are used. On the new box however, I > only see clamav mentioned. Both virus scanners are found when MS is > started. > |>>> > |>>> Is f-prot being used and just not logged? > |>> That shouldn't be possible. > |>> What does "MailScanner --lint" say? > |>> If you add "eicar" to Non-Forging Viruses list, then you should > receive a notification when you send a copy of Eicar through it. That > will tell you for definite which virus scanners are finding Eicar. > |>> > |>> Please let me know how you get on with this. > |>> > |>> Jules > |>> > |> Here's the dump from MailScanner --lint. > |> > |> [root@cygni ~]# MailScanner --lint > |> Trying to setlogsock(unix) > |> Checking version numbers... > |> Version number in MailScanner.conf (4.66.5) is correct. > |> > |> Your setting "Mail Header" contains illegal characters. > |> This is most likely caused by your "%org-name%" setting > |> which must not contain and "." or "_" characters as > |> these are known to cause problems with some mail systems. 
> |> > |> > |> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > |> ERROR: is not correct, it should match X-crucis.net-MailScanner-From > |> > |> MikeW: Hmmm, I wonder if this could be the cause? Continuing... > |> > | > | Change your %org-name% to crucis_net instead of crucis.net. That > error has caused many logging problems. > | And you might as well fix the other error so spamassassin ignores > your locally generated headers. > Replaced the "." with a "_", but no change. F-prot still not being > executed although clamav is. Have you checked your /etc/MailScanner.conf recently? A new version of F-Prot appeared with a totally new output format. There is now the "f-prot-6" scanner which you should have in your "Virus Scanners" setting. It's mentioned in the comments above. > > mw > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD4DBQFHx2NWakodlddMd1ARAq2pAJ99W1+dDLPkGOBrYJUePQ9WLtiFhACY2nJP > jjtTpBXd0UfIlfHCuqtRgA== > =HTr3 > -----END PGP SIGNATURE----- > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From gmatt at nerc.ac.uk Fri Feb 29 11:38:41 2008 
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Fri Feb 29 11:39:45 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> <47C6F386.3080509@nerc.ac.uk> <47C70B6F.6070701@ecs.soton.ac.uk> Message-ID: <47C7EEC1.4000709@nerc.ac.uk> Scott, Julian... Scott Silva wrote: > on 2-28-2008 11:28 AM Julian Field spake the following: >> Sure. Please gzip it first. Is all the other logging working okay? >> Does it happen only with exactly this set? >> Virus Scanners = clamavmodule >> Exactly what log entries don't arrive in your syslog (when compared to >> using a different virus scanner)? >> >> Jules >> > Sorry Julian, > I think Greg wanted a copy of mine to see if he had differences, at > least that is what I inferred. > Got your SweepViruses.pm and the only difference between yours and mine is the patch I posted to correct the log entries (ie using "ClamAVModule" instead of $Name). I've compared your MailScanner -V output and there are a few minor differences, most significant is probably Mail::ClamAV - you are using 0.20 and I'm using 0.21. This may be a dead end tho as my test and dev host also runs with 0.21 and doesn't have this problem. Julian, this is only happening on my production servers so I can't easily take out the other AV engines. The missing content was described at the start of this thread. Here is an example from sending the Eicar test virus through: Feb 29 11:32:26 mailr-w MailScanner[609]: SophosSAVI::INFECTED:: EICAR-AV-Test:: ./m1TBUQc2032625/eicar.com Feb 29 11:32:30 mailr-w MailScanner[609]: ::INFECTED:: Eicar-Test-Signature:: ./m1TBUQc2032625/eicar.com Feb 29 11:32:52 mailr-w MailScanner[609]: m1TBUQc2032625/eicar.com:infected: EICAR-Test-File (not a virus) Sophos and Bitdefender log as expected but the clamavmodule logging is missing the "ClamAVModule" part. 
It should read "ClamAVModule::INFECTED..." Attached is the MailScanner -V output. Peculiar behaviour - let me know if you want access to one of the affected hosts. GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. -------------- next part -------------- A non-text attachment was scrubbed... Name: ms-vers.txt.gz Type: application/x-gzip Size: 928 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080229/c0f5fff1/ms-vers.txt.gz From rgreen at trayerproducts.com Fri Feb 29 12:06:45 2008 
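Added example (not part of any list message and not MailScanner's own code): a log audit for the two symptoms discussed in the F-Prot and ClamAVModule threads above, namely a configured scanner that never logs a detection after an EICAR test, and an "::INFECTED::" entry with no scanner name in front of it. The sample log lines are constructed on the model of the lines quoted in the thread, and matching a "Virus Scanners" name to its log label by ignoring case and punctuation is an assumption.

```python
"""Audit a mail log after an EICAR test: which configured scanners reported?

Added illustration, not MailScanner code. Both log shapes are taken from
the lines quoted in the thread; the hosts and message ids are constructed.
"""
import re

# Detail line, e.g. "SophosSAVI::INFECTED:: EICAR-AV-Test:: ./id/eicar.com".
# The scanner name may be empty, which is the symptom Greg reports.
DETAIL = re.compile(
    r"MailScanner\[\d+\]: (?P<scanner>[\w-]*)::INFECTED::"
    r"\s*(?P<sig>[^:]+)::\s*(?P<path>\S+)"
)
# Summary line, e.g. "Virus Scanning: F-Prot found virus EICAR_Test_File"
# or "Virus Scanning: ClamAVModule found 9 infections".
SUMMARY = re.compile(
    r"MailScanner\[\d+\]: Virus Scanning: (?P<scanner>[\w-]+) found "
    r"(?:virus \S+|\d+ infections?)"
)


def normalise(name):
    """Assumption: config names and log labels differ only in case/punctuation."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit(log_text, virus_scanners_setting):
    """Compare the 'Virus Scanners' setting with the scanners seen in the log.

    Returns a dict with:
      reporting    - normalised scanner names that logged a detection
      silent       - configured scanners that logged nothing
      unattributed - detection lines carrying no scanner name
    """
    configured = virus_scanners_setting.split()
    reporting, unattributed = set(), []
    for line in log_text.splitlines():
        match = DETAIL.search(line) or SUMMARY.search(line)
        if not match:
            continue
        scanner = match.group("scanner")
        if scanner:
            reporting.add(normalise(scanner))
        else:
            unattributed.append(line.strip())
    silent = [s for s in configured if normalise(s) not in reporting]
    return {
        "reporting": sorted(reporting),
        "silent": silent,
        "unattributed": unattributed,
    }


# Constructed sample: every configured scanner reports the test file.
HEALTHY_LOG = """
Feb 28 22:15:01 mx2 MailScanner[5466]: Virus Scanning: ClamAVModule found 9 infections
Feb 28 22:15:02 mx2 MailScanner[5466]: Virus Scanning: F-Prot found virus EICAR_Test_File
Feb 28 22:15:02 mx2 MailScanner[5466]: Virus Scanning: F-Prot found 9 infections
Feb 28 22:15:03 mx2 MailScanner[5466]: Virus Scanning completed at 821 bytes per second
"""

# Constructed sample: one scanner never reports, one entry has lost its name.
BROKEN_LOG = """
Feb 29 11:32:26 mx1 MailScanner[609]: Virus and Content Scanning: Starting
Feb 29 11:32:26 mx1 MailScanner[609]: SophosSAVI::INFECTED:: EICAR-AV-Test:: ./msg0001/eicar.com
Feb 29 11:32:30 mx1 MailScanner[609]: ::INFECTED:: Eicar-Test-Signature:: ./msg0001/eicar.com
"""

if __name__ == "__main__":
    for label, log, setting in (
        ("healthy", HEALTHY_LOG, "f-prot clamavmodule"),
        ("broken", BROKEN_LOG, "f-prot clamavmodule sophossavi"),
    ):
        result = audit(log, setting)
        print(label, "silent:", result["silent"],
              "unattributed:", len(result["unattributed"]))
```

A scanner listed under "silent" after a known-bad test file went through is either not being run or is producing output that is not being parsed, so mail is getting less scanning than the configuration suggests.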
From: rgreen at trayerproducts.com (Rodney Green) Date: Fri Feb 29 12:07:16 2008 Subject: Off Topic: I had a good day In-Reply-To: <47C78283.7090808@pixelhammer.com> References: <47C78283.7090808@pixelhammer.com> Message-ID: <47C7F555.7010401@trayerproducts.com> Very cool! Thanks for sharing this with us! DAve wrote: > Sorry for the off topic post but I just have to tell someone. > > I have a house full of teenagers twice a week. I let my sons band > practice downstairs, full drum kit and amps, the whole shootin match. > I give them a place to practice, make them dinner, fix their guitars, > tell them to drive careful when they leave. This has been Thursday and > Sunday nights for almost a year. > > Funny thing happened tonight after practice. My wife called me > downstairs and all the kids were in the kitchen. In the middle of the > floor was a new hardcase with a New Haven made Ovation six string > guitar. They had saved their money since November and pooled it > together to get me something they said I wouldn't spend the money on > for myself. It was their way of saying thanks. I nearly cried. > > The next generation is going to be just fine. > > DAve -- Rodney Green Network Administrator Trayer Products, Inc. /rgreen@trayerproducts.com / /607-734-8124 Ext. 343 Security+ Certified / "The Internet is a telephone system that's gotten uppity." - Clifford Stoll -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dyioulos at firstbhph.com Fri Feb 29 13:19:53 2008 
From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Fri Feb 29 13:20:45 2008 Subject: Off Topic: I had a good day In-Reply-To: <47C78283.7090808@pixelhammer.com> References: <47C78283.7090808@pixelhammer.com> Message-ID: <200802290819.55069.dyioulos@firstbhph.com> On Thursday 28 February 2008 10:56 pm, DAve wrote: > Sorry for the off topic post but I just have to tell someone. > > I have a house full of teenagers twice a week. I let my sons band > practice downstairs, full drum kit and amps, the whole shootin match. I > give them a place to practice, make them dinner, fix their guitars, tell > them to drive careful when they leave. This has been Thursday and Sunday > nights for almost a year. > > Funny thing happened tonight after practice. My wife called me > downstairs and all the kids were in the kitchen. In the middle of the > floor was a new hardcase with a New Haven made Ovation six string > guitar. They had saved their money since November and pooled it together > to get me something they said I wouldn't spend the money on for myself. > It was their way of saying thanks. I nearly cried. > > The next generation is going to be just fine. > > DAve > -- > Google finally, after 7 years, provided a logo for > veterans. Thank you Google. What to do with my signature now? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! Several weeks ago, a poster to some list I subscribe to posted an OT bit of humor. Another poster replied something to the effect that there was no place for humor on the list. I most whole-heartedly disagree. While certainly not a list's primary purpose, every once in a while a little humor, or a piece like DAve's, is refreshing. 
Helps keep us in touch with our humanity (well, OK, at least at those times when we're not being god to our end-users :-) ). Some of the best humor and best human-interest stories I've read, have come from the technical mailing lists I subscribe to. We most certainly are an interesting group of folk. Thanks, DAve. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From gmatt at nerc.ac.uk Fri Feb 29 13:35:49 2008 
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Fri Feb 29 13:36:36 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: <47C7EEC1.4000709@nerc.ac.uk> References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> <47C6F386.3080509@nerc.ac.uk> <47C70B6F.6070701@ecs.soton.ac.uk> <47C7EEC1.4000709@nerc.ac.uk> Message-ID: <47C80A35.1040006@nerc.ac.uk> Replying to myself... and top posting too, apologies it just occurred to me that a possibly significant difference between my production and test/dev environments is that the test/dev is 64bit and therefore does not use the SophosSAVI stuff. Instead, it uses plain Sophos. I tried switching from SAVI to plain Sophos in MailScanner.conf on the prod box but MailScanner is still detecting SAVI even tho it uses plain Sophos, and the missing "ClamAVModule" text is still a problem. But, could there be a subtle clash between SophosSAVI and ClamAVModule given that their logging is very similar? GREG Greg Matthews wrote: > > Feb 29 11:32:26 mailr-w MailScanner[609]: SophosSAVI::INFECTED:: > EICAR-AV-Test:: ./m1TBUQc2032625/eicar.com > Feb 29 11:32:30 mailr-w MailScanner[609]: ::INFECTED:: > Eicar-Test-Signature:: ./m1TBUQc2032625/eicar.com > Feb 29 11:32:52 mailr-w MailScanner[609]: > m1TBUQc2032625/eicar.com:infected: EICAR-Test-File (not a virus) > > Sophos and Bitdefender log as expected but the clamavmodule logging is > missing the "ClamAVModule" part. It should read "ClamAVModule::INFECTED..." > > Attached is the MailScanner -V output. > > Peculiar behaviour - let me know if you want access to one of the > affected hosts. > > GREG > -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. 
NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From hfleming at moosebird.net Fri Feb 29 13:49:28 2008 From: hfleming at moosebird.net (Howard Fleming) Date: Fri Feb 29 13:50:22 2008 Subject: Logwatch file being tagged as a virus file and deleted In-Reply-To: <47C71295.9010306@ecs.soton.ac.uk> References: <47C7084D.9040401@moosebird.net> <47C71295.9010306@ecs.soton.ac.uk> Message-ID: <47C80D68.40501@moosebird.net> Hi Jules, Julian Field wrote: >> From: 127.0.0.1 no >> >> to >> >> From: root@messenger.mideasti.org no > That's dangerous. All a spammer (or a virus) has to do is set the sender > address of the message (which is completely under their control) to > root@messenger.mideasti.org and their messages won't be virus-scanned at > all. > > Not a good idea! Correct. :o) However, I have another process that talks to the mail system on 127.0.0.1, which is why I did not set it up on 127.0.0.1 originally, since I want to exclude email from root only. > Change it to this instead: > From: root@messenger.mideasti.org and From: 127.0.0.1 no > and that will be a whole lot safer. Done. > Jules > As for the MailScanner book, I do have a copy, but I think it is time for work to buy a copy so I do not have to keep moving my personal copy back and forth between work and home. Thanks! Howard From anance at SYSSRC.com Fri Feb 29 14:59:16 2008 
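Added example (not part of any list message and not MailScanner's own code): a simplified first-match ruleset evaluator that compares the three rules from the Logwatch exchange above against a local message, a local message from another process, and an outside message with a forged sender. The matching model (a numeric pattern is compared with the client IP, anything else with the sender address, first matching rule wins), the "FromOrTo: default yes" line, the 203.0.113.25 client and the app@ sender are assumptions made for illustration.

```python
"""Simplified model of first-match ruleset evaluation.

Added illustration only: this is not MailScanner's parser. It shows why a
rule keyed on the sender address alone can be satisfied by anyone.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    client_ip: str      # address of the connecting SMTP client
    envelope_from: str  # sender address, freely chosen by that client


def parse_ruleset(text):
    """Return [(conditions, value)], conditions being (direction, pattern) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        *tokens, value = line.split()
        conditions, clause = [], []
        for tok in tokens + ["and"]:  # the trailing "and" flushes the last clause
            if tok.lower() == "and":
                if len(clause) != 2:
                    raise ValueError(f"malformed rule: {raw!r}")
                conditions.append((clause[0].rstrip(":").lower(), clause[1]))
                clause = []
            else:
                clause.append(tok)
        rules.append((conditions, value))
    return rules


def condition_matches(direction, pattern, msg):
    if pattern.lower() == "default":
        return True
    if direction not in ("from", "fromorto"):
        return False  # recipient-only rules are outside this model
    if pattern[0].isdigit():
        # Numeric pattern: exact client IP, or a prefix such as "66.63.168."
        prefix = pattern if pattern.endswith(".") else pattern + "."
        return msg.client_ip == pattern or msg.client_ip.startswith(prefix)
    return msg.envelope_from.lower() == pattern.lower()


def evaluate(ruleset_text, msg, fallback="yes"):
    """Value of the first rule whose conditions all match the message."""
    for conditions, value in parse_ruleset(ruleset_text):
        if all(condition_matches(d, p, msg) for d, p in conditions):
            return value
    return fallback


# The three variants from the thread; the default line is an assumption.
IP_ONLY = "From: 127.0.0.1 no\nFromOrTo: default yes"
SENDER_ONLY = "From: root@messenger.mideasti.org no\nFromOrTo: default yes"
COMBINED = ("From: root@messenger.mideasti.org and From: 127.0.0.1 no\n"
            "FromOrTo: default yes")

# Constructed messages.
LOGWATCH = Message("127.0.0.1", "root@messenger.mideasti.org")
OTHER_LOCAL = Message("127.0.0.1", "app@messenger.mideasti.org")
FORGED = Message("203.0.113.25", "root@messenger.mideasti.org")


def compare():
    """Scan decision ("yes" = scanned) per ruleset and message."""
    table = {}
    for name, ruleset in (("ip_only", IP_ONLY),
                          ("sender_only", SENDER_ONLY),
                          ("combined", COMBINED)):
        table[name] = {
            "logwatch": evaluate(ruleset, LOGWATCH),
            "other_local": evaluate(ruleset, OTHER_LOCAL),
            "forged": evaluate(ruleset, FORGED),
        }
    return table


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:12} {row}")
```

Only the combined rule exempts the Logwatch report while still scanning both the other local process and the outside message that merely claims the root sender address.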
From: anance at SYSSRC.com (Alexander Nance) Date: Fri Feb 29 14:59:54 2008 Subject: Symantec Scan Engine In-Reply-To: <15BDDC14871D2A49BFCEEEF409EB298303EA553E@exchange.SYSSRCAD.SYSSRC.com> References: <15BDDC14871D2A49BFCEEEF409EB298303EA5526@exchange.SYSSRCAD.SYSSRC.com> <15BDDC14871D2A49BFCEEEF409EB298303EA5529@exchange.SYSSRCAD.SYSSRC.com> <47C45CAD.50302@ecs.soton.ac.uk><15BDDC14871D2A49BFCEEEF409EB298303EA552E@exchange.SYSSRCAD.SYSSRC.com><47C4852D.70003@ecs.soton.ac.uk><15BDDC14871D2A49BFCEEEF409EB298303EA5538@exchange.SYSSRCAD.SYSSRC.com> <15BDDC14871D2A49BFCEEEF409EB298303EA553E@exchange.SYSSRCAD.SYSSRC.com> Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA554F@exchange.syssrcad.syssrc.com> Anybody making any headway on this? Can't quite figure out why it never makes it to the sub process. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alexander Nance Sent: Wednesday, February 27, 2008 1:28 PM To: MailScanner discussion Subject: RE: Symantec Scan Engine Doing a little more debugging I added a couple of print to file debugging lines to SweepViruses.pm and found that it never gets to the sub ProcessSymScanEngineOutput. Second item of note is the chomp section is doing a split on '.' instead of './', this will throw off the variables going forward since anything with an attachment would also contain a '.' -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alexander Nance Sent: Tuesday, February 26, 2008 6:08 PM To: MailScanner discussion Subject: RE: Symantec Scan Engine BTW in an effort to debug a little more I added a >>/tmp/log.txt to the symscanengine-wrapper, below is a sample of the output ./1JU8mP-0005Pi-B1/eicar.txt 1 ./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s): File Name: eicar.txt Virus Name: EICAR Test String Virus ID: 11101 Disposition: Infected ./1JU8mP-0005Pi-B1.header 1 ./1JU8mP-0005Pi-B1.header had 1 infection(s): File Name: 1JU8mP-0005Pi-B1.header Virus Name: Malformed container violation Virus ID: -8 Disposition: Infected Virus scan process began : Tue Feb 26 18:00:12 2008 Virus scan process completed : Tue Feb 26 18:00:12 2008 Defs Version = 20080226.002 Commandline Scanner = 4.2.2.8 Total Bytes = 577 (Bytes 577.0000) Elapsed = 0.0810 Scan Rate = 6.96 (Kbytes/sec) Files Excluded = 0 Files Scanned = 2 Directories Scanned = 2 Directories Excluded = 0 Files Skipped = 0 Files Scan Error = 0 Files Infected = 2 No error was found during the scan Infected file(s) list: ./1JU8mP-0005Pi-B1/eicar.txt infected ./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s): File Name: eicar.txt Virus Name: EICAR Test String Virus ID: 11101 Disposition: Infected ./1JU8mP-0005Pi-B1.header infected ./1JU8mP-0005Pi-B1.header had 1 infection(s): File Name: 1JU8mP-0005Pi-B1.header Virus Name: Malformed container violation Virus ID: -8 Disposition: Infected ./1JU8nT-0005Qx-Dm/log.txt 0 ./1JU8nT-0005Qx-Dm.header 1 ./1JU8nT-0005Qx-Dm.header had 1 infection(s): File Name: 1JU8nT-0005Qx-Dm.header Virus Name: Malformed container violation Virus ID: -8 Disposition: Infected Virus scan process began : Tue Feb 26 18:01:20 2008 Virus scan process completed : Tue Feb 26 18:01:20 2008 Defs Version = 20080226.002 Commandline Scanner = 4.2.2.8 Total Bytes = 1802 (Kbytes 1.7598) Elapsed = 0.0810 Scan Rate = 21.73 (Kbytes/sec) 
Files Excluded = 0
Files Scanned = 2
Directories Scanned = 2
Directories Excluded = 0
Files Skipped = 0
Files Scan Error = 0
Files Infected = 1
No error was found during the scan
Infected file(s) list:
./1JU8nT-0005Qx-Dm.header infected
./1JU8nT-0005Qx-Dm.header had 1 infection(s):
File Name: 1JU8nT-0005Qx-Dm.header
Virus Name: Malformed container violation
Virus ID: -8
Disposition: Infected

Mail log shows the following:

Feb 26 18:00:12 scanner4 MailScanner[20815]: Virus and Content Scanning: Starting
Feb 26 18:00:12 scanner4 MailScanner[20815]: Uninfected: Delivered 1 messages
Feb 26 18:00:12 scanner4 MailScanner[20815]: Logging message 1JU8mP-0005Pi-B1 to SQL
Feb 26 18:00:15 scanner4 MailScanner[19515]: 1JU8mP-0005Pi-B1: Logged to MailWatch SQL
Feb 26 18:01:18 scanner4 MailScanner[19874]: New Batch: Scanning 1 messages, 2458 bytes
Feb 26 18:01:20 scanner4 MailScanner[19874]: Virus and Content Scanning: Starting
Feb 26 18:01:20 scanner4 MailScanner[19874]: Uninfected: Delivered 1 messages
Feb 26 18:01:20 scanner4 MailScanner[19874]: Logging message 1JU8nT-0005Qx-Dm to SQL
Feb 26 18:01:20 scanner4 MailScanner[19515]: 1JU8nT-0005Qx-Dm: Logged to MailWatch SQL

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Tuesday, February 26, 2008 4:31 PM
To: MailScanner discussion
Subject: Re: Symantec Scan Engine

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To save me lots of time, can you give me the direct URL to it please (or else the click route if there's no static URL).

Alexander Nance wrote:
> I was not the one that did the initial request, it is however available
> for a 30 day trial directly from Symantec.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Tuesday, February 26, 2008 1:39 PM
> To: MailScanner discussion
> Subject: Re: Symantec Scan Engine
>
>
> * PGP Bad Signature, Signed by an unverified key: 02/26/08 at 18:38:39
>
> Did you ever send me a copy of the software to develop from?
>
> Alexander Nance wrote:
>
>> It replies that the scanengine is discovered properly. It is not
>>
> having
>
>> a problem sending the file through to be processed, it is just
>>
> ignoring
>
>> the result response.
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo >> Bellavance >> Sent: Tuesday, February 26, 2008 11:46 AM >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Symantec Scan Engine >> >> Alexander Nance wrote: >> >> >>> I found this post in the archives but never saw a resolution: >>> >>> Scan Engine reports that is sees the tests as viruses but MailScanner >>> > > >>> simply passes the message through. >>> >>> >> What does MailScanner --lint say? >> >> Ugo >> >> >> > > Jules > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHxIUvEfZZRxQVtlQRAs+KAKD8yOoRKiAOGXVhtwQ2r/dz8iue8ACgl11u cZVd5wEmWbzAZQ7koRjMc0E= =S5S7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
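The '.' versus './' point raised in the 27 February message of this thread, shown as an added example (it is not code from the thread and not MailScanner's SweepViruses.pm). The function names are hypothetical, and the one-record-per-line layout of the sample is an assumption about how the wrapper output quoted above was laid out before the archive flattened it.

```python
import re

# Constructed sample: records copied from the wrapper output quoted in the
# thread. The line layout is an assumption.
SAMPLE = """\
./1JU8mP-0005Pi-B1/eicar.txt 1
./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s):
File Name: eicar.txt
Virus Name: EICAR Test String
Virus ID: 11101
Disposition: Infected
./1JU8mP-0005Pi-B1.header 1
./1JU8mP-0005Pi-B1.header had 1 infection(s):
File Name: 1JU8mP-0005Pi-B1.header
Virus Name: Malformed container violation
Virus ID: -8
Disposition: Infected
Infected file(s) list:
./1JU8mP-0005Pi-B1/eicar.txt infected
./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s):
File Name: eicar.txt
Virus Name: EICAR Test String
Virus ID: 11101
Disposition: Infected
./1JU8nT-0005Qx-Dm/log.txt 0
"""

HAD_RE = re.compile(r"^(\./.+) had (\d+) infection\(s\):$")
NAME_RE = re.compile(r"^Virus Name: (.+)$")


def naive_split(path):
    """Split on every '.', the behaviour the post describes as the problem."""
    return path.split(".")


def split_report_path(path):
    """Strip only the leading './' and return (message_id, part).

    'part' is the attachment name, or '.header' for the message header file
    that sits next to the message directory.
    """
    if not path.startswith("./"):
        raise ValueError("unexpected report path: %r" % path)
    rest = path[2:]
    if "/" in rest:
        msg_id, part = rest.split("/", 1)
        return msg_id, part
    if rest.endswith(".header"):
        return rest[: -len(".header")], ".header"
    raise ValueError("unexpected report path: %r" % path)


def parse_report(text):
    """Map message id -> [(part, virus name), ...] without duplicates.

    The report repeats each finding under 'Infected file(s) list:', so an
    identical (part, name) pair is recorded once only.
    """
    findings = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        had = HAD_RE.match(line)
        if had:
            current = split_report_path(had.group(1))
            continue
        name = NAME_RE.match(line)
        if name and current is not None:
            msg_id, part = current
            bucket = findings.setdefault(msg_id, [])
            if (part, name.group(1)) not in bucket:
                bucket.append((part, name.group(1)))
            current = None
    return findings


if __name__ == "__main__":
    print(naive_split("./1JU8mP-0005Pi-B1/eicar.txt"))
    for msg_id, hits in parse_report(SAMPLE).items():
        print(msg_id, hits)
```

A result parsed this way can be compared with the "Uninfected: Delivered" lines in the mail log to spot messages the engine flagged but the gateway passed.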
From Hostmaster at computerservicecentre.com Fri Feb 29 15:05:30 2008
From: Hostmaster at computerservicecentre.com (Hostmaster)
Date: Fri Feb 29 15:06:00 2008
Subject: [Maybe OT] - RFC compliance checking at session
Message-ID: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>

Hi All,

I would like to elicit some opinions from you other MailScanner using MX-administrators. I know that there was some discussion on list some time ago regarding session checking, particularly HELO/EHLO checking, and its compliance against RFC 821, as clarified and updated in 2821.

We use Exim for both inbound and outbound message handling around MailScanner, and on the inbound, some quite complex ACL's to validate the session to try and cut down the amount of spam our users get. The first check we run is to ensure that the HELO/EHLO is an FQDN. We don't then validate if this FQDN can be resolved, or even if it is valid, it just has to be host.domain.tld, and this significantly cuts the number of RBL lookups we do. This hasn't caused us any problems with rejecting valid mail until now.

One of our users complained that they were no longer receiving a newsletter they signed up for. I managed to find it in the exim reject logs, and sure enough, it was failing the host checking - the EHLO it sends is "(server3549)", and exim declines the session with a 550 - permanent reject for policy reasons.

Now comes the fun part. That 550 is not enough for the sender - it ignores it and constantly retries the send, treating it more like a 450, but not following any normal MTA retry period I can establish. That would be enough for me to leave them blocked, but checking further, the IP for that host has no RDNS, also a big no-no in my opinion for a valid mail server, and the IP does not accept return SMTP - indicating that it's probably a web server and not an MTA itself.
I even took the liberty of doing an IPWhois, phoning the helpdesk of the company responsible for the IP (only because they are UK based the same as us) and pointing the problem out, only to be met with "yeah, we know about that, it'll be fixed sometime next year when we put a new server in", even after I pointed out that they wouldn't be getting successful deliveries to organisations such as AOL (RDNS is a must) and BT/Yahoo (whose policies are incredibly strict)!

So what do you guys think? Am I just being particularly awkward on a Friday afternoon and should I spend my time re-working our config to work around an organisation who is blatantly ignorant of common mail server practise, or just tell my user that the sending organisation needs to get their act together?

Best Regards,

Richard Garner (A+, N+, AMBCS, MOS-O)

All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect.

This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre.

From sbanderson at impromed.com Fri Feb 29 15:05:34 2008
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Fri Feb 29 15:06:39 2008
Subject: Another attack to fight off
In-Reply-To:
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C72FCB.2070304@pixelhammer.com> <47C6D015.61A4.0000.0@caspercollege.edu>
Message-ID: <4B16C177313C70448BFF4C80789335B33D26E214@ES1.impromed.com>

Check /usr/share/sendmail-cf/m4/proto.m4 You will find the same line you found in your sendmail.cf, except this is the source file - if you upgrade sendmail you'll need to hack this again every time too. Probably easiest just to temporarily hack the sendmail.cf.

Again, doing this violates at least RFC 1123, which requires that all senders use <> around the address and that the blank <> address be valid.

Scott

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Vlad Mazek
> Sent: Thursday, February 28, 2008 5:27 PM
> To: MailScanner discussion
> Subject: Re: Another attack to fight off
>
> Keep in mind that rejecting/deleting these violates RFC.. But if you're
> desperate, change:
>
> R<> $@ < @ > MAIL FROM:<>
> case
>
> to:
>
> R<> $#error $@ 5.1.3 $: "RFC Ignorant, and proud of
> it!"
>
> -Vlad
>
> On 2/28/08, Raymond Dijkxhoorn wrote:
> >
> > Hi!
> >
> >
> > > Can we use MailScanner to delete the incoming messages with
> "from=<>"
> > > in them? Would that be practical?
> >
> >
> > If you want to delete bounces, tell your mailer to do that.
> >
> > Bye,
> >
> > Raymond.
> >

From P.G.M.Peters at utwente.nl Fri Feb 29 15:13:18 2008
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Fri Feb 29 15:14:15 2008
Subject: Another attack to fight off
In-Reply-To: <47C72FCB.2070304@pixelhammer.com>
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C72FCB.2070304@pixelhammer.com>
Message-ID: <47C8210E.1040305@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

DAve wrote on 28-2-2008 23:03:
> Vlad Mazek wrote:
>> It's escalating too :( which is why I'm trying to do the split queue
>> thing but MailScanner has a big bold FIXME where it parses for
>> incoming directories..
>>
>> On 2/28/08, *Daniel Straka* > > wrote:
>>
>> I'm seeing Vlad's problem too, only 100% (2x) more than last week,
>> it's unnerving...
>
> Just out of curiosity I checked one server and grabbed these stats.
> Nothing more scientific than a grep of the mail logs for " from=<> "
>
> Todays total so far, followed by the last eight days.
> 19,485
> 18,818
> 28,619
> 5,461
> 1,658
> 994
> 1,140
> 1,097
> 810
> 1,546
>
> yea, I would say it is a problem now.

I checked my logs and I don't really see something different.

3679
4089
4598
4981
4494
4074
3730
5418
3927
2808

I scratched my head for a moment because of that last number but then I remembered we rolled in two extra servers next to the old 3.

The last couple of weeks the amount of spam has sky rocketed, but where it came from is uncertain. We have had our incoming queue grow during the day the last couple of weeks.

There is one little thing I noticed. Normally a spambot only delivers 10 to 15 messages each certain period of time. It seems they are acting faster lately. Sometimes reaching 30 to 40 during the same amount of time.
- --
Peter Peters, Team Leader Unix/Linux Administration
ICT-Servicecentrum
Universiteit Twente, Postbus 217, 7500 AE Enschede
Telephone 053 489 2301, Fax 053 489 2383, P.G.M.Peters@utwente.nl, http://www.utwente.nl/icts
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHyCENelLo80lrIdIRAiGkAKCWJF2Sa0/q1gMm7cxoUeoX/pU35ACfSw+G
JDmI3QlAhrMrErf6k1z25sA=
=o9GW
-----END PGP SIGNATURE-----

From mgaudreault at reference.qc.ca Fri Feb 29 15:26:34 2008
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 15:27:12 2008
Subject: Queue problem
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>

Hi

I have a problem with my anti-spam gateway. The queue is filling up very quickly (1600+ mails in queue).

The server's load average is <1 (0.60 - 0.80) so I suppose this is not a resource problem.

Then I have to change the port forwarding directly to my Imail server to let the anti-spam's queue go down.

I used many tweaks to maximize the efficacity of the anti-spam (mailscanner work directory in ram, dns cache server, increasing memory). I only got 1 CPU but I suppose this is not the problem because when the queue is full, the load average is under 1.

Any idea ?

PS: Sorry for my bad English

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

From alex at nkpanama.com Fri Feb 29 15:34:47 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Fri Feb 29 15:36:07 2008
Subject: Off Topic: I had a good day
In-Reply-To: <200802290819.55069.dyioulos@firstbhph.com>
References: <47C78283.7090808@pixelhammer.com> <200802290819.55069.dyioulos@firstbhph.com>
Message-ID:

Hear, hear!

On Feb 29, 2008, at 8:19 AM, Dimitri Yioulos wrote:
> Some of the best humor and best human-interest stories
> I've read, have come from the technical mailing lists I subscribe
> to. We
> most certainly are an interesting group of folk.

From alex at nkpanama.com Fri Feb 29 15:49:06 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Fri Feb 29 15:50:03 2008
Subject: Another attack to fight off
In-Reply-To: <4B16C177313C70448BFF4C80789335B33D26E214@ES1.impromed.com>
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C72FCB.2070304@pixelhammer.com> <47C6D015.61A4.0000.0@caspercollege.edu> <4B16C177313C70448BFF4C80789335B33D26E214@ES1.impromed.com>
Message-ID: <85FB118A-C8B2-4A81-BA14-2B6DF7200C7B@nkpanama.com>

Could one include('/etc/my.mc') something like this and override proto.m4?

On Feb 29, 2008, at 10:05 AM, Scott B. Anderson wrote:
> Check /usr/share/sendmail-cf/m4/proto.m4 You will find the same
> line you found in your sendmail.cf, except this is the source file -
> if you upgrade sendmail you'll need to hack this again every time
> too. Probably easiest just to temporarily hack the sendmail.cf.

From mgaudreault at reference.qc.ca Fri Feb 29 15:54:04 2008
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 15:54:42 2008
Subject: Queue problem
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local>

Hi

I have a problem with my anti-spam gateway. The queue is filling up very quickly (1600+ mails in queue).

The server's load average is <1 (0.60 - 0.80) so I suppose this is not a resource problem.

Then I have to change the port forwarding directly to my Imail server to let the anti-spam's queue go down.

I used many tweaks to maximize the efficacity of the anti-spam (mailscanner work directory in ram, dns cache server, increasing memory). I only got 1 CPU but I suppose this is not the problem because when the queue is full, the load average is under 1.

Any idea ?

PS: Sorry for my bad English

PPS: Sorry if you received my message twice

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

From raymond at prolocation.net Fri Feb 29 15:57:37 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Feb 29 15:58:16 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
Message-ID:

Hi!

> The server's load average is <1 (0.60 - 0.80) so I suppose this is not
> a resource problem.

Most likely things as network timeouts. Are you using pyzor with a dead pyzor server for example? We have seen that before slowing down things.

Bye,
Raymond.

From alex at nkpanama.com Fri Feb 29 15:58:11 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Fri Feb 29 15:59:36 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
Message-ID: <6F8C33BB-013D-4678-BFC9-56B6EB73ABE6@nkpanama.com>

Increase the number of children? Throttle the incoming connections? Try the stuff in http://www.technoids.org/dossed.html for example.

On Feb 29, 2008, at 10:26 AM, Maxime Gaudreault wrote:
> Any idea ?

From v at vladville.com Fri Feb 29 16:03:44 2008
From: v at vladville.com (Vlad Mazek)
Date: Fri Feb 29 16:04:19 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
Message-ID:

Look for the spamassassin cache database locking (search maillog for dbi is locked) which will explain it. Turn on spam speed logging to see how long the average queue processing time takes. Between the two you should be able to isolate it.

Or you can try MailScanner --debug and see if you can find the needle in the haystack, maybe your DNS is just acting up.

-Vlad

On 2/29/08, Maxime Gaudreault wrote:
>
> Hi
>
> I have a problem with my anti-spam gateway. The queue is filling up very
> quickly (1600+ mails in queue).
>
> The server's load average is <1 (0.60 - 0.80) so I suppose this is not a
> resource problem.
>
> Then I have to change the port forwarding directly to my Imail server to
> let the anti-spam's queue go down.
>
> I used many tweaks to maximize the efficacity of the anti-spam (mailscanner
> work directory in ram, dns cache server, increasing memory). I only got 1
> CPU but I suppose this is not the problem because when the queue is full,
> the load average is under 1.
>
> Any idea ?
>
> PS: Sorry for my bad English
>
> *Maxime Gaudreault*
> Technician
> Référence Systèmes inc.
> Tel.: 418.650.0997
> Fax: 418.650.9668
> E-mail: *mgaudreault*@reference.qc.ca
> Website: http://www.reference.qc.ca/
>

--
-Vlad

From anance at SYSSRC.com Fri Feb 29 16:09:03 2008
From: anance at SYSSRC.com (Alexander Nance)
Date: Fri Feb 29 16:09:37 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
Message-ID: <15BDDC14871D2A49BFCEEEF409EB298303EA5553@exchange.syssrcad.syssrc.com>

Check the mail logs on the mailscanner system, Imail may be causing your inbound messages to be deferred due to its connection limitations. I have seen where, if Imail is too busy, it will cause all the mail to back up and in the case of Exim the messages go to a frozen state.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Maxime Gaudreault
Sent: Friday, February 29, 2008 10:27 AM
To: mailscanner@lists.mailscanner.info
Subject: Queue problem

Hi

I have a problem with my anti-spam gateway. The queue is filling up very quickly (1600+ mails in queue).

The server's load average is <1 (0.60 - 0.80) so I suppose this is not a resource problem.

Then I have to change the port forwarding directly to my Imail server to let the anti-spam's queue go down.

I used many tweaks to maximize the efficacity of the anti-spam (mailscanner work directory in ram, dns cache server, increasing memory). I only got 1 CPU but I suppose this is not the problem because when the queue is full, the load average is under 1.

Any idea ?

PS: Sorry for my bad English

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

From ugob at lubik.ca Fri Feb 29 16:12:08 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Fri Feb 29 16:13:01 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
Message-ID:

Hostmaster wrote:
> So what do you guys think? Am I just being particularly awkward on a
> Friday afternoon and should I spend my time re-working our config to
> work around an organisation who is blatantly ignorant of common mail
> server practise, or just tell my user that the sending organisation
> needs to get their act together?

My opinion: leave it as is. If your user complains, you can tell them that the ones who are responsible for managing the server are aware of the problem and don't want to fix it. If the user insists, I guess you can whitelist the IP in some way.

Ugo

From steve.freegard at fsl.com Fri Feb 29 16:17:36 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Feb 29 16:19:03 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
Message-ID: <47C83020.1050909@fsl.com>

Hostmaster wrote:
> So what do you guys think? Am I just being particularly awkward on a
> Friday afternoon and should I spend my time re-working our config to
> work around an organisation who is blatantly ignorant of common mail
> server practise, or just tell my user that the sending organisation
> needs to get their act together?

Any anti-spam measures you put in place should have the ability for specific senders IP/PTR to be whitelisted for cases such as this.

We've been enforcing strict RFC-compliance in HELOs (FQDN or IP-domain literal; e.g. [ip.ip.ip.ip]) for a long time now. It helps quite a bit:

214-2.0.0 036 rfc2821-strict-helo=4135 (8.55%)

However - I have had the need to whitelist a handful of hosts in the past. And if your user wants the message, then why not? It's not going to force the sender to do anything about their mail server any quicker, just annoy your user.

There are some 'crazy' SMTP set-ups around, even some big providers flaunt the RFCs at will. I recently came across a host that had to be whitelisted through our greylisting functions (which were set to 10 minutes) because their MTA retried messages every 20 and 60 seconds and had a hard limit of 10 retries maximum before the message was de-queued and bounced back to the sender (the RFC states that mail should be queued for up to 5 *days*).

Cheers,
Steve.

From alex at nkpanama.com Fri Feb 29 16:28:58 2008
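The syntactic HELO/EHLO check discussed in this thread (an FQDN that is not resolved, or a bracketed IP literal, with per-IP exceptions), shown as an added example; it is not code from any poster and not an Exim ACL. The function names, the `min_labels` default of 2, the 550 text and the session list are assumptions, with constructed sample data apart from the "(server3549)" argument quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# One DNS label: letters, digits and hyphens, not starting or ending with '-'.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_helo(arg, min_labels=2):
    """Return 'address-literal', 'fqdn' or 'reject' for a HELO/EHLO argument.

    The check is purely syntactic: the name is never resolved.
    Use min_labels=3 to insist on host.domain.tld.
    """
    arg = arg.strip()
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        try:
            if inner.lower().startswith("ipv6:"):
                ipaddress.IPv6Address(inner[5:])
            else:
                ipaddress.IPv4Address(inner)
        except ValueError:
            return "reject"
        return "address-literal"
    name = arg[:-1] if arg.endswith(".") else arg
    if not name or len(name) > 255:
        return "reject"
    labels = name.split(".")
    if len(labels) < min_labels:
        return "reject"
    if not all(LABEL_RE.match(label) for label in labels):
        return "reject"
    if labels[-1].isdigit():
        # A bare dotted quad is not a domain name; it needs brackets.
        return "reject"
    return "fqdn"


def decide(client_ip, helo, allow_ips=frozenset()):
    """Apply the policy, letting explicitly allow-listed client IPs through."""
    if client_ip in allow_ips:
        return "accept (allow-listed)"
    verdict = classify_helo(helo)
    if verdict == "reject":
        return "550 HELO must be an FQDN or address literal"
    return "accept (%s)" % verdict


# Constructed sessions: (client IP from documentation ranges, HELO argument).
SAMPLE_SESSIONS = [
    ("192.0.2.10", "mail.example.org"),
    ("192.0.2.11", "(server3549)"),
    ("192.0.2.12", "[192.0.2.12]"),
    ("192.0.2.13", "localhost"),
    ("192.0.2.14", "192.0.2.14"),
    ("192.0.2.15", "-bad-.example.org"),
    ("192.0.2.16", "[IPv6:2001:db8::1]"),
]


def summarise(sessions):
    """Count verdicts, the kind of figure quoted for the strict-HELO rule."""
    return dict(Counter(classify_helo(helo) for _, helo in sessions))


if __name__ == "__main__":
    for ip, helo in SAMPLE_SESSIONS:
        print(ip, repr(helo), "->", decide(ip, helo, allow_ips={"192.0.2.11"}))
    print(summarise(SAMPLE_SESSIONS))
```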
From: alex at nkpanama.com (Alex Neuman)
Date: Fri Feb 29 16:30:23 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local>
Message-ID:

Did you try the suggestions I made?

On Feb 29, 2008, at 10:54 AM, Maxime Gaudreault wrote:
> used many tweaks to maximize the efficacity of the anti-spam
> (mailscanner work directory in ram, dns cache server, increasing
> memory). I only got 1 CPU but I suppose this is not the problem
> because when the queue is full, the load average is under 1.
>
> Any idea ?

From mgaudreault at reference.qc.ca Fri Feb 29 16:30:54 2008
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 16:31:31 2008
Subject: Queue problem
In-Reply-To:
References: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451B9@jupiter.reference.local>

I use DCC and Razor, not Pyzor

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Dijkxhoorn
Sent: February 29, 2008 10:58 AM
To: MailScanner discussion
Subject: Re: Queue problem

Hi!

> The server's load average is <1 (0.60 - 0.80) so I suppose this is not
> a resource problem.

Most likely things as network timeouts. Are you using pyzor with a dead pyzor server for example? We have seen that before slowing down things.

Bye,
Raymond.

From mkettler at evi-inc.com Fri Feb 29 16:48:15 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Feb 29 16:49:34 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
Message-ID: <47C8374F.9000502@evi-inc.com>

Hostmaster wrote:
> Hi All,
>
> I would like to elicit some opinions from you other MailScanner using
> MX-administrators.

Pretty much all your opinions here are valid, except:

> and the IP does not accept return SMTP - indicating that
> it's probably a web server and not an MTA itself.

I find that conclusion irrational. Why wouldn't it be an MTA?

Anyone large enough to have separate MX (inbound) and smarthost (outbound) servers should *NOT* be accepting inbound SMTP connections to their smarthost servers from the outside world. Only their internal network should be able to SMTP to the smarthost. There's no reason to allow it, so best practice would suggest you should close that off at the firewall. Any legitimate mail delivery attempts will go to the MX servers.

Therefore any attempts to connect to port 25 on the SmartHost from the outside are either hackers, scans, or random pokes and prods at parts of your network nobody on the outside belongs in.

I think it's a pretty far jump to assume that any system that generates SMTP but doesn't accept inbound from you can't be an MTA. It's quite possible it is an MTA, but you're not authorized to try to queue mail there and are firewalled out.

From dward at nccumc.org Fri Feb 29 16:51:27 2008
From: dward at nccumc.org (Douglas Ward)
Date: Fri Feb 29 16:52:17 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
Message-ID:

I believe that the problem is on their end, not yours. You have to follow the RFC's. If they choose not to then you simply can't communicate. I have had this problem a very few times. Each time I was able to resolve it by asking the end user to subscribe a different e-mail address. If they could receive it then problem solved. If no one else would accept the message then it reinforced my point. Perhaps a whitelist (last resort)?

On Fri, Feb 29, 2008 at 10:05 AM, Hostmaster <Hostmaster@computerservicecentre.com> wrote:

> Hi All,
>
> I would like to elicit some opinions from you other MailScanner using
> MX-administrators. I know that there was some discussion on list some time
> ago regarding session checking, particularly HELO/EHLO checking, and its
> compliance against RFC 821, as clarified and updated in 2821.
>
> We use Exim for both inbound and outbound message handling around
> MailScanner, and on the inbound, some quite complex ACL's to validate the
> session to try and cut down the amount of spam our users get. The first
> check we run is to ensure that the HELO/EHLO is an FQDN. We don't then
> validate if this FQDN can be resolved, or even if it is valid, it just has
> to be host.domain.tld, and this significantly cuts the number of RBL
> lookups we do. This hasn't caused us any problems with rejecting valid mail
> until now.
>
> One of our users complained that they were no longer receiving a
> newsletter they signed up for. I managed to find it in the exim reject logs,
> and sure enough, it was failing the host checking - the EHLO it sends is
> "(server3549)", and exim declines the session with a 550 - permanent reject
> for policy reasons.
>
> Now comes the fun part. That 550 is not enough for the sender - it ignores
> it and constantly retries the send, treating it more like a 450, but not
> following any normal MTA retry period I can establish. That would be enough
> for me to leave them blocked, but checking further, the IP for that host has
> no RDNS, also a big no-no in my opinion for a valid mail server, and the IP
> does not accept return SMTP - indicating that it's probably a web server and
> not an MTA itself. I even took the liberty of doing an IPWhois, phoning the
> helpdesk of the company responsible for the IP (only because they are UK
> based the same as us) and pointing the problem out, only to be met with
> "yeah, we know about that, it'll be fixed sometime next year when we put a
> new server in", even after I pointed out that they wouldn't be getting
> successful deliveries to organisations such as AOL (RDNS is a must) and
> BT/Yahoo (whose policies are incredibly strict)!
>
> So what do you guys think? Am I just being particularly awkward on a
> Friday afternoon and should I spend my time re-working our config to work
> around an organisation who is blatantly ignorant of common mail server
> practise, or just tell my user that the sending organisation needs to get
> their act together?
>
> Best Regards,
>
> Richard Garner (A+, N+, AMBCS, MOS-O)
> All E-Mail communications are monitored in addition to being content
> checked for malicious codes or viruses. The success of scanning products is
> not guaranteed, therefore the recipient(s) should carry out any checks that
> they believe to be appropriate in this respect.
>
> This message (including any attachments and/or related materials) is
> confidential to and is the property of Computer Service Centre, unless
> otherwise noted. If you are not the intended recipient, you should delete
> this message and are hereby notified that any disclosure, copying, or
> distribution of this message, or the taking of any action based on it, is
> strictly prohibited.
>
> Any views or opinions presented are solely those of the author and do not
> necessarily represent those of Computer Service Centre.
>

From mgaudreault at reference.qc.ca Fri Feb 29 16:53:31 2008
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 16:54:09 2008
Subject: Queue problem
In-Reply-To: <15BDDC14871D2A49BFCEEEF409EB298303EA5553@exchange.syssrcad.syssrc.com>
References: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local> <15BDDC14871D2A49BFCEEEF409EB298303EA5553@exchange.syssrcad.syssrc.com>
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451C2@jupiter.reference.local>

The mail in queue are not scanned by Mailscanner yet, so I guess this is not a problem with Imail since the mail are transferred to Imail AFTER being scanned. Am I wrong ?

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alexander Nance Sent: February 29, 2008 11:09 AM To: mailscanner@lists.mailscanner.info Subject: RE: Queue problem Check the mail logs on the mailscanner system, Imail may be causing your inbound messages to be deferred due to it connection limitations. I have seen where the if Imail is too busy, it will cause all the mail to back up and in the case of Exim the message go to a frozen state. From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Maxime Gaudreault Sent: Friday, February 29, 2008 10:27 AM To: mailscanner@lists.mailscanner.info Subject: Queue problem Hi I have a problem with my anti-spam gateway. The queue is fulling up very quickly (1600+ mails in queue). The server's load average is <1 (0.60 - 0.80) so I suppose this is not a ressource problem. Then I have to change the port forwarding directly to my Imail server to let the anti-spam's queue going down. I used many tweak to maximize the efficacity of the anti-spam (mailscanner work directory in ram, dns cache server, increasing memory). I only got 1 CPU but I suppose this is not the problem because when the queue is full, the load average is under 1. Any idea ? PS: Sorry for my bad engllish Maxime Gaudreault Technicien R?f?rence Syst?mes inc. T?l. : 418.650.0997 T?l?c. : 418.650.9668 Courriel : mgaudreault@reference.qc.ca Site Internet : http://www.reference.qc.ca/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080229/5b17cc47/attachment.html From mgaudreault at reference.qc.ca Fri Feb 29 17:03:00 2008 
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 17:03:12 2008
Subject: Queue problem
In-Reply-To:
References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local>
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451C3@jupiter.reference.local>

I'm on it

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: February 29, 2008 11:29 AM
To: MailScanner discussion
Subject: Re: Queue problem

Did you try the suggestions I made?

On Feb 29, 2008, at 10:54 AM, Maxime Gaudreault wrote:

> used many tweak to maximize the efficacity of the anti-spam
> (mailscanner work directory in ram, dns cache server, increasing
> memory). I only got 1 CPU but I suppose this is not the problem
> because when the queue is full, the load average is under 1.
>
> Any idea ?

From mgaudreault at reference.qc.ca Fri Feb 29 17:15:56 2008
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 17:16:33 2008
Subject: Queue problem
In-Reply-To:
References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local>
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451C5@jupiter.reference.local>

The link you gave me is about sendmail but I'll search around for instructions to configure rate control on postfix

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: February 29, 2008 11:29 AM
To: MailScanner discussion
Subject: Re: Queue problem

Did you try the suggestions I made?

On Feb 29, 2008, at 10:54 AM, Maxime Gaudreault wrote:

> used many tweak to maximize the efficacity of the anti-spam
> (mailscanner work directory in ram, dns cache server, increasing
> memory). I only got 1 CPU but I suppose this is not the problem
> because when the queue is full, the load average is under 1.
>
> Any idea ?

From mgaudreault at reference.qc.ca Fri Feb 29 17:46:54 2008
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 17:47:32 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local>
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local>

Hi

The hold queue is actually at 415 emails

Load Average: 0.11 0.25 0.53

htop shows many of these processes:

MailScanner: checking with SpamAssassin
MailScanner: checking with Spam Lists

CPU is 3%
Mem is 25%

I don't understand

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Maxime Gaudreault
Sent: February 29, 2008 10:54 AM
To: MailScanner discussion
Subject: Queue problem

Hi

I have a problem with my anti-spam gateway. The queue is filling up very quickly (1600+ mails in queue).

The server's load average is <1 (0.60 - 0.80) so I suppose this is not a resource problem.

Then I have to change the port forwarding directly to my Imail server to let the anti-spam's queue go down.

I used many tweaks to maximize the efficacity of the anti-spam (mailscanner work directory in ram, dns cache server, increasing memory). I only got 1 CPU but I suppose this is not the problem because when the queue is full, the load average is under 1.

Any idea ?

PS: Sorry for my bad English
PPS: Sorry if you received my message twice

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

From shuttlebox at gmail.com Fri Feb 29 18:04:39 2008
From: shuttlebox at gmail.com (shuttlebox) Date: Fri Feb 29 18:05:13 2008 Subject: Queue problem In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local> References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local> <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local> Message-ID: <625385e30802291004w55958c65i11ae1c2cd1c351b8@mail.gmail.com> On Fri, Feb 29, 2008 at 6:46 PM, Maxime Gaudreault wrote: > Hi > > The hold queue is actually at 415 emails > > Load Average: 0.11 0.25 0.53 > > htop show many of these process: > > MailScanner: checking with SpamAssassin > > MailScanner: checking with Spam Lists > > CPU is 3% > > Mem is 25% > > I don't understand Looks like the limiting factor is the network. Probably DCC, Razor or some RBL is acting up for you. Run MailScanner with --debug set and look where it pauses. Also look at your queue dirs so they are clean and not full of corrupt files that your MTA has to stat all the time. -- /peter From mikew at crucis.net Fri Feb 29 18:16:51 2008 
From: mikew at crucis.net (Mike - W0TMW) Date: Fri Feb 29 18:17:28 2008 Subject: Off Topic: I had a good day In-Reply-To: <47C78283.7090808@pixelhammer.com> References: <47C78283.7090808@pixelhammer.com> Message-ID: <47C84C13.30100@crucis.net> DAve wrote: > Sorry for the off topic post but I just have to tell someone. > > I have a house full of teenagers twice a week. I let my sons band > practice downstairs, full drum kit and amps, the whole shootin match. > I give them a place to practice, make them dinner, fix their guitars, > tell them to drive careful when they leave. This has been Thursday and > Sunday nights for almost a year. > > Funny thing happened tonight after practice. My wife called me > downstairs and all the kids were in the kitchen. In the middle of the > floor was a new hardcase with a New Haven made Ovation six string > guitar. They had saved their money since November and pooled it > together to get me something they said I wouldn't spend the money on > for myself. It was their way of saying thanks. I nearly cried. > > The next generation is going to be just fine. > > DAve A great bunch of kids. Be proud! mw From mikew at crucis.net Fri Feb 29 18:24:04 2008 
From: mikew at crucis.net (Mike - W0TMW) Date: Fri Feb 29 18:24:41 2008 Subject: F-Prot use not appearing in log file In-Reply-To: <47C7D13F.90507@ecs.soton.ac.uk> References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net> <47C76359.3030300@crucis.net> <47C7D13F.90507@ecs.soton.ac.uk> Message-ID: <47C84DC4.3090406@crucis.net> Trimmed to conserve space. Julian Field wrote: > > > Mike Watson wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Scott Silva wrote: >> | on 2-28-2008 1:35 PM Mike - W0TMW spake the following: >> |> Julian Field wrote: >> |>> >> |>> >> |>> Mike - W0TMW wrote: >> |>>> I've installed MS 4.66 on a new box and thanks to others here >> gotten it running. I have noticed something odd. >> |>>> >> |>>> I have clamav and f-prot installed for virus scanning. I have >> an older version of MS running on another box also with clamav and >> f-prot. On that older box, when an e-mail is being scanned, I see in >> the log that clamav and f-prot are used. On the new box however, I >> only see clamav mentioned. Both virus scanners are found when MS is >> started. snipped... >> | Change your %org-name% to crucis_net instead of crucis.net. That >> error has caused many logging problems. >> | And you might as well fix the other error so spamassassin ignores >> your locally generated headers. >> Done. No change. > Have you checked your /etc/MailScanner.conf recently? > A new version of F-Prot appeared with a totally new output format. > There is now the "f-prot-6" scanner which you should have in your > "Virus Scanners" setting. It's mentioned in the comments above. My F-prot is version 4.6.8, engine 3.16.16. It was downloaded from the F-Prot website last week. Would this version use "f-prot" or "F-prot-6"? F-prot works/scans in manual mode. >> >> mw >> > > Jules > From mgaudreault at reference.qc.ca Fri Feb 29 18:34:03 2008 
From: mgaudreault at reference.qc.ca (Maxime Gaudreault) Date: Fri Feb 29 18:34:40 2008 Subject: Queue problem In-Reply-To: <625385e30802291004w55958c65i11ae1c2cd1c351b8@mail.gmail.com> References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local><6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local> <625385e30802291004w55958c65i11ae1c2cd1c351b8@mail.gmail.com> Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451CC@jupiter.reference.local> Here's the output from running mailscanner with --debug: pf:/etc# /opt/MailScanner/bin/MailScanner --debug In Debugging mode, not forking... SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp [13679] warn: FuzzyOcr: Cannot find executable for pamthreshold [13679] warn: FuzzyOcr: Cannot find executable for pamtopnm max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' max message size is '30000' [13927] error: FuzzyOcr: Error running preprocessor(pamditherbw): pamditherbw -threshold [13927] warn: FuzzyOcr: Errors in Scanset "ocrad-decolorize-invert" [13927] warn: FuzzyOcr: Return code: 2048, Error: save_execute: failed to exec pamditherbw -threshold: No such file or directory at /etc/mail/spamassassin/FuzzyOcr/Misc.pm line 173. 
[13927] warn: FuzzyOcr: save_execute: failed to exec pamditherbw -threshold: No such file or directory at /etc/mail/spamassassin/FuzzyOcr/Misc.pm line 173. [13927] warn: FuzzyOcr: Skipping scanset because of errors, trying next... [13927] error: FuzzyOcr: Error running preprocessor(pamditherbw): pamditherbw -threshold [13927] warn: FuzzyOcr: Errors in Scanset "ocrad-decolorize" [13927] warn: FuzzyOcr: Return code: 2048, Error: save_execute: failed to exec pamditherbw -threshold: No such file or directory at /etc/mail/spamassassin/FuzzyOcr/Misc.pm line 173. [13927] warn: FuzzyOcr: save_execute: failed to exec pamditherbw -threshold: No such file or directory at /etc/mail/spamassassin/FuzzyOcr/Misc.pm line 173. [13927] warn: FuzzyOcr: Skipping scanset because of errors, trying next... max message size is '30000' Stopping now as you are debugging me. commit ineffective with AutoCommit enabled at /opt/MailScanner/etc/CustomFunctions/MailWatch.pm line 93, line 1365. Commmit ineffective while AutoCommit is on at /opt/MailScanner/etc/CustomFunctions/MailWatch.pm line 93, line 1365. Maxime Gaudreault Technicien ?????????????????????????????????????????????????? R?f?rence Syst?mes inc. T?l. : 418.650.0997 T?l?c. : 418.650.9668 Courriel : mgaudreault@reference.qc.ca Site Internet : http://www.reference.qc.ca/ -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox Sent: February 29, 2008 1:05 PM To: MailScanner discussion Subject: Re: Queue problem On Fri, Feb 29, 2008 at 6:46 PM, Maxime Gaudreault wrote: > Hi > > The hold queue is actually at 415 emails > > Load Average: 0.11 0.25 0.53 > > htop show many of these process: > > MailScanner: checking with SpamAssassin > > MailScanner: checking with Spam Lists > > CPU is 3% > > Mem is 25% > > I don't understand Looks like the limiting factor is the network. Probably DCC, Razor or some RBL is acting up for you. Run MailScanner with --debug set and look where it pauses. Also look at your queue dirs so they are clean and not full of corrupt files that your MTA has to stat all the time. -- /peter -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Kevin_Miller at ci.juneau.ak.us Fri Feb 29 18:42:12 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Feb 29 18:41:47 2008 Subject: Off Topic: I had a good day In-Reply-To: <47C78283.7090808@pixelhammer.com> References: <47C78283.7090808@pixelhammer.com> Message-ID: DAve wrote: > Sorry for the off topic post but I just have to tell someone. > > I have a house full of teenagers twice a week. I let my sons band > practice downstairs, full drum kit and amps, the whole shootin match. > I give them a place to practice, make them dinner, fix their guitars, > tell them to drive careful when they leave. This has been Thursday > and Sunday nights for almost a year. > > Funny thing happened tonight after practice. My wife called me > downstairs and all the kids were in the kitchen. In the middle of the > floor was a new hardcase with a New Haven made Ovation six string > guitar. They had saved their money since November and pooled it > together to get me something they said I wouldn't spend the money on > for myself. It was their way of saying thanks. I nearly cried. > > The next generation is going to be just fine. Well, some of them. It all boils down to parental involvement in their lives. As much as teens want to think they're 'all grown up' they're usually running pretty scared. They need to know they're loved (don't we all!) and they need to know they're safe. There's a million ways to say 'I love you' and hosting the band practice, cooking dinner, fixing guitars, jamming w/'em and such are just a few of the cooler ways to do so. Good job dad. Keep up the good work... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ssilva at sgvwater.com Fri Feb 29 18:46:28 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 29 18:47:17 2008 Subject: small bug in 4.66.5 - log entries missing In-Reply-To: <47C7EEC1.4000709@nerc.ac.uk> References: <47C2DBB6.1060405@nerc.ac.uk> <47C2E121.6000301@nerc.ac.uk> <3eb901c878a7$a74bbf90$f5e33eb0$@com> <003801c878b5$8e92acd0$abb80670$@com> <47C4856A.3000104@ecs.soton.ac.uk> <47C6F386.3080509@nerc.ac.uk> <47C70B6F.6070701@ecs.soton.ac.uk> <47C7EEC1.4000709@nerc.ac.uk> Message-ID: on 2-29-2008 3:38 AM Greg Matthews spake the following: > Scott, Julian... > > Scott Silva wrote: >> on 2-28-2008 11:28 AM Julian Field spake the following: >>> Sure. Please gzip it first. Is all the other logging working okay? >>> Does it happen only with exactly this set? >>> Virus Scanners = clamavmodule >>> Exactly what log entries don't arrive in your syslog (when compared >>> to using a different virus scanner)? >>> >>> Jules >>> >> Sorry Julian, >> I think Greg wanted a copy of mine to see if he had differences, at >> least that is what I inferred. >> > > Got your SweepViruses.pm and the only difference between yours and mine > is the patch I posted to correct the log entries (ie using > "ClamAVModule" instead of $Name). > > I've compared your MailScanner -V output and there are a few minor > differences, most significant is probably Mail::ClamAV - you are using > 0.20 and I'm using 0.21. This may be a dead end tho as my test and dev > host also runs with 0.21 and doesnt have this problem. Although it is 0.20, it is Julian's patched version, if that makes any difference. I haven't had an opportunity to test 0.21, and am considering going to clamd since the clam code has been a moving target for the clam module lately. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080229/c9c7fab3/signature-0001.bin

From Denis.Beauchemin at USherbrooke.ca Fri Feb 29 18:46:27 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Feb 29 18:47:18 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local> <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local>
Message-ID: <47C85303.4040402@USherbrooke.ca>

Maxime Gaudreault wrote:
>
> Hi
>
> The hold queue is actually at 415 emails
>
> Load Average: 0.11 0.25 0.53
>
> htop show many of these process:
>
> MailScanner: checking with SpamAssassin
> MailScanner: checking with Spam Lists
>

Maxime,

Asking MS to perform spam lists checks is not a really good idea because it will slow things down. Since you are already using SA, those checks will be performed faster by SA because it will check them simultaneously.

You should use a blank value for "Spam List =".

Denis
--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From shuttlebox at gmail.com Fri Feb 29 18:51:35 2008
From: shuttlebox at gmail.com (shuttlebox) Date: Fri Feb 29 18:52:10 2008 Subject: Queue problem In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451CC@jupiter.reference.local> References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local> <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local> <625385e30802291004w55958c65i11ae1c2cd1c351b8@mail.gmail.com> <6DD6B2C8A11BFC4092A148347F6126B85451CC@jupiter.reference.local> Message-ID: <625385e30802291051y40fef1b5h72783bbc681112e9@mail.gmail.com> On Fri, Feb 29, 2008 at 7:34 PM, Maxime Gaudreault wrote: > Here's the output from running mailscanner with --debug: > > pf:/etc# /opt/MailScanner/bin/MailScanner --debug > In Debugging mode, not forking... > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > [13679] warn: FuzzyOcr: Cannot find executable for pamthreshold > [13679] warn: FuzzyOcr: Cannot find executable for pamtopnm Could you either fix or disable FuzzyOCR? -- /peter From Denis.Beauchemin at USherbrooke.ca Fri Feb 29 18:58:43 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Feb 29 18:59:04 2008 Subject: Queue problem In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451CC@jupiter.reference.local> References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local><6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local> <625385e30802291004w55958c65i11ae1c2cd1c351b8@mail.gmail.com> <6DD6B2C8A11BFC4092A148347F6126B85451CC@jupiter.reference.local> Message-ID: <47C855E3.8080707@USherbrooke.ca> Maxime Gaudreault a ?crit : > Here's the output from running mailscanner with --debug: > > pf:/etc# /opt/MailScanner/bin/MailScanner --debug > In Debugging mode, not forking... > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > [13679] warn: FuzzyOcr: Cannot find executable for pamthreshold > [13679] warn: FuzzyOcr: Cannot find executable for pamtopnm > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > max message size is '30000' > [13927] error: FuzzyOcr: Error running preprocessor(pamditherbw): pamditherbw -threshold > [13927] warn: FuzzyOcr: Errors in Scanset "ocrad-decolorize-invert" > [13927] warn: FuzzyOcr: Return code: 2048, Error: save_execute: failed to exec 
pamditherbw -threshold: No such file or directory at /etc/mail/spamassassin/FuzzyOcr/Misc.pm line 173. > [13927] warn: FuzzyOcr: save_execute: failed to exec pamditherbw -threshold: No such file or directory at /etc/mail/spamassassin/FuzzyOcr/Misc.pm line 173. > [13927] warn: FuzzyOcr: Skipping scanset because of errors, trying next... > [13927] error: FuzzyOcr: Error running preprocessor(pamditherbw): pamditherbw -threshold > [13927] warn: FuzzyOcr: Errors in Scanset "ocrad-decolorize" > [13927] warn: FuzzyOcr: Return code: 2048, Error: save_execute: failed to exec pamditherbw -threshold: No such file or directory at /etc/mail/spamassassin/FuzzyOcr/Misc.pm line 173. > [13927] warn: FuzzyOcr: save_execute: failed to exec pamditherbw -threshold: No such file or directory at /etc/mail/spamassassin/FuzzyOcr/Misc.pm line 173. > [13927] warn: FuzzyOcr: Skipping scanset because of errors, trying next... > max message size is '30000' > Stopping now as you are debugging me. > commit ineffective with AutoCommit enabled at /opt/MailScanner/etc/CustomFunctions/MailWatch.pm line 93, line 1365. > Commmit ineffective while AutoCommit is on at /opt/MailScanner/etc/CustomFunctions/MailWatch.pm line 93, line 1365. > Maxime, You seem to have many errors/warnings about FuzzyOcr. I would recommend removing it from your SA setup. It could help with the delays. I used to run FuzzyOcr but it didn't catch much spam and caused many false positives... Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From ssilva at sgvwater.com Fri Feb 29 18:58:57 2008 
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Feb 29 18:59:25 2008
Subject: OT: Signed messages
In-Reply-To: <47C7AE24.2010802@vanderkooij.org>
References: <47C7AE24.2010802@vanderkooij.org>
Message-ID:

on 2-28-2008 11:03 PM Hugo van der Kooij spake the following:
>
> Mike and all those that sign their messages.
>
> Can you please verify you have uploaded your pgp public key to the
> public key servers? Or include a link in your tagline.
>
> Not much use to sign messages if your public key is not public ;-)
>
> Thanks,
> Hugo.
>

Do your keys propagate between servers, or do you need to post to a few?
If more than one, do you have a list?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From mgaudreault at reference.qc.ca Fri Feb 29 19:09:47 2008
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 19:10:24 2008
Subject: Queue problem
In-Reply-To: <625385e30802291051y40fef1b5h72783bbc681112e9@mail.gmail.com>
References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local><6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local><625385e30802291004w55958c65i11ae1c2cd1c351b8@mail.gmail.com><6DD6B2C8A11BFC4092A148347F6126B85451CC@jupiter.reference.local> <625385e30802291051y40fef1b5h72783bbc681112e9@mail.gmail.com>
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451D3@jupiter.reference.local>

I fixed it

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox Sent: February 29, 2008 1:52 PM To: MailScanner discussion Subject: Re: Queue problem On Fri, Feb 29, 2008 at 7:34 PM, Maxime Gaudreault wrote: > Here's the output from running mailscanner with --debug: > > pf:/etc# /opt/MailScanner/bin/MailScanner --debug > In Debugging mode, not forking... > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > [13679] warn: FuzzyOcr: Cannot find executable for pamthreshold > [13679] warn: FuzzyOcr: Cannot find executable for pamtopnm Could you either fix or disable FuzzyOCR? -- /peter -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Phil.Udel at SalemCorp.com Fri Feb 29 19:15:43 2008 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Fri Feb 29 19:16:23 2008 Subject: Email Statistics In-Reply-To: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com> Message-ID: <00d401c87b07$7b218140$6102a8c0@salemcorp.com> Wow. Thanks guys. Very informative _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Thursday, February 28, 2008 8:27 AM To: mailscanner@lists.mailscanner.info Subject: Email Statistics I have been looking at my stats, I was curious what other people get Current doing about 100,000 emails a month with a 77% Spam hit. Also many of my users have a 90% spam Hit. Is that normal or average? We are a average company with about 250 mail boxes -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080229/fe16abb1/attachment.html From Phil.Udel at SalemCorp.com Fri Feb 29 19:17:09 2008 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Fri Feb 29 19:17:24 2008 Subject: Email Statistics In-Reply-To: <223f97700802290042i4f7b8658wee02a0b6f7cdb73c@mail.gmail.com> References: <005d01c87a0d$93023ca0$6102a8c0@salemcorp.com><1204207905.16349.27.camel@gblades-suse.linguaphone-intranet.co.uk><1204212885.16353.33.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700802290042i4f7b8658wee02a0b6f7cdb73c@mail.gmail.com> Message-ID: <00d901c87b07$ae3251e0$6102a8c0@salemcorp.com> YA. I thought I would turn SA off for one day just so they could see how good of a job I am doing lol -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Friday, February 29, 2008 3:42 AM
To: MailScanner discussion
Subject: Re: Email Statistics

On 28/02/2008, Gareth wrote:
> Oops I thought you meant the spam detection rate and not the overall
> percentage of spam you receive.
>
> I think we receive about 40% spam but I do have the spamhaus RBL
> configured in postfix which rejects about 80% of spam before receipt.

At which point one can start looking at one's pflogsumm stats and combining with the MW figures...:-). That's what I do, when reporting to "the powers that be"... Relevant for them to know exactly how protected they are:-). And put a stop to the whining about the occasional FN.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ugob at lubik.ca Fri Feb 29 19:29:14 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Fri Feb 29 19:30:02 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
Message-ID:

Maxime Gaudreault wrote:
> Hi
>
> I have a problem with my anti-spam gateway. The queue is fulling up very
> quickly (1600+ mails in queue).
>
> The server's load average is <1 (0.60 - 0.80) so I suppose this is not a
> ressource problem.

Try

dig txt 2.0.0.127.zen.spamhaus.org

does it time out? If it does, you've been blocked by spamhaus. You'll have to buy their rsync service, or use another RBL (spamcop is a good alternative).

Ugo

From mgaudreault at reference.qc.ca Fri Feb 29 19:47:31 2008
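The test Ugo Bellavance suggests above (look up the test entry 2.0.0.127 in a DNSBL zone and see whether it times out) can be run against every zone a gateway queries, which is how a stalled list shows up when the queue grows while CPU stays idle. This is an added example, not part of the original thread: it does an A lookup through the system resolver rather than dig's TXT query, and the `.example` zones and `constructed_resolver` are constructed stand-ins so it runs offline.

```python
"""Time DNSBL test lookups to find the list that stalls spam-list checks."""
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as LookupTimeout

TEST_ENTRY = "127.0.0.2"  # address that DNSBLs list on purpose for testing


def dnsbl_query_name(ip, zone):
    """127.0.0.2 in zen.spamhaus.org -> 2.0.0.127.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def probe(zone, resolver=socket.gethostbyname, timeout=5.0):
    """Look up the test entry in one zone; report status and elapsed time.

    The lookup runs in a worker thread because the system resolver has no
    per-call timeout; a hung lookup is abandoned, not cancelled.
    """
    name = dnsbl_query_name(TEST_ENTRY, zone)
    pool = ThreadPoolExecutor(max_workers=1)
    started = time.monotonic()
    try:
        answer = pool.submit(resolver, name).result(timeout=timeout)
        status = "answered"
    except LookupTimeout:
        answer, status = None, "timeout"    # list is stalling every scan
    except socket.gaierror:
        answer, status = None, "no-answer"  # test entry missing: list unusable
    finally:
        pool.shutdown(wait=False)
    return {
        "zone": zone,
        "query": name,
        "status": status,
        "answer": answer,
        "seconds": round(time.monotonic() - started, 3),
    }


def problem_zones(zones, resolver=socket.gethostbyname, timeout=5.0,
                  slow_after=1.0):
    """Return probe results for zones that time out, fail or answer slowly."""
    flagged = []
    for zone in zones:
        result = probe(zone, resolver, timeout)
        if result["status"] != "answered" or result["seconds"] > slow_after:
            flagged.append(result)
    return flagged


def constructed_resolver(name):
    """Constructed stand-in for DNS: one healthy, one stalled, one dead zone."""
    if name.endswith(".stalled.example"):
        time.sleep(1.0)
    if name.endswith(".refusing.example"):
        raise socket.gaierror("constructed: name not found")
    return "127.0.0.2"


if __name__ == "__main__":
    sample = ["healthy.example", "stalled.example", "refusing.example"]
    for r in problem_zones(sample, constructed_resolver, timeout=0.2):
        print(f'{r["zone"]:20} {r["status"]:10} {r["seconds"]}s  ({r["query"]})')
```

On the gateway itself, call `problem_zones` with the zones actually configured and the default resolver; any zone it returns is a candidate for removal from the spam list checks.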
From: mgaudreault at reference.qc.ca (Maxime Gaudreault)
Date: Fri Feb 29 19:48:09 2008
Subject: Queue problem
In-Reply-To:
References: <6DD6B2C8A11BFC4092A148347F6126B85451A5@jupiter.reference.local>
Message-ID: <6DD6B2C8A11BFC4092A148347F6126B85451DB@jupiter.reference.local>

No timeout

Maxime Gaudreault
Technician
Référence Systèmes inc.
Tel.: 418.650.0997
Fax: 418.650.9668
E-mail: mgaudreault@reference.qc.ca
Website: http://www.reference.qc.ca/

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance
Sent: February 29, 2008 2:29 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Queue problem

Maxime Gaudreault wrote:
> Hi
>
> I have a problem with my anti-spam gateway. The queue is fulling up very
> quickly (1600+ mails in queue).
>
> The server's load average is <1 (0.60 - 0.80) so I suppose this is not a
> ressource problem.

Try

dig txt 2.0.0.127.zen.spamhaus.org

does it time out? If it does, you've been blocked by spamhaus. You'll have to buy their rsync service, or use another RBL (spamcop is a good alternative).

Ugo

From alex at nkpanama.com Fri Feb 29 19:49:43 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Fri Feb 29 19:51:10 2008
Subject: Queue problem
In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451D3@jupiter.reference.local>
References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local><6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local><625385e30802291004w55958c65i11ae1c2cd1c351b8@mail.gmail.com><6DD6B2C8A11BFC4092A148347F6126B85451CC@jupiter.reference.local> <625385e30802291051y40fef1b5h72783bbc681112e9@mail.gmail.com> <6DD6B2C8A11BFC4092A148347F6126B85451D3@jupiter.reference.local>
Message-ID: <83F26D55-99C1-4B3A-8140-C40713263A44@nkpanama.com>

How? So we'll know next time, yes?

On Feb 29, 2008, at 2:09 PM, Maxime Gaudreault wrote:
> I fixed it

From wizard at jimhermann.com Fri Feb 29 20:20:42 2008
From: wizard at jimhermann.com (Jim Hermann)
Date: Fri Feb 29 20:24:08 2008
Subject: FW: Another attack to fight off
In-Reply-To: <608FC9263D077744B6AA7457C9D005F827E63C0E07@MBX72.ad2.softcom.biz>
References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C7310E.3020004@ecs.soton.ac.uk> , <608FC9263D077744B6AA7457C9D005F827E63C0E07@MBX72.ad2.softcom.biz>
Message-ID:

________________________________
From: Vlad Mazek [mailto:v@vladville.com]
Sent: Thursday, February 28, 2008 04:43 PM
To: MailScanner discussion
Subject: Re: Another attack to fight off

MailScanner doesn't seem to want to accept multiple incoming queues with sendmail. Incoming Queue Dir = doesn't seem to take anything other than a single directory. Documentation indicates it should take filesets but that doesn't work

Starting MailScanner daemons: incoming sendmail: 451 4.0.0 can not chdir(/etc/MailScanner/rules/mqueue.in.list.conf/): Not a directory [ OK ]

(I tried %rules-dir%/mqueue.in.list.conf, permissions are ok, the file contains the queue dirs one per line, etc all looks sane)

-Vlad

-----

Vlad,

I use this setting:

Incoming Queue Dir = /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue /home/virtual/site*/fst/var/spool/mqueue

It collects email from 200 different directories.

Jim

From rcooper at dwford.com Fri Feb 29 20:25:21 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Feb 29 20:26:04 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
Message-ID: <115b01c87b11$356d86d0$0301a8c0@SAHOMELT>

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hostmaster
Sent: Friday, February 29, 2008 10:06 AM
To: MailScanner discussion
Subject: [Maybe OT] - RFC compliance checking at session

Hi All,

I would like to elicit some opinions from you other MailScanner using MX-administrators. I know that there was some discussion on list some time ago regarding session checking, particularly HELO/EHLO checking, and its compliance against RFC 821, as clarified and updated in 2821.

We use Exim for both inbound and outbound message handling around MailScanner, and on the inbound, some quite complex ACL's to validate the session to try and cut down the amount of spam our users get. The first check we run is to ensure that the HELO/EHLO is an FQDN. We don't then validate if this FQDN can be resolved, or even if it is valid, it just has to be host.domain.tld, and this significantly cuts the number of RBL lookups we do. This hasn't caused us any problems with rejecting valid mail until now.

One of our users complained that they were no longer receiving a newsletter they signed up for. I managed to find it in the exim reject logs, and sure enough, it was failing the host checking - the EHLO it sends is "(server3549)", and exim declines the session with a 550 - permanent reject for policy reasons.

Now comes the fun part. That 550 is not enough for the sender - it ignores it and constantly retries the send, treating it more like a 450, but not following any normal MTA retry period I can establish. That would be enough for me to leave them blocked, but checking further, the IP for that host has no RDNS, also a big no-no in my opinion for a valid mail server, and the IP does not accept return SMTP - indicating that it's probably a web server and not an MTA itself.
I even took the liberty of doing an IPWhois, phoning the helpdesk of the company responsible for the IP (only because they are UK based the same as us) and pointing the problem out, only to be met with "yeah, we know about that, it'll be fixed sometime next year when we put a new server in", even after I pointed out that they wouldn't be getting successful deliveries to organisations such as AOL (RDNS is a must) and BT/Yahoo (whose policies are incredibly strict)!

So what do you guys think? Am I just being particularly awkward on a Friday afternoon and should I spend my time re-working our config to work around an organisation who is blatantly ignorant of common mail server practise, or just tell my user that the sending organisation needs to get their act together?

[Rick Cooper]

I also enforce a proper helo name. I just went through this with a rather large insurance company that switched mail servers and the new server was incorrectly configured so it helo'd with something like boogabooga.internal (I don't remember the host name part). The smart ass mail admin said "what if that host doesn't have a FQDN" and I replied dotted quad in square brackets according to the RFCs... bud.

I come across this now and then and I always try and contact the sender's responsible party to clear it up, it's wrong, it breaks SPF, it breaks RFCs and it's VERY common to see unqualified names coming from BOTS, virus and spam. I bet if you look through your logs you will see most hosts that helo with a non FQDN or .internal/.local/.localdomain are mostly dynamic DSL or cable hosts. I dump a ton of them everyday.

I also run Exim and I have a !hosts = /ListOfDickHeadsIHaveToAccept before each compliance check condition. For instance a Zurich subsidiary that helo'd as something_stupid.local, no RDNS, they did about everything but spit on the RFCs and we had to have their mail. I put them in the list, inform the maintainers and remove them after 90 days and see what happens.
The file can be just a flat text file in the format of

10.10.10.10 # Remove in April
10.10.10.1 # Remove In May

They do not, of course, get a pass around virus, attachment, etc checking, just compliance checks.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From richard.frovarp at sendit.nodak.edu Fri Feb 29 20:48:50 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Fri Feb 29 20:49:26 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <115b01c87b11$356d86d0$0301a8c0@SAHOMELT>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com> <115b01c87b11$356d86d0$0301a8c0@SAHOMELT>
Message-ID: <47C86FB2.2060207@sendit.nodak.edu>

Rick Cooper wrote:
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of
> *Hostmaster
> *Sent:* Friday, February 29, 2008 10:06 AM
> *To:* MailScanner discussion
> *Subject:* [Maybe OT] - RFC compliance checking at session
>
> Hi All,
>
> I would like to elicit some opinions from you other MailScanner
> using MX-administrators. I know that there was some discussion on
> list some time ago regarding session checking, particularly
> HELO/EHLO checking, and its compliance against RFC 821, as
> clarified and updated in 2821.
>
> We use Exim for both inbound and outbound message handling around
> MailScanner, and on the inbound, some quite complex ACL’s to
> validate the session to try and cut down the amount of spam our
> users get. The first check we run is to ensure that the HELO/EHLO
> is an FQDN. We don’t then validate if this FQDN can be resolved,
> or even if it is valid, it just has to be host.domain.tld, and
> this significantly cuts the number of RBL lookups we do. This
> hasn’t caused us any problems with rejecting valid mail until now.
>
> One of our users complained that they were no longer receiving a
> newsletter they signed up for. I managed to find it in the exim
> reject logs, and sure enough, it was failing the host checking –
> the EHLO it sends is “(server3549)”, and exim declines the session
> with a 550 – permanent reject for policy reasons.
>
> Now comes the fun part. That 550 is not enough for the sender – it
> ignores it and constantly retries the send, treating it more like
> a 450, but not following any normal MTA retry period I can
> establish. That would be enough for me to leave them blocked, but
> checking further, the IP for that host has no RDNS, also a big
> no-no in my opinion for a valid mail server, and the IP does not
> accept return SMTP – indicating that it’s probably a web server
> and not an MTA itself. I even took the liberty of doing an
> IPWhois, phoning the helpdesk of the company responsible for the
> IP (only because they are UK based the same as us) and pointing
> the problem out, only to be met with “yeah, we know about that,
> it’ll be fixed sometime next year when we put a new server in”,
> even after I pointed out that they wouldn’t be getting successful
> deliveries to organisations such as AOL (RDNS is a must) and
> BT/Yahoo (whose policies are incredibly strict)!
>
> So what do you guys think? Am I just being particularly awkward on
> a Friday afternoon and should I spend my time re-working our
> config to work around an organisation who is blatantly ignorant of
> common mail server practise, or just tell my user that the sending
> organisation needs to get their act together?
> [Rick Cooper]
>
> I also enforce a proper helo name. I just went through this with a
> rather large insurance company that switched mail servers and the
> new server was incorrectly configured so it helo'd with something
> like boogabooga.internal (I don't remember the host name part).
> The smart ass mail admin said "what if that host doesn't have a
> FQDN" and I replied dotted quad in square brackets according to
> the RFCs... bud.
>
> I come across this now and then and I always try and contact the
> sender's responsible party to clear it up, it's wrong, it breaks
> SPF, it breaks RFCs and it's VERY common to see unqualified names
> coming from BOTS, virus and spam. I bet if you look through your
> logs you will see most hosts that helo with a non FQDN or
> .internal/.local/.localdomain are mostly dynamic DSL or cable
> hosts. I dump a ton of them everyday.
>
> I also run Exim and I have a !hosts =
> /ListOfDickHeadsIHaveToAccept before each compliance check
> condition. For instance a Zurich subsidiary that helo'd as
> something_stupid.local, no RDNS, they did about everything but
> spit on the RFCs and we had to have their mail. I put them in the
> list, inform the maintainers and remove them after 90 days and see
> what happens. The file can be just a flat text file in the format of
>
> 10.10.10.10 # Remove in April
>
> 10.10.10.1 # Remove In May
>
> They do not, of course, get a pass around virus, attachment, etc
> checking, just compliance checks.
>
> Rick
>

I thought that rejecting on helo alone was against the RFCs.

From mikea at mikea.ath.cx Fri Feb 29 21:29:57 2008
From: mikea at mikea.ath.cx (mikea)
Date: Fri Feb 29 21:30:33 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <47C86FB2.2060207@sendit.nodak.edu>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com> <115b01c87b11$356d86d0$0301a8c0@SAHOMELT> <47C86FB2.2060207@sendit.nodak.edu>
Message-ID: <20080229212956.GA2213@mikea.ath.cx>

On Fri, Feb 29, 2008 at 02:48:50PM -0600, Richard Frovarp wrote:
> Rick Cooper wrote:
> > We use Exim for both inbound and outbound message handling around
> > MailScanner, and on the inbound, some quite complex ACL’s to
> > validate the session to try and cut down the amount of spam our
> > users get. The first check we run is to ensure that the HELO/EHLO
> > is an FQDN. We don’t then validate if this FQDN can be resolved,
> > or even if it is valid, it just has to be host.domain.tld, and
> > this significantly cuts the number of RBL lookups we do. This
> > hasn’t caused us any problems with rejecting valid mail until now.
> >
> > One of our users complained that they were no longer receiving a
> > newsletter they signed up for. I managed to find it in the exim
> > reject logs, and sure enough, it was failing the host checking –
> > the EHLO it sends is “(server3549)”, and exim declines the session
> > with a 550 – permanent reject for policy reasons.
> >
> > Now comes the fun part. That 550 is not enough for the sender – it
> > ignores it and constantly retries the send, treating it more like
> > a 450, but not following any normal MTA retry period I can
> > establish. That would be enough for me to leave them blocked, but
> > checking further, the IP for that host has no RDNS, also a big
> > no-no in my opinion for a valid mail server, and the IP does not
> > accept return SMTP – indicating that it’s probably a web server
> > and not an MTA itself. I even took the liberty of doing an
> > IPWhois, phoning the helpdesk of the company responsible for the
> > IP (only because they are UK based the same as us) and pointing
> > the problem out, only to be met with “yeah, we know about that,
> > it’ll be fixed sometime next year when we put a new server in”,
> > even after I pointed out that they wouldn’t be getting successful
> > deliveries to organisations such as AOL (RDNS is a must) and
> > BT/Yahoo (whose policies are incredibly strict)!
> >
> > So what do you guys think? Am I just being particularly awkward on
> > a Friday afternoon and should I spend my time re-working our
> > config to work around an organisation who is blatantly ignorant of
> > common mail server practise, or just tell my user that the sending
> > organisation needs to get their act together?
> > [Rick Cooper]
> >
> > I also enforce a proper helo name. I just went through this with a
> > rather large insurance company that switched mail servers and the
> > new server was incorrectly configured so it helo'd with something
> > like boogabooga.internal (I don't remember the host name part).
> > The smart ass mail admin said "what if that host doesn't have a
> > FQDN" and I replied dotted quad in square brackets according to
> > the RFCs... bud.
> >
> > I come across this now and then and I always try and contact the
> > sender's responsible party to clear it up, it's wrong, it breaks
> > SPF, it breaks RFCs and it's VERY common to see unqualified names
> > coming from BOTS, virus and spam. I bet if you look through your
> > logs you will see most hosts that helo with a non FQDN or
> > .internal/.local/.localdomain are mostly dynamic DSL or cable
> > hosts. I dump a ton of them everyday.
> >
> > I also run Exim and I have a !hosts =
> > /ListOfDickHeadsIHaveToAccept before each compliance check
> > condition. For instance a Zurich subsidiary that helo'd as
> > something_stupid.local, no RDNS, they did about everything but
> > spit on the RFCs and we had to have their mail. I put them in the
> > list, inform the maintainers and remove them after 90 days and see
> > what happens. The file can be just a flat text file in the format of
> >
> > 10.10.10.10 # Remove in April
> >
> > 10.10.10.1 # Remove In May
> >
> > They do not, of course, get a pass around virus, attachment, etc
> > checking, just compliance checks.

> I thought that rejecting on helo alone was against the RFCs.

It's my understanding that rejecting *because the hostname in the HELO can't be resolved* is in some senses contrary to the RFCs. Rejecting because the hostname in the HELO is totally bogus (not an FQDN, for example, or otherwise not compliant with RFC 2821) comes under policy decisions, which the server operator is free to make as he or she sees fit.

From RFC 2821:

: 2.3.5 Domain
:
: A domain (or domain name) consists of one or more dot-separated
: components. These components ("labels" in DNS terminology [22]) are
: restricted for SMTP purposes to consist of a sequence of letters,
: digits, and hyphens drawn from the ASCII character set [1]. Domain
: names are used as names of hosts and of other entities in the domain
: name hierarchy. For example, a domain may refer to an alias (label
: of a CNAME RR) or the label of Mail eXchanger records to be used to
: deliver mail instead of representing a host name. See [22] and
: section 5 of this specification.
:
: The domain name, as described in this document and in [22], is the
: entire, fully-qualified name (often referred to as an "FQDN"). A
: domain name that is not in FQDN form is no more than a local alias.
: Local aliases MUST NOT appear in any SMTP transaction.
:
: and
:
: 3.6 Domains
:
: Only resolvable, fully-qualified, domain names (FQDNs) are permitted
: when domain names are used in SMTP. In other words, names that can
: be resolved to MX RRs or A RRs (as discussed in section 5) are
: permitted, as are CNAME RRs whose targets can be resolved, in turn,
: to MX or A RRs. Local nicknames or unqualified names MUST NOT be
: used. There are two exceptions to the rule requiring FQDNs:
:
: - The domain name given in the EHLO command MUST BE either a primary
: host name (a domain name that resolves to an A RR) or, if the host
: has no name, an address literal as described in section 4.1.1.1.
:
: - The reserved mailbox name "postmaster" may be used in a RCPT
: command without domain qualification (see section 4.1.1.3) and
: MUST be accepted if so used.
:
: and
:
: 4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)
:
: These commands are used to identify the SMTP client to the SMTP
: server. The argument field contains the fully-qualified domain name
: of the SMTP client if one is available. In situations in which the
: SMTP client system does not have a meaningful domain name (e.g., when
: its address is dynamically allocated and no reverse mapping record is
: available), the client SHOULD send an address literal (see section
: 4.1.3), optionally followed by information that will help to identify
: the client system. The SMTP server identifies itself to the SMTP
: client in the connection greeting reply and in the response to this
: command.
:
: A client SMTP SHOULD start an SMTP session by issuing the EHLO
: command. If the SMTP server supports the SMTP service extensions it
: will give a successful response, a failure response, or an error
: response. If the SMTP server, in violation of this specification,
: does not support any SMTP service extensions it will generate an
: error response. Older client SMTP systems MAY, as discussed above,
: use HELO (as specified in RFC 821) instead of EHLO, and servers MUST
: support the HELO command and reply properly to it. In any event, a
: client MUST issue HELO or EHLO before starting a mail transaction.
:
: These commands, and a "250 OK" reply to one of them, confirm that
: both the SMTP client and the SMTP server are in the initial state,
: that is, there is no transaction in progress and all state tables and
: buffers are cleared.
:
: Syntax:
:
: ehlo = "EHLO" SP Domain CRLF
: helo = "HELO" SP Domain CRLF

"Local aliases MUST NOT appear in any SMTP transaction" is pretty definitive. This means that "HELO joe-computer", "EHLO ditlq", and "HELO Wireless_Broadband_Router", all of which just flew through my maillog at high speed, fail to comply with RFC 2821.

Similarly, "HELO 123.234.134.124", with bare numbers and dots not enclosed by "[" and "]", is not compliant with RFC 2821, because 123.234.134.124 is not an address literal and there are no Top-Level-Domains (TLDs) which are all-numeric. "HELO [123.234.134.124]" would be compliant.

I get to make a policy decision that non-compliant HELO/EHLO values and certain other RFC violations will get that SMTP transaction REJECTed, and I do: HELO/EHLO with no dots in the HELO domain value will get your mail rejected, and HELO/EHLO with a domain value that is all (numbers and dots) will get your mail rejected. It keeps a _lot_ of spam out.

Occasionally some vendor's IT staff will forget to set a mailer up with a valid FQDN, we'll reject the mail, they'll call me or write me (out of band) to ask why. So far the result has uniformly been an embarrassed "Oh. Forgot about that. Oops!" followed by a note checking if it's set up correctly now.

Mind you, I have pretty free rein here, and since we're a government agency, we can be pretty stiff about what we'll accept. Your Mileage May Vary.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From glenn.steen at gmail.com Fri Feb 29 21:30:55 2008
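Added example, not part of any message in this thread and not the posters' Exim configuration: a syntax-only HELO/EHLO check combining the policy Mike Andrews describes above (no dots, bare numeric IP, bracketed address literal) with the suffixes and the flat exemption file from Rick Cooper's earlier message. The function names, verdict labels, the 192.0.2.x client addresses and mail.example.com are assumptions of this example; the HELO strings are the ones quoted in the thread.

```python
import ipaddress
import re

# One label as RFC 2821 section 2.3.5 restricts it: letters, digits, hyphens.
# Refusing a leading or trailing hyphen is the usual hostname rule
# (an assumption of this example, not quoted in the thread).
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Suffixes named in the thread as typical of misconfigured or dynamic hosts.
LOCAL_SUFFIXES = ("internal", "local", "localdomain")

# Exemption file in the format shown in the thread: "IP # note".
EXEMPT_FILE = """\
10.10.10.10 # Remove in April
10.10.10.1 # Remove In May
"""

# Constructed (client IP, HELO argument) pairs for the demonstration.
SESSIONS = [
    ("192.0.2.10", "joe-computer"),
    ("192.0.2.11", "ditlq"),
    ("192.0.2.12", "Wireless_Broadband_Router"),
    ("192.0.2.13", "123.234.134.124"),
    ("192.0.2.14", "[123.234.134.124]"),
    ("192.0.2.15", "(server3549)"),
    ("192.0.2.16", "boogabooga.internal"),
    ("10.10.10.10", "something_stupid.local"),
    ("192.0.2.17", "mail.example.com"),
]


def classify_helo(arg):
    """Syntax-only check of a HELO/EHLO argument; no DNS lookup is made.

    Returns (ok, reason).
    """
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        try:
            if inner.lower().startswith("ipv6:"):
                ipaddress.IPv6Address(inner[5:])
            else:
                ipaddress.IPv4Address(inner)
        except ValueError:
            return False, "bad-literal"
        return True, "address-literal"
    if re.fullmatch(r"[0-9.]+", arg):
        # Numbers and dots without brackets: not an address literal,
        # and no TLD is all-numeric.
        return False, "bare-ip"
    labels = arg.split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        return False, "bad-label"
    if len(labels) < 2:
        return False, "unqualified"
    if labels[-1].lower() in LOCAL_SUFFIXES:
        return False, "local-suffix"
    return True, "fqdn"


def load_exemptions(text):
    """Parse the flat exemption file; returns {ip_address: note}."""
    exempt = {}
    for line in text.splitlines():
        entry, _, note = line.partition("#")
        entry = entry.strip()
        if entry:
            exempt[ipaddress.ip_address(entry)] = note.strip()
    return exempt


def helo_decision(client_ip, helo_arg, exempt):
    """Exempt hosts skip the compliance check only; later content
    scanning (virus, attachment) is outside this function."""
    ip = ipaddress.ip_address(client_ip)
    if ip in exempt:
        return "accept", "exempt (" + exempt[ip] + ")"
    ok, reason = classify_helo(helo_arg)
    return ("accept" if ok else "reject"), reason


def run_samples():
    exempt = load_exemptions(EXEMPT_FILE)
    return [(ip, helo) + helo_decision(ip, helo, exempt) for ip, helo in SESSIONS]


if __name__ == "__main__":
    for ip, helo, action, reason in run_samples():
        print(f"{ip:<12} {helo:<28} {action:<7} {reason}")
```

The note kept beside each exempted address is what makes the 90-day review workable: the accept reason carries the reminder into whatever log records the decision.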
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 29 21:31:31 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
Message-ID: <223f97700802291330k48428e8fgda4cd6711e1e7b91@mail.gmail.com>

On 29/02/2008, Hostmaster wrote:
>
> Hi All,
>
> I would like to elicit some opinions from you other MailScanner using
> MX-administrators. I know that there was some discussion on list some time
> ago regarding session checking, particularly HELO/EHLO checking, and its
> compliance against RFC 821, as clarified and updated in 2821.
>
Not to mention 1123... Which cares for HELO, while 2821 caters for EHLO...:-).

> We use Exim for both inbound and outbound message handling around
> MailScanner, and on the inbound, some quite complex ACL's to validate the
> session to try and cut down the amount of spam our users get. The first
> check we run is to ensure that the HELO/EHLO is an FQDN. We don't then
> validate if this FQDN can be resolved, or even if it is valid, it just has
> to be host.domain.tld, and this significantly cuts the number of RBL lookups
> we do. This hasn't caused us any problems with rejecting valid mail until
> now.
>
Sensible. Exactly what every mail admin on the planet should do.

> One of our users complained that they were no longer receiving a newsletter
> they signed up for. I managed to find it in the exim reject logs, and sure
> enough, it was failing the host checking – the EHLO it sends is
> "(server3549)", and exim declines the session with a 550 – permanent reject
> for policy reasons.
>
A clear violation. Your user loses, unless pressure to get _them_ to fix it is successfully applied... Think "Sopranos"....:-D
Kidding aside, it is NOT your problem.
If anything it is a thing between your user and the idiots operating the list in question... Your job is to make that crystal clear to the user. And that it is not an option to whitelist. If you do, where do you stop!? Accepting viruses gratuitously? No. Just say no. There is no leeway on this, as one can have with other things in the RFCs, they can have no benefit from their broken system, so they shouldn't be excused.

> Now comes the fun part. That 550 is not enough for the sender – it ignores
> it and constantly retries the send, treating it more like a 450, but not
> following any normal MTA retry period I can establish. That would be enough
> for me to leave them blocked, but checking further, the IP for that host has
> no RDNS, also a big no-no in my opinion for a valid mail server, and the IP
> does not accept return SMTP – indicating that it's probably a web server and
> not an MTA itself. I even took the liberty of doing an IPWhois, phoning the
> helpdesk of the company responsible for the IP (only because they are UK
> based the same as us) and pointing the problem out, only to be met with
> "yeah, we know about that, it'll be fixed sometime next year when we put a
> new server in", even after I pointed out that they wouldn't be getting
> successful deliveries to organisations such as AOL (RDNS is a must) and
> BT/Yahoo (whose policies are incredibly strict)!
>
So they add error after error, then shrug it off (I applaud your tenacity, doing all that work... The user isn't your CEO, by any chance? Even a CEO need hear a "no, it's not how things are best done, not even close" from time to time:-).... They get what they deserve.

I had a similar incident a week or so back, where the press secretary (a C position with a lot of clout in our organization) got charged for a "leadership network seminar" she supposedly had been invited to (it's a "pay if you don't opt out" kind of thing.
Gah), but that had been rejected since they EHLO'd as "bertil".... Well, after pointing out that they were in violation of email standards, and that there was no chance in I was going to do silly hoops to let them through... *she* took a contact demanding (and getting) a refund, as well as a promise (from the non-tech contact, with a certain amount of clout) that they would fix it ASAP.

Moral of the story? Well:
- Don't give in.
- Make the user make a formal complaint to the *business* side of things. It is MUCH more effective, since they (unlike the tech you talked to) usually have a clearer view of where the beans are coming from.

> So what do you guys think? Am I just being particularly awkward on a Friday
> afternoon and should I spend my time re-working our config to work around an
> organisation who is blatantly ignorant of common mail server practise, or
> just tell my user that the sending organisation needs to get their act
> together?
Don't change a thing. Tell your user that they (the list owners, not the user:-) are idiots, and back it up with log snippets and RFC references (if needed). If possible, advise your user to shop elsewhere for that list content... and if you have a business relationship with them, tell your user to shop elsewhere, period. If they can't get a simple thing like this right (after being poked), what else do they get wrong?;-)

> Best Regards,
>
Do a double-dash-space here, like -- ... and everything below will be trimmed by smart MUAs (or MUA users:-)
> Richard Garner (A+, N+, AMBCS, MOS-O)
... as is, I'll just (snip) away...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rcooper at dwford.com Fri Feb 29 21:36:43 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Feb 29 21:37:27 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <47C86FB2.2060207@sendit.nodak.edu>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com><115b01c87b11$356d86d0$0301a8c0@SAHOMELT> <47C86FB2.2060207@sendit.nodak.edu>
Message-ID: <116f01c87b1b$2dba0bc0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp
> Sent: Friday, February 29, 2008 3:49 PM
> To: MailScanner discussion
> Subject: Re: [Maybe OT] - RFC compliance checking at session
>
> Rick Cooper wrote:
> >
> > ------------------------------------------------------------------------
> > *From:* mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of
> > *Hostmaster
> > *Sent:* Friday, February 29, 2008 10:06 AM
> > *To:* MailScanner discussion
> > *Subject:* [Maybe OT] - RFC compliance checking at session

[...]

> > I also run Exim and I have a !hosts =
> > /ListOfDickHeadsIHaveToAccept before each compliance check
> > condition. For instance a Zurich subsidiary that helo'd as
> > something_stupid.local, no RDNS, they did about everything but
> > spit on the RFCs and we had to have their mail. I put them in the
> > list, inform the maintainers and remove them after 90 days and see
> > what happens. The file can be just a flat text file in the format of
> >
> > 10.10.10.10 # Remove in April
> >
> > 10.10.10.1 # Remove In May
> >
> > They do not, of course, get a pass around virus, attachment, etc
> > checking, just compliance checks.
> >
> > Rick
> >
>
> I thought that rejecting on helo alone was against the RFCs.

I admit that rejecting on helo alone is a violation and I thought about it long and hard before implementing. RFC 821 was written in, I believe, 1984 and the world has changed. In 1984 spam was a nasty kind of meat (except of course in Hawaii where it's primo food). 821 clearly states a MUST ensure the domain parameter is a valid principal domain name for the client host. It then states the receiver MUST NOT refuse if the helo validation fails and then has a note that the helo argument must still have a valid domain syntax otherwise a 501 error is to be sent.
And of course later RFCs state that if a host doesn't have a valid FQDN the dotted quad IP should be sent inside square brackets in the form of [xxx.xxx.xxx.xxx]. That is just too obtuse and in today's world it doesn't make sense. RFC 821 even states the suggested procedure to use when a helo is invalid is to insert a note in the message header and gives the received header as an example.

Now according to RFC 821 if I am MX mail.somedomain.com and I reside at IP 10.10.10.1 and a host residing at 10.9.1.1 helos as mail.somedomain.com I should accept the message even though this is *clearly* an attempt to circumvent security... I just don't buy that. In fact if you helo as any host from any domain under our company control and your IP places you outside any of the associated IPS I will drop the session right there as well.

So yes, I am sorry to say that is one RFC section I will violate. But if I can validate any part of the helo, I will accept the message. But sans RDNS, heloing as BILLS_ROOM.local is getting the door slammed for sure. You give a proper helo, have something like proper DNS and even if you are a host on comcast's dynamic pool you will get past the helo, probably won't get very far past it but you will get past it.

Rick

From glenn.steen at gmail.com Fri Feb 29 21:40:06 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 29 21:40:41 2008 Subject: [Maybe OT] - RFC compliance checking at session In-Reply-To: <47C86FB2.2060207@sendit.nodak.edu> References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com> <115b01c87b11$356d86d0$0301a8c0@SAHOMELT> <47C86FB2.2060207@sendit.nodak.edu> Message-ID: <223f97700802291340w22e50a1dmb472d0fba242eadd@mail.gmail.com> On 29/02/2008, Richard Frovarp wrote: > Rick Cooper wrote: > > > > ------------------------------------------------------------------------ > > *From:* mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > > *Hostmaster > > *Sent:* Friday, February 29, 2008 10:06 AM > > *To:* MailScanner discussion > > *Subject:* [Maybe OT] - RFC compliance checking at session > > > > Hi All, > > > > I would like to illicit some opinions from you other MailScanner > > using MX-administrators. I know that there was some discussion on > > list some time ago regarding session checking, particularly > > HELO/EHLO checking, and its compliance against RFC 821, as > > clarified and updated in 2821. > > > > > > > > We use Exim for both inbound and outbound message handling around > > MailScanner, and on the inbound, some quite complex ACL's to > > validate the session to try and cut down the amount of spam our > > users get. The first check we run is to ensure that the HELO/EHLO > > is an FQDN. We don't then validate if this FQDN can be resolved, > > or even if it is valid, it just has to be host.domain.tld, and > > this significantly cuts the number of RBL lookups we do. This > > hasn't caused us any problems with rejecting valid mail until now. > > > > One of our users complained that they were no longer receiving a > > newsletter they signed up for. I managed to find it in the exim > > reject logs, and sure enough, it was failing the host checking ? 
> > the EHLO it sends is "(server3549)", and exim declines the session > > with a 550 ? permanent reject for policy reasons. > > > > Now comes the fun part. That 550 is not enough for the sender ? it > > ignores it and constantly retries the send, treating it more like > > a 450, but not following any normal MTA retry period I can > > establish. That would be enough for me to leave them blocked, but > > checking further, the IP for that host has no RDNS, also a big > > no-no in my opinion for a valid mail server, and the IP does not > > accept return SMTP ? indicating that it's probably a web server > > and not an MTA itself. I even took the liberty of doing an > > IPWhois, phoning the helpdesk of the company responsible for the > > IP (only because they are UK based the same as us) and pointing > > the problem out, only to be met with "yeah, we know about that, > > it'll be fixed sometime next year when we put a new server in", > > even after I pointed out that they wouldn't be getting successful > > deliveries to organisations such as AOL (RDNS is a must) and > > BT/Yahoo (whose policies are incredibly strict)! > > > > > > > > So what do you guys think? Am I just being particularly awkward on > > a Friday afternoon and should I spend my time re-working our > > config to work around an organisation who is blatantly ignorant of > > common mail server practise, or just tell my user that the sending > > organisation needs to get their act together? > > [Rick Cooper] > > > > I also enforce a proper helo name. I just went through this with a > > rather large insurance company that switched mail servers and the > > new server was incorrectlu configured so it helo'd with something > > like boogabooga.internal (I don't remember the host name part). > > The smart ass mail admin said "what if that host doesn't have a > > FQDN" and I replied dotted quad in square brackets according to > > the RFCs... bud. 
> >
> > I come across this now and then and I always try and contact the
> > sender's responsible party to clear it up, it's wrong, it breaks
> > SPF, it breaks RFCs and it's VERY common to see unqualified names
> > coming from BOTS, virus and spam. I bet if you look through your
> > logs you will see most hosts that helo with a non FQDN or
> > .internal/.local/.localdomain are mostly dynamic DSL or cable
> > hosts. I dump a ton of them every day.
> >
> > I also run Exim and I have a !hosts =
> > /ListOfDickHeadsIHaveToAccept before each compliance check
> > condition. For instance a Zurich subsidiary that helo'd as
> > something_stupid.local, no RDNS, they did about everything but
> > spit on the RFCs and we had to have their mail. I put them in the
> > list, inform the maintainers and remove them after 90 days and see
> > what happens. The file can be just a flat text file in the format of
> >
> > 10.10.10.10 # Remove in April
> >
> > 10.10.10.1 # Remove In May
> >
> > They do not, of course, get a pass around virus, attachment, etc
> > checking, just compliance checks.
> >
> > Rick
> >
> >
> I thought that rejecting on helo alone was against the RFCs.
>
No it's not. Go read 1123 and 2821, and the thread I and Matt Kettler had a while back on that very subject. Quite an easy check, and effective. If one wants to play it safe, use the check in conjunction with greylisting (as a greylist criteria), to sort of both have and eat the cake (wonder if I got that right...:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Feb 29 21:44:58 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 29 21:45:34 2008 Subject: [Maybe OT] - RFC compliance checking at session In-Reply-To: <47C8374F.9000502@evi-inc.com> References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com> <47C8374F.9000502@evi-inc.com> Message-ID: <223f97700802291344t133458ep981b15b4e9ecc969@mail.gmail.com> On 29/02/2008, Matt Kettler wrote: > Hostmaster wrote: > > Hi All, > > > > I would like to illicit some opinions from you other MailScanner using > > MX-administrators. > > > Pretty much all your opinions here are valid, except: > > > > and the IP does not accept return SMTP ? indicating that > > it's probably a web server and not an MTA itself. > > > I find that conclusion irrational. Why wouldn't it be an MTA? > > Anyone large enough to have separate MX (inbound) and smarthost (outbound) > servers should *NOT* be accepting inbound SMTP connections to their smarthost > servers from the outside world. Only their internal network should be able to > SMTP to the smarthost. > > There's no reason to allow it, so best practice would suggest you should close > that off at the firewall. Any legitimate mail delivery attempts will go to the > MX servers. Therefore any attempts to connect to port 25 on the SmartHost from > the outside are either hackers, scans, or random pokes and prods at parts of > your network nobody on the outside belongs in. > > > I think it's a pretty far jump to assume that any system that generates SMTP but > doesn't accept inbound from you can't be an MTA. It's quite possible it is an > MTA, but you're not authorized to try to queue mail there and are firewalled out. > I'm not going to disagree (much:-) with you today/tonight Matt (not sober enough, and I need be very sharp when doing that:-):-), but what about all that stuff ... domain litterals etc... all there to facilitate bouncing when there is no DNS etc. 
Kind of implies that all SMTP senders are supposed to be able to be receivers too, now don't it? Or maybe I'm in delirium tremens and that is just a figment of that state:-):-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Feb 29 21:54:00 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 29 21:54:36 2008 Subject: [Maybe OT] - RFC compliance checking at session In-Reply-To: <20080229212956.GA2213@mikea.ath.cx> References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com> <115b01c87b11$356d86d0$0301a8c0@SAHOMELT> <47C86FB2.2060207@sendit.nodak.edu> <20080229212956.GA2213@mikea.ath.cx> Message-ID: <223f97700802291354h1aa252e6yba4214737601b2b0@mail.gmail.com> On 29/02/2008, mikea wrote: > On Fri, Feb 29, 2008 at 02:48:50PM -0600, Richard Frovarp wrote: > > Rick Cooper wrote: > > > > We use Exim for both inbound and outbound message handling around > > > MailScanner, and on the inbound, some quite complex ACL's to > > > validate the session to try and cut down the amount of spam our > > > users get. The first check we run is to ensure that the HELO/EHLO > > > is an FQDN. We don't then validate if this FQDN can be resolved, > > > or even if it is valid, it just has to be host.domain.tld, and > > > this significantly cuts the number of RBL lookups we do. This > > > hasn't caused us any problems with rejecting valid mail until now. > > > > > > One of our users complained that they were no longer receiving a > > > newsletter they signed up for. I managed to find it in the exim > > > reject logs, and sure enough, it was failing the host checking ? > > > the EHLO it sends is "(server3549)", and exim declines the session > > > with a 550 ? permanent reject for policy reasons. > > > > > > Now comes the fun part. That 550 is not enough for the sender ? it > > > ignores it and constantly retries the send, treating it more like > > > a 450, but not following any normal MTA retry period I can > > > establish. That would be enough for me to leave them blocked, but > > > checking further, the IP for that host has no RDNS, also a big > > > no-no in my opinion for a valid mail server, and the IP does not > > > accept return SMTP ? 
indicating that it's probably a web server > > > and not an MTA itself. I even took the liberty of doing an > > > IPWhois, phoning the helpdesk of the company responsible for the > > > IP (only because they are UK based the same as us) and pointing > > > the problem out, only to be met with "yeah, we know about that, > > > it'll be fixed sometime next year when we put a new server in", > > > even after I pointed out that they wouldn't be getting successful > > > deliveries to organisations such as AOL (RDNS is a must) and > > > BT/Yahoo (whose policies are incredibly strict)! > > > > > > > > > > > > So what do you guys think? Am I just being particularly awkward on > > > a Friday afternoon and should I spend my time re-working our > > > config to work around an organisation who is blatantly ignorant of > > > common mail server practise, or just tell my user that the sending > > > organisation needs to get their act together? > > > [Rick Cooper] > > > > > > I also enforce a proper helo name. I just went through this with a > > > rather large insurance company that switched mail servers and the > > > new server was incorrectlu configured so it helo'd with something > > > like boogabooga.internal (I don't remember the host name part). > > > The smart ass mail admin said "what if that host doesn't have a > > > FQDN" and I replied dotted quad in square brackets according to > > > the RFCs... bud. > > > > > > I come across this now and then and I always try and contact the > > > sender's responsible party to clear it up, it wrong, it breaks > > > SPF, it breaks RFCs and it's VERY common to see unqualified names > > > coming from BOTS, virus and spam. I bet if you look though your > > > logs you will see most hosts that helo with a non FQDN or > > > .internal/.local/.localdomain are mostly dynamic DSL or cable > > > hosts. I dump a ton of them everyday. 
> > > > > > I also run Exim and I have a !hosts = > > > /ListOfDickHeadsIHaveToAccept before each compliance check > > > condition. For instance a Zurich subsidiary that helo'd as > > > something_stupid.local, no RDNS, they did about everything but > > > spit on the RFCs and we had to have thier mail. I put them in the > > > list, inform the maintainers and remove them after 90 days and see > > > what happens. The file can be just a flat text file in the format of > > > > > > 10.10.10.10 # Remove in April > > > > > > 10.10.10.1 # Remove In May > > > > > > They do not, of course, get a pass around virus, attachment, etc > > > checking, just compliance checks. > > > > I thought that rejecting on helo alone was against the RFCs. > > > It's my understanding that rejecting *because the hostname in the HELO > can't be resolved* is in some senses contrary to the RFCs. Rejecting > because the hostname in the HELO is totally bogus (not an FQDN, for > example, or otherwise not compliant with RFC 2821) comes under policy > decisions, which the server operator is free to make as he or she sees > fit. > > >From RFC 2821: > > : 2.3.5 Domain > : > : A domain (or domain name) consists of one or more dot-separated > : components. These components ("labels" in DNS terminology [22]) are > : restricted for SMTP purposes to consist of a sequence of letters, > : digits, and hyphens drawn from the ASCII character set [1]. Domain > : names are used as names of hosts and of other entities in the domain > : name hierarchy. For example, a domain may refer to an alias (label > : of a CNAME RR) or the label of Mail eXchanger records to be used to > : deliver mail instead of representing a host name. See [22] and > : section 5 of this specification. > : > : The domain name, as described in this document and in [22], is the > : entire, fully-qualified name (often referred to as an "FQDN"). A > : domain name that is not in FQDN form is no more than a local alias. 
> : Local aliases MUST NOT appear in any SMTP transaction. > : > : and > : > : 3.6 Domains > : > : Only resolvable, fully-qualified, domain names (FQDNs) are permitted > : when domain names are used in SMTP. In other words, names that can > : be resolved to MX RRs or A RRs (as discussed in section 5) are > : permitted, as are CNAME RRs whose targets can be resolved, in turn, > : to MX or A RRs. Local nicknames or unqualified names MUST NOT be > : used. There are two exceptions to the rule requiring FQDNs: > : > : - The domain name given in the EHLO command MUST BE either a primary > : host name (a domain name that resolves to an A RR) or, if the host > : has no name, an address literal as described in section 4.1.1.1. > : > : - The reserved mailbox name "postmaster" may be used in a RCPT > : command without domain qualification (see section 4.1.1.3) and > : MUST be accepted if so used. > : > : and > : > : 4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO) > : > : These commands are used to identify the SMTP client to the SMTP > : server. The argument field contains the fully-qualified domain name > : of the SMTP client if one is available. In situations in which the > : SMTP client system does not have a meaningful domain name (e.g., when > : its address is dynamically allocated and no reverse mapping record is > : available), the client SHOULD send an address literal (see section > : 4.1.3), optionally followed by information that will help to identify > : the client system. The SMTP server identifies itself to the SMTP > : client in the connection greeting reply and in the response to this > : command. > : > : A client SMTP SHOULD start an SMTP session by issuing the EHLO > : command. If the SMTP server supports the SMTP service extensions it > : will give a successful response, a failure response, or an error > : response. If the SMTP server, in violation of this specification, > : does not support any SMTP service extensions it will generate an > : error response. 
Older client SMTP systems MAY, as discussed above,
> : use HELO (as specified in RFC 821) instead of EHLO, and servers MUST
> : support the HELO command and reply properly to it. In any event, a
> : client MUST issue HELO or EHLO before starting a mail transaction.
> :
> : These commands, and a "250 OK" reply to one of them, confirm that
> : both the SMTP client and the SMTP server are in the initial state,
> : that is, there is no transaction in progress and all state tables and
> : buffers are cleared.
> :
> : Syntax:
> :
> : ehlo = "EHLO" SP Domain CRLF
> : helo = "HELO" SP Domain CRLF
>
> "Local aliases MUST NOT appear in any SMTP transaction" is pretty
> definitive. This means that "HELO joe-computer", "EHLO ditlq", and
> "HELO Wireless_Broadband_Router", all of which just flew through my
> maillog at high speed, fail to comply with RFC 2821.
>
> Similarly, "HELO 123.234.134.124", with bare numbers and dots
> not enclosed by "[" and "]", is not compliant with RFC 2821,
> because 123.234.134.124 is not an address literal and there
> are no Top-Level-Domains (TLDs) which are all-numeric. "HELO
> [123.234.134.124]" would be compliant.
>
> I get to make a policy decision that non-compliant HELO/EHLO values
> and certain other RFC violations will get that SMTP transaction
> REJECTed, and I do: HELO/EHLO with no dots in the HELO domain value
> will get your mail rejected, and HELO/EHLO with a domain value that
> is all (numbers and dots) will get your mail rejected.
>
> It keeps a _lot_ of spam out. Occasionally some vendor's IT staff will
> forget to set a mailer up with a valid FQDN, we'll reject the mail,
> they'll call me or write me (out of band) to ask why. So far the
> result has uniformly been an embarrassed "Oh. Forgot about that. Oops!"
> followed by a note checking if it's set up correctly now.
>
> Mind you, I have pretty free rein here, and since we're a government
> agency, we can be pretty stiff about what we'll accept. Your Mileage
> May Vary.
>
Not disagreeing (much, here either:-), but the only policy decision I see is whether you decide to enforce 1123 and 2821 or not. They are rather clear on this... formal error... and (unfortunately) also clear that you cannot use a reverse lookup for rejections, although you are free to do one.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Fri Feb 29 22:19:36 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Feb 29 22:20:50 2008
Subject: [Maybe OT] - RFC compliance checking at session
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com>
Message-ID: <47C884F8.20806@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hostmaster wrote:
| So what do you guys think? Am I just being particularly awkward on a
| Friday afternoon and should I spend my time re-working our config to
| work around an organisation who is blatantly ignorant of common mail
| server practise, or just tell my user that the sending organisation
| needs to get their act together?

If they are aware the setup is not working well I would not spend another millisecond on it. It's not your problem.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHyIT2BvzDRVjxmYERAr1+AJ9pa6qLlzXUNAl02xMxybMKnnL38ACgsW4n
IXUhg1odAWdP6+JTtD8xxy4=
=Y6//
-----END PGP SIGNATURE-----

From glenn.steen at gmail.com Fri Feb 29 22:21:27 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 29 22:22:03 2008 Subject: [Maybe OT] - RFC compliance checking at session In-Reply-To: <116f01c87b1b$2dba0bc0$0301a8c0@SAHOMELT> References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com> <115b01c87b11$356d86d0$0301a8c0@SAHOMELT> <47C86FB2.2060207@sendit.nodak.edu> <116f01c87b1b$2dba0bc0$0301a8c0@SAHOMELT> Message-ID: <223f97700802291421r2e0871a2reaad563b398d4832@mail.gmail.com> On 29/02/2008, Rick Cooper wrote: > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > Behalf Of Richard Frovarp > > Sent: Friday, February 29, 2008 3:49 PM > > To: MailScanner discussion > > Subject: Re: [Maybe OT] - RFC compliance checking at session > > > > Rick Cooper wrote: > > > > > > > > ------------------------------------------------------------- > > ----------- > > > *From:* mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] > > *On Behalf Of > > > *Hostmaster > > > *Sent:* Friday, February 29, 2008 10:06 AM > > > *To:* MailScanner discussion > > > *Subject:* [Maybe OT] - RFC compliance checking at session > > [...] > > > > > > I also run Exim and I have a !hosts = > > > /ListOfDickHeadsIHaveToAccept before each compliance check > > > condition. For instance a Zurich subsidiary that helo'd as > > > something_stupid.local, no RDNS, they did about everything but > > > spit on the RFCs and we had to have thier mail. I put > > them in the > > > list, inform the maintainers and remove them after 90 > > days and see > > > what happens. The file can be just a flat text file in > > the format of > > > > > > 10.10.10.10 # Remove in April > > > > > > 10.10.10.1 # Remove In May > > > > > > They do not, of course, get a pass around virus, > > attachment, etc > > > checking, just compliance checks. > > > > > > Rick > > > > > > > I thought that rejecting on helo alone was against the RFCs. > > > I admit that rejecting on helo alone is a violation and I thought about it > long and hard before implementing. RFC 821 was written in, I believe, 1984 > and the world has changed. In 1984 spam was a nasty kind of meat (except of > course in Hawaii where it's primo food). 821 clearly states a MUST ensure > the domain parameter is a valid principle domain name for the client host. 
> It then states the receiver MUST NOT refuse if the helo validation fails and
> then has a note that the helo argument must still have a valid domain syntax
> otherwise a 501 error is to be sent. And of course later RFCs state that if
> a host doesn't have a valid FQDN the dotted quad IP should be sent inside
> square brackets in the form of [xxx.xxx.xxx.xxx].
>
> That is just too obtuse and in today's world it doesn't make sense. RFC 821
> even states the suggested procedure to use when a helo is invalid is to
> insert a note in the message header and gives the received header as an
> example. Now according to RFC 821 if I am MX mail.somedomain.com and I
> reside at IP 10.10.10.1 and a host residing at 10.9.1.1 helos as
> mail.somedomain.com I should accept the message even though this is
> *clearly* an attempt to circumvent security... I just don't buy that. In
> fact if you helo as any host from any domain under our company control and
> your IP places you outside any of the associated IPs I will drop the session
> right there as well. So yes, I am sorry to say that is one RFC section I
> will violate. But if I can validate any part of the helo, I will accept the
> message. But sans RDNS, heloing as BILLS_ROOM.local is getting the door
> slammed for sure. You give a proper helo, have something like proper DNS and
> even if you are a host on Comcast's dynamic pool you will get past the helo,
> probably won't get very far past it but you will get past it.
>
Mostly true for 1123 too... Since I get a good effect from the strict part, I don't do the rdns validation... When the strictness checks stop being effective I might start looking at it, but by then... there might be a new RFC outdating both 2821 and 1123 (and 821, which is already superseded) that actually tells us that we MUST validate the domain.... No, wait, that must be another beverage-induced fever-dream;-D.
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hvdkooij at vanderkooij.org Fri Feb 29 22:27:50 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Feb 29 22:28:37 2008 Subject: OT: Signed messages In-Reply-To: References: <47C7AE24.2010802@vanderkooij.org> Message-ID: <47C886E6.2010906@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: | on 2-28-2008 11:03 PM Hugo van der Kooij spake the following: |> |> Mike and all those that sign their messages. |> |> Can you please verify you have uploaded your pgp public key to the |> public key servers? Or include a link in your tagline. |> |> Not much use to sign messages if your public key is not public ;-) |> |> Thanks, |> Hugo. |> | Do your keys propagate between servers, or do you need to post to a few? | If more than one, do you have a list? To the best of my knowledge you only need to send it to one. I select one at random from the list below: pool.sks-keyservers.net subkeys.pgp.net pgp.mit.edu ldap://certserver.pgp.com Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHyIbkBvzDRVjxmYERAjXHAKCiGYmDUYzBnLVuSpkH1JWg5pCJLwCfeCeo KeCSTUH165Evl7K/zdQ19/0= =KShy -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Fri Feb 29 22:29:50 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Feb 29 22:30:30 2008 Subject: Off Topic: I had a good day In-Reply-To: References: <47C78283.7090808@pixelhammer.com> <200802290819.55069.dyioulos@firstbhph.com> Message-ID: <47C8875E.2080303@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Neuman wrote: | Hear, hear! | | On Feb 29, 2008, at 8:19 AM, Dimitri Yioulos wrote: | |> Some of the best humor and best human-interest stories |> I've read, have come from the technical mailing lists I subscribe to. We |> most certainly are an interesting group of folk. We all know there are 10 kind of people. And I guess you know both kinds. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHyIdcBvzDRVjxmYERApZZAKCbo62C4RR01hfr0/sFIwo7ilFI5QCfYBNg znyf96POEA3PDgKHkncU2yM= =qSl0 -----END PGP SIGNATURE----- From mikew at crucis.net Fri Feb 29 22:34:55 2008 
From: mikew at crucis.net (Mike - W0TMW) Date: Fri Feb 29 22:35:33 2008 Subject: OT: Signed messages In-Reply-To: References: <47C7AE24.2010802@vanderkooij.org> Message-ID: <47C8888F.9030901@crucis.net> The pub key was there last I looked. It's been out there for several years now. Mike W "Lose not thy airspeed lest the ground rises up and smites thee." - Anon. Scott Silva wrote: > on 2-28-2008 11:03 PM Hugo van der Kooij spake the following: >> >> Mike and all those that sign their messages. >> >> Can you please verify you have uploaded your pgp public key to the >> public key servers? Or include a link in your tagline. >> >> Not much use to sign messages if your public key is not public ;-) >> >> Thanks, >> Hugo. >> > Do your keys propagate between servers, or do you need to post to a few? > If more than one, do you have a list? > From mkettler at evi-inc.com Fri Feb 29 22:41:29 2008 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Feb 29 22:42:37 2008 Subject: [Maybe OT] - RFC compliance checking at session In-Reply-To: <223f97700802291344t133458ep981b15b4e9ecc969@mail.gmail.com> References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com> <47C8374F.9000502@evi-inc.com> <223f97700802291344t133458ep981b15b4e9ecc969@mail.gmail.com> Message-ID: <47C88A19.1040306@evi-inc.com> Glenn Steen wrote: > On 29/02/2008, Matt Kettler wrote: >> Hostmaster wrote: >> > Hi All, >> > >> > I would like to illicit some opinions from you other MailScanner using >> > MX-administrators. >> >> >> Pretty much all your opinions here are valid, except: >> >> >> > and the IP does not accept return SMTP ? indicating that >> > it's probably a web server and not an MTA itself. >> >> >> I find that conclusion irrational. Why wouldn't it be an MTA? >> >> Anyone large enough to have separate MX (inbound) and smarthost (outbound) >> servers should *NOT* be accepting inbound SMTP connections to their smarthost >> servers from the outside world. Only their internal network should be able to >> SMTP to the smarthost. >> >> There's no reason to allow it, so best practice would suggest you should close >> that off at the firewall. Any legitimate mail delivery attempts will go to the >> MX servers. Therefore any attempts to connect to port 25 on the SmartHost from >> the outside are either hackers, scans, or random pokes and prods at parts of >> your network nobody on the outside belongs in. >> >> >> I think it's a pretty far jump to assume that any system that generates SMTP but >> doesn't accept inbound from you can't be an MTA. It's quite possible it is an >> MTA, but you're not authorized to try to queue mail there and are firewalled out. >> > I'm not going to disagree (much:-) with you today/tonight Matt (not > sober enough, and I need be very sharp when doing that:-):-), but what > about all that stuff ... domain litterals etc... 
all there to
> facilitate bouncing when there is no DNS etc. Kind of implies that all
> SMTP senders are supposed to be able to be receivers too, now don't it?
> Or maybe I'm in delirium tremens and that is just a figment of that state:-):-)

Follow up again later.. I can't make much sense of what you're saying right now.

Domain literals exist to handle sending messages when DNS is down. But I don't see anywhere that suggests using them for bounces.

As best I can tell it's a flagrant violation of many RFCs to send a bounce (or any other DSN) to anything other than the return path. Trying to create a domain literal using the IP address of the host that delivered the email strikes me as absurdly broken. If nothing else, doing this would require that all SMTP clients also be mailservers... Ouch!

Relevant RFCs describing that delivery failure notifications be sent to the reverse path in the MAIL FROM: command:

RFC 821 section 3.6 (MUST)
RFC 2821 section 3.7 (MUST)
RFC 1123 section 5.3.3 (specifies SHOULD be the envelope return, not must)
RFC 3461 section 6.1 (simply described as fact, with no MUST or SHOULD.)

From MailScanner at ecs.soton.ac.uk Fri Feb 29 22:49:30 2008
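
The HELO/EHLO policy discussed in the thread above (reject names with no dots, bare dotted quads and .internal/.local/.localdomain names; accept bracketed address literals; skip the checks for listed hosts; refuse outsiders that claim a local domain), as an added Python example that is not code from any poster and not Exim configuration. It is syntax-only, with no DNS lookups; the function names, the reason strings, the IPv6 literal handling and the pairing of somedomain.com with 10.10.10.0/24 are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 2821 section 2.3.5: labels consist of letters, digits and hyphens only.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Suffixes the thread names as typical of misconfigured or dynamic hosts.
PRIVATE_SUFFIXES = (".internal", ".local", ".localdomain")


def parse_exemptions(text):
    """Parse the flat exemption file from the thread: one IP per line, '#' comments."""
    hosts = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            hosts.add(ipaddress.ip_address(entry))
    return hosts


def check_helo(helo, client_ip, exempt=(), own_domains=(), own_nets=()):
    """Return (accept, reason) for a HELO/EHLO argument sent by client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if ip in exempt:
        # Exempt hosts skip compliance checks only; content scanning still applies.
        return True, "exempt host"

    name = helo.strip()
    # Address literal: an IP inside square brackets, e.g. [123.234.134.124].
    if name.startswith("[") and name.endswith("]"):
        inner = name[1:-1]
        try:
            if inner.lower().startswith("ipv6:"):
                ipaddress.IPv6Address(inner[5:])
            else:
                ipaddress.IPv4Address(inner)
        except ValueError:
            return False, "malformed address literal"
        return True, "address literal"

    # All digits and dots without brackets is neither a literal nor a domain.
    if re.fullmatch(r"[0-9.]+", name):
        return False, "bare numbers and dots, not an address literal"

    fqdn = name.rstrip(".").lower()
    labels = fqdn.split(".")
    if len(labels) < 2:
        return False, "no dots: local alias, not an FQDN"
    if not all(LABEL.fullmatch(label) for label in labels):
        return False, "label has characters other than letters, digits, hyphens"
    if fqdn.endswith(PRIVATE_SUFFIXES):
        return False, "private pseudo-TLD"

    # A client naming one of our own domains must connect from our own networks.
    for domain in own_domains:
        if fqdn == domain or fqdn.endswith("." + domain):
            if not any(ip in net for net in own_nets):
                return False, "claims our domain from an outside address"
    return True, "syntactically valid FQDN"


# Constructed sample data: the exemption file format is the one quoted in the
# thread; the own-domain/own-network pairing is an assumption for this demo.
EXEMPT = parse_exemptions("10.10.10.10 # Remove in April\n\n10.10.10.1 # Remove In May\n")
OWN_DOMAINS = ("somedomain.com",)
OWN_NETS = (ipaddress.ip_network("10.10.10.0/24"),)

SESSIONS = [  # (HELO argument, connecting IP), constructed from names in the thread
    ("(server3549)", "192.0.2.10"),
    ("boogabooga.internal", "192.0.2.11"),
    ("BILLS_ROOM.local", "192.0.2.12"),
    ("123.234.134.124", "123.234.134.124"),
    ("[123.234.134.124]", "123.234.134.124"),
    ("mail.somedomain.com", "10.9.1.1"),
    ("mail.somedomain.com", "10.10.10.7"),
    ("something_stupid.local", "10.10.10.10"),
]


def classify_sessions():
    """Run the policy over the sample sessions and return the verdicts."""
    return [
        (helo, ip, *check_helo(helo, ip, EXEMPT, OWN_DOMAINS, OWN_NETS))
        for helo, ip in SESSIONS
    ]


if __name__ == "__main__":
    for helo, ip, accept, reason in classify_sessions():
        print(f"{'ACCEPT' if accept else 'REJECT':6} {ip:16} {helo:24} {reason}")
```
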
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 29 22:50:46 2008 Subject: Queue problem In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local> References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local> <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local> Message-ID: <47C88BFA.4030906@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Maxime Gaudreault wrote: > > Hi > > The hold queue is actually at 415 emails > > Load Average: 0.11 0.25 0.53 > > htop show many of these process: > > MailScanner: checking with SpamAssassin > > MailScanner: checking with Spam Lists > > CPU is 3% > > Mem is 25% > I would start checking your DNS setup. How long does it take for various random "dig" commands to produce results? MailScanner should spend a very small %-age of its time saying "checking with Spam Lists". If you can see several of them in that state, then that's likely a DNS lookup problem. > I don't understand > > *Maxime Gaudreault* > > Technicien > > _ _ > > R?f?rence Syst?mes inc. > > T?l. : 418.650.0997 > > T?l?c. : 418.650.9668 > > Courriel : _mgaudreault_@reference.qc.ca > > > Site Internet : http://www.reference.qc.ca/ > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *Maxime Gaudreault > *Sent:* February 29, 2008 10:54 AM > *To:* MailScanner discussion > *Subject:* Queue problem > > Hi > > I have a problem with my anti-spam gateway. The queue is fulling up > very quickly (1600+ mails in queue). > > The server's load average is <1 (0.60 ? 0.80) so I suppose this is not > a ressource problem. > > Then I have to change the port forwarding directly to my Imail server > to let the anti-spam's queue going down. > > I used many tweak to maximize the efficacity of the anti-spam > (mailscanner work directory in ram, dns cache server, increasing > memory). 
I only got 1 CPU but I suppose this is not the problem > because when the queue is full, the load average is under 1. > > Any idea ? > > PS: Sorry for my bad english > > PPS: Sorry if you received my message twice > > *Maxime Gaudreault* > > Technicien > > _ _ > > R?f?rence Syst?mes inc. > > T?l. : 418.650.0997 > > T?l?c. : 418.650.9668 > > Courriel : _mgaudreault_@reference.qc.ca > > > Site Internet : http://www.reference.qc.ca/ > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: windows-1252 wj8DBQFHyIwcEfZZRxQVtlQRAuPxAKD9kZyTPfF/rfAZwnYgYtTJ7wBQtACgn2PT eFc95lOZub+5/sADM2GStSY= =9oag -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Feb 29 22:59:04 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 29 22:59:31 2008 Subject: F-Prot use not appearing in log file In-Reply-To: <47C84DC4.3090406@crucis.net> References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net> <47C76359.3030300@crucis.net> <47C7D13F.90507@ecs.soton.ac.uk> <47C84DC4.3090406@crucis.net> Message-ID: <47C88E38.3040805@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mike - W0TMW wrote: > Trimmed to conserve space. > > Julian Field wrote: >> >> >> Mike Watson wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Scott Silva wrote: >>> | on 2-28-2008 1:35 PM Mike - W0TMW spake the following: >>> |> Julian Field wrote: >>> |>> >>> |>> >>> |>> Mike - W0TMW wrote: >>> |>>> I've installed MS 4.66 on a new box and thanks to others here >>> gotten it running. I have noticed something odd. >>> |>>> >>> |>>> I have clamav and f-prot installed for virus scanning. I have >>> an older version of MS running on another box also with clamav and >>> f-prot. On that older box, when an e-mail is being scanned, I see >>> in the log that clamav and f-prot are used. On the new box however, >>> I only see clamav mentioned. Both virus scanners are found when MS >>> is started. > snipped... >>> | Change your %org-name% to crucis_net instead of crucis.net. That >>> error has caused many logging problems. >>> | And you might as well fix the other error so spamassassin ignores >>> your locally generated headers. >>> > Done. No change. >> Have you checked your /etc/MailScanner.conf recently? >> A new version of F-Prot appeared with a totally new output format. >> There is now the "f-prot-6" scanner which you should have in your >> "Virus Scanners" setting. It's mentioned in the comments above. > My F-prot is version 4.6.8, engine 3.16.16. It was downloaded from > the F-Prot website last week. Would this version use "f-prot" or > "F-prot-6"? F-prot works/scans in manual mode. 
When you installed it, did it require an installation key number? On the website, when you download it, there is version 3 and version 6 available. Once you have put in your customer number, you get taken to a page which lists the downloads and keys you can get for that number. That tells you the version number there. I would guess you are using version 6. Set Virus Scanners in MailScanner.conf to include "f-prot-6" and then do a MailScanner --lint and you'll see what it finds and whether it locates a virus report in the F-Prot 6 output. Note that after you unpack the F-Prot 6 (by default it appears to prefer /opt/f-prot) there is an installation script in there. You don't want any of the daemons or cron jobs or anything, but you will need to type in your installation key number (very long string with dashes in it) in order to be able to download the updates. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHyI5BEfZZRxQVtlQRAjmsAJ9q2xvnfpBJTL8TSXWiut+gOqaqvACdHDtg WKVDaH8DodwRxwrscSC1q3o= =1Oq/ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Feb 29 23:04:41 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 29 23:05:43 2008 Subject: FW: Another attack to fight off In-Reply-To: References: <47C6BBD8.61A4.0000.0@caspercollege.edu> <47C7310E.3020004@ecs.soton.ac.uk> , <608FC9263D077744B6AA7457C9D005F827E63C0E07@MBX72.ad2.softcom.biz> Message-ID: <47C88F89.8050309@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Just for the list's reference, this is an init.d script problem, as it doesn't directly support multiple incoming queues. So it has trouble starting up the incoming sendmail process. INQDIR is calculated in /etc/sysconfig/MailScanner and used to set the -OQueueDirectory= command-line option in /etc/init.d/MailScanner. It is read straight out of MailScanner.conf. So if MailScanner.conf's setting refers to a text file listing directory names, the init.d script tries to start up sendmail with the QueueDirectory option set to a text file, so it shouts and screams about it :-( MailScanner itself is working just fine. Ideally a fancier init.d script would find the text file and make nasty noises that it won't be able to start up the incoming sendmail without modification. Jim Hermann wrote: > ________________________________ 
> > From: Vlad Mazek [mailto:v@vladville.com] > Sent: Thursday, February 28, 2008 04:43 PM > To: MailScanner discussion > Subject: Re: Another attack to fight off > > > MailScanner doesn't seem to want to accept multiple incoming queues with sendmail. Incoming Queue Dir = doesn't seem to take anything other than a single directory. Documentation indicates it should take filesets but that doesn't work > > Starting MailScanner daemons: > incoming sendmail: 451 4.0.0 can not chdir(/etc/MailScanner/rules/mqueue.in.list.conf/): Not a directory [ OK ] > > (I tried %rules-dir%/mqueue.in.list.conf, permissions are ok, the file contains the queue dir's one per line, etc all looks sane) > > -Vlad > ----- > > Vlad, > > I use this setting: > > Incoming Queue Dir = /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue /home/virtual/site*/fst/var/spool/mqueue > > It collects email from 200 different directories. > > Jim > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHyI+yEfZZRxQVtlQRAkNcAJ4gfTo7JMyAXug08sBf4DtWQ45t/ACfR278 sUdj49gua//d2e3yZmqS2QQ= =FFlg -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Fri Feb 29 23:42:47 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 29 23:43:22 2008 Subject: [Maybe OT] - RFC compliance checking at session In-Reply-To: <47C88A19.1040306@evi-inc.com> References: <3D9C92F3075F5144B46AA2C590F48E2A7A73CF@commssrv01.computerservicecentre.com> <47C8374F.9000502@evi-inc.com> <223f97700802291344t133458ep981b15b4e9ecc969@mail.gmail.com> <47C88A19.1040306@evi-inc.com> Message-ID: <223f97700802291542i1bd99197u883fbc9c3628f126@mail.gmail.com> On 29/02/2008, Matt Kettler wrote: > Glenn Steen wrote: > > On 29/02/2008, Matt Kettler wrote: > >> Hostmaster wrote: > >> > Hi All, > >> > > >> > I would like to elicit some opinions from you other MailScanner using > >> > MX-administrators. > >> > >> > >> Pretty much all your opinions here are valid, except: > >> > >> > >> > and the IP does not accept return SMTP - indicating that > >> > it's probably a web server and not an MTA itself. > >> > >> > >> I find that conclusion irrational. Why wouldn't it be an MTA? > >> > >> Anyone large enough to have separate MX (inbound) and smarthost (outbound) > >> servers should *NOT* be accepting inbound SMTP connections to their smarthost > >> servers from the outside world. Only their internal network should be able to > >> SMTP to the smarthost. > >> > >> There's no reason to allow it, so best practice would suggest you should close > >> that off at the firewall. Any legitimate mail delivery attempts will go to the > >> MX servers. Therefore any attempts to connect to port 25 on the SmartHost from > >> the outside are either hackers, scans, or random pokes and prods at parts of > >> your network nobody on the outside belongs in. > >> > >> > >> I think it's a pretty far jump to assume that any system that generates SMTP but > >> doesn't accept inbound from you can't be an MTA. It's quite possible it is an > >> MTA, but you're not authorized to try to queue mail there and are firewalled out. 
> >> > > I'm not going to disagree (much:-) with you today/tonight Matt (not > > sober enough, and I need be very sharp when doing that:-):-), but what > > about all that stuff ... domain literals etc... all there to > > facilitate bouncing when there is no DNS etc. Kind of implies that all > > SMTP senders are supposed to be able to be receivers too, now don't it? > > Or maybe I'm in delirium tremens and that is just a figment of that state:-):-) > > > Follow up again later.. I can't make much sense of what you're saying right now. > > Domain literals exist to handle sending messages when DNS is down. But I don't > see anywhere that suggests using them for bounces. > > As best I can tell it's a flagrant violation of many RFCs to send a bounce (or > any other DSN) to anything other than the return path. > > Trying to create a domain literal using the IP address of the host that > delivered the email strikes me as absurdly broken. If nothing else, doing this > would require that all SMTP clients also be mailservers... Ouch! Yeah... It must be the booze. Sorry:-). I'm certain I've seen something like that though (in a DISCUSSION clause, but ... well, the memory isn't good when sober... So ....:-). > Relevant RFC's describing that delivery failure notifications be sent to the > reverse path in the MAIL FROM: command: > > RFC 821 section 3.6 (MUST) > RFC 2821 section 3.7 (MUST) > RFC 1123 section 5.3.3 (specifies SHOULD be the envelope return, not must) > RFC 3461 section 6.1 (simply described as fact, with no MUST or SHOULD.) > Probably me getting confused with one of those. Thanks for taking the time Matt. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 29 23:46:13 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 29 23:46:48 2008 Subject: Queue problem In-Reply-To: <47C88BFA.4030906@ecs.soton.ac.uk> References: <6DD6B2C8A11BFC4092A148347F6126B85451AE@jupiter.reference.local> <6DD6B2C8A11BFC4092A148347F6126B85451C6@jupiter.reference.local> <47C88BFA.4030906@ecs.soton.ac.uk> Message-ID: <223f97700802291546m50b3108cr2a407a7ff9487465@mail.gmail.com> On 29/02/2008, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > > Maxime Gaudreault wrote: > > > > Hi > > > > The hold queue is actually at 415 emails > > > > Load Average: 0.11 0.25 0.53 > > > > htop show many of these process: > > > > MailScanner: checking with SpamAssassin > > > > MailScanner: checking with Spam Lists > > > > CPU is 3% > > > > Mem is 25% > > > > I would start checking your DNS setup. How long does it take for various > random "dig" commands to produce results? MailScanner should spend a > very small %-age of its time saying "checking with Spam Lists". If you > can see several of them in that state, then that's likely a DNS lookup > problem. > Or having a dead one in the list perhaps? What does your list look like Maxime? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mikew at crucis.net Fri Feb 29 23:55:25 2008 
From: mikew at crucis.net (Mike Watson) Date: Fri Feb 29 23:56:21 2008 Subject: F-Prot use not appearing in log file In-Reply-To: <47C88E38.3040805@ecs.soton.ac.uk> References: <47C714B2.6060603@crucis.net> <47C71FAE.1020007@ecs.soton.ac.uk> <47C7290E.20700@crucis.net> <47C76359.3030300@crucis.net> <47C7D13F.90507@ecs.soton.ac.uk> <47C84DC4.3090406@crucis.net> <47C88E38.3040805@ecs.soton.ac.uk> Message-ID: <47C89B6D.4000401@crucis.net> See below. Julian Field wrote: > > > Mike - W0TMW wrote: > > Trimmed to conserve space. > > > Julian Field wrote: > >> > >> Mike Watson wrote: > >>> -----BEGIN PGP SIGNED MESSAGE----- > >>> Hash: SHA1 > >>> > >>> Scott Silva wrote: > >>> | on 2-28-2008 1:35 PM Mike - W0TMW spake the following: > >>> |> Julian Field wrote: > >>> |>> > >>> |>> > >>> |>> Mike - W0TMW wrote: > >>> |>>> I've installed MS 4.66 on a new box and thanks to others here > >>> gotten it running. I have noticed something odd. > >>> |>>> > >>> |>>> I have clamav and f-prot installed for virus scanning. I have > >>> an older version of MS running on another box also with clamav and > >>> f-prot. On that older box, when an e-mail is being scanned, I see > >>> in the log that clamav and f-prot are used. On the new box however, > >>> I only see clamav mentioned. Both virus scanners are found when MS > >>> is started. > > snipped... > >>> | Change your %org-name% to crucis_net instead of crucis.net. That > >>> error has caused many logging problems. > >>> | And you might as well fix the other error so spamassassin ignores > >>> your locally generated headers. > >>> > > Done. No change. > >> Have you checked your /etc/MailScanner.conf recently? > >> A new version of F-Prot appeared with a totally new output format. > >> There is now the "f-prot-6" scanner which you should have in your > >> "Virus Scanners" setting. It's mentioned in the comments above. > > My F-prot is version 4.6.8, engine 3.16.16. It was downloaded from > > the F-Prot website last week. 
Would this version use "f-prot" or > > "F-prot-6"? F-prot works/scans in manual mode. > When you installed it, did it require an installation key number? No. > On the > website, when you download it, there is version 3 and version 6 > available. Once you have put in your customer number, you get taken to a > page which lists the downloads and keys you can get for that number. > That tells you the version number there. I would guess you are using > version 6. I'm using version 4.6.8, engine 3.16.16 I have MailScanner.conf set to "auto". It finds f-prot during startup. > > Set Virus Scanners in MailScanner.conf to include "f-prot-6" and then do > a MailScanner --lint and you'll see what it finds and whether it locates > a virus report in the F-Prot 6 output. > > Note that after you unpack the F-Prot 6 (by default it appears to prefer > /opt/f-prot) there is an installation script in there. You don't want > any of the daemons or cron jobs or anything, but you will need to type > in your installation key number (very long string with dashes in it) in > order to be able to download the updates. This is a personal mailserver. I'm not providing a commercial service. I'm not using the commercial F-Prot virus scanner. Here's the output of MailScanner --lint with anti-virus set to "auto." [root@cygni ~]# MailScanner --lint Trying to setlogsock(unix) Checking version numbers... Version number in MailScanner.conf (4.66.5) is correct. Your setting "Mail Header" contains illegal characters. This is most likely caused by your "%org-name%" setting which must not contain and "." or "_" characters as these are known to cause problems with some mail systems. Your envelope_sender_header in spam.assassin.prefs.conf is correct. Checking for SpamAssassin errors (if you use it)... SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin reported no errors. 
MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: clamav, f-prot =========================================================================== =========================================================================== Virus Scanner test reports: F-Prot said "./1/eicar.com Infection: EICAR_Test_File" ClamAV said "eicar.com contains Eicar-Test-Signature" If any of your virus scanners (clamav,f-prot) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. [root@cygni ~]# I'll change the virus scanner to f-prot-6 later and pass the lint result along to you. Mike W > > Jules > -- This message has been scanned for viruses and dangerous content by MailScanner@CYGNI, and is believed to be clean.
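The lint output quoted in the message above first lists the scanners MailScanner found and then the scanners that reported the EICAR test file; the script below compares the two lists. It is an added example, not part of the thread or of MailScanner. The sample outputs are constructed from the quoted output (line breaks assumed), and matching report labels to scanner names by lowercasing and dropping punctuation is an assumption.

```shell
#!/bin/sh
# Constructed sample 1: the two-scanner output quoted in the thread
# (line breaks assumed).
sample_lint_both() {
    cat <<'EOF'
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav, f-prot
Virus Scanner test reports:
F-Prot said "./1/eicar.com Infection: EICAR_Test_File"
ClamAV said "eicar.com contains Eicar-Test-Signature"
EOF
}

# Constructed sample 2: the same run with the F-Prot report missing.
sample_lint_one() {
    sample_lint_both | grep -v '^F-Prot said'
}

# Read `MailScanner --lint` output on stdin. Print every scanner from the
# "Found these virus scanners installed:" line that has no `<Name> said "..."`
# test report. Exit 0 = all reported, 1 = some silent, 2 = no scanner list.
silent_scanners() {
    awk '
        # Assumption: report labels match config names once lowercased and
        # stripped of punctuation (F-Prot -> fprot, f-prot -> fprot).
        function norm(s) { s = tolower(s); gsub(/[^a-z0-9]/, "", s); return s }
        /^Found these virus scanners installed:/ {
            list = $0
            sub(/^[^:]*:/, "", list)
            n = split(list, found, ",")
            next
        }
        / said "/ {
            label = $0
            sub(/ said ".*/, "", label)
            reported[norm(label)] = 1
        }
        END {
            if (n == 0) exit 2
            for (i = 1; i <= n; i++) {
                name = found[i]
                gsub(/^[ \t]+|[ \t\r]+$/, "", name)
                if (name != "" && !(norm(name) in reported)) { print name; bad = 1 }
            }
            exit bad + 0
        }
    '
}

for s in sample_lint_both sample_lint_one; do
    missing=$("$s" | silent_scanners) || true
    echo "$s: scanners with no test report: ${missing:-none}"
done
```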