From pascal.maes at elec.ucl.ac.be Fri Feb 1 08:00:09 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Feb 1 08:00:29 2008
Subject: "Is Definitely Spam" rule not working ?
Message-ID:

Hello,

In MailScanner.conf, we have

# Spam Blacklist:
# Make this point to a ruleset, and anything in that ruleset whose value
# is "yes" will *always* be marked as spam.
# This value can be over-ridden by the "Is Definitely Not Spam" setting.
# This can also be the filename of a ruleset.
Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no

In spam_blacklist.rules, we have :

From: 66.63.168. yes
FromOrTo: default no

As this rule could be over-ridden, I check that

Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules

the file spam_whitelist.rules doesn't contain anything about that
domain or IP or the recipient

Then, I wonder why the following mail was not tagged as SPAM

Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
  by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
  6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id
  <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
  for (ORCPT email_address); Thu, 31 Jan 2008 20:21:28 +0100 (CET)
Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D
  for ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
  by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP
  for ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id hk8fra01g741;
  Thu, 31 Jan 2008 14:19:07 -0500
Date: Thu, 31 Jan 2008 14:18:49 -0500
Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
From: Travel Offers
X-SGSI-MailScanner: Found to be clean
X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5, requis 5,
  BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
X-SGSI-Spam-Score: sss
X-SGSI-From: travel-offers@mytravfolks.com
X-SGSI-Spam-Status: No

--
Pascal

From MailScanner at ecs.soton.ac.uk Fri Feb 1 11:38:32 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 1 11:39:01 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References:
Message-ID: <47A304B8.30803@ecs.soton.ac.uk>

Pascal Maes wrote:
> Hello,
>
> In MailScanner.conf, we have
>
> # Spam Blacklist:
> # Make this point to a ruleset, and anything in that ruleset whose value
> # is "yes" will *always* be marked as spam.
> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
> # This can also be the filename of a ruleset.
> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>
> In spam_blacklist.rules, we have :
>
> From: 66.63.168. yes
>
> FromOrTo: default no
>
> As this rule could be over-ridden, I check that
>
> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>
> the file spam_whitelist.rules doesn't contain anything about that
> domain or IP or the recipient
>
> Then, I wonder why the following mail was not tagged as SPAM
>
> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>   by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>   6.3-4.01 (built
>   Aug 3 2007; 32bit)) with ESMTP id
>   <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>   for (ORCPT email_address); Thu,
>   31 Jan 2008 20:21:28 +0100 (CET)
> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>   by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>   ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>   by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
>   31 Jan 2008 20:21:38 +0100 (CET)
> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>   hk8fra01g741; Thu,
>   31 Jan 2008 14:19:07 -0500
> Date: Thu, 31 Jan 2008 14:18:49 -0500
> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
> From: Travel Offers
> X-SGSI-MailScanner: Found to be clean
> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>   requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
Because it scored 3.5 where the required score is 5.
>
> X-SGSI-Spam-Score: sss
> X-SGSI-From: travel-offers@mytravfolks.com
> X-SGSI-Spam-Status: No
>
> --
> Pascal
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Feb 1 11:39:48 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 1 11:40:12 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References:
Message-ID: <47A30504.5010408@ecs.soton.ac.uk>

Sorry, ignore my last comment.
Not sure on this one. Have you tested the ruleset with the command-line?
Run "MailScanner --help" to start with.

Pascal Maes wrote:
> Hello,
>
> In MailScanner.conf, we have
>
> # Spam Blacklist:
> # Make this point to a ruleset, and anything in that ruleset whose value
> # is "yes" will *always* be marked as spam.
> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
> # This can also be the filename of a ruleset.
> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>
> In spam_blacklist.rules, we have :
>
> From: 66.63.168. yes
>
> FromOrTo: default no
>
> As this rule could be over-ridden, I check that
>
> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>
> the file spam_whitelist.rules doesn't contain anything about that
> domain or IP or the recipient
>
> Then, I wonder why the following mail was not tagged as SPAM
>
> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>   by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>   6.3-4.01 (built
>   Aug 3 2007; 32bit)) with ESMTP id
>   <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>   for (ORCPT email_address); Thu,
>   31 Jan 2008 20:21:28 +0100 (CET)
> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>   by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>   ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>   by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
>   31 Jan 2008 20:21:38 +0100 (CET)
> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>   hk8fra01g741; Thu,
>   31 Jan 2008 14:19:07 -0500
> Date: Thu, 31 Jan 2008 14:18:49 -0500
> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
> From: Travel Offers
> X-SGSI-MailScanner: Found to be clean
> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>   requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
> X-SGSI-Spam-Score: sss
> X-SGSI-From: travel-offers@mytravfolks.com
> X-SGSI-Spam-Status: No
>
> --
> Pascal
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From pascal.maes at elec.ucl.ac.be Fri Feb 1 11:56:59 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Feb 1 11:57:13 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47A304B8.30803@ecs.soton.ac.uk>
References: <47A304B8.30803@ecs.soton.ac.uk>
Message-ID:

On 01 Feb 08, at 12:38, Julian Field wrote:

> Pascal Maes wrote:
>> Hello,
>>
>> In MailScanner.conf, we have
>>
>> # Spam Blacklist:
>> # Make this point to a ruleset, and anything in that ruleset whose value
>> # is "yes" will *always* be marked as spam.
>> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
>> # This can also be the filename of a ruleset.
>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>
>> In spam_blacklist.rules, we have :
>>
>> From: 66.63.168. yes
>>
>> FromOrTo: default no
>>
>> As this rule could be over-ridden, I check that
>>
>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>
>> the file spam_whitelist.rules doesn't contain anything about that
>> domain or IP or the recipient
>>
>> Then, I wonder why the following mail was not tagged as SPAM
>>
>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>   by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>   6.3-4.01 (built
>>   Aug 3 2007; 32bit)) with ESMTP id
>>   <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>>   for (ORCPT email_address); Thu,
>>   31 Jan 2008 20:21:28 +0100 (CET)
>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>>   by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>>   ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>   by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
>>   31 Jan 2008 20:21:38 +0100 (CET)
>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>   hk8fra01g741; Thu,
>>   31 Jan 2008 14:19:07 -0500
>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>> From: Travel Offers
>> X-SGSI-MailScanner: Found to be clean
>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>>   requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
> Because it scored 3.5 where the required score is 5.
>>
>> X-SGSI-Spam-Score: sss
>> X-SGSI-From: travel-offers@mytravfolks.com
>> X-SGSI-Spam-Status: No
>>
>> --
>> Pascal
>>
>
> Jules
>

yes but as we have the header

Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])

which matches the rule in spam_blacklist.rules

From: 66.63.168. yes

The message should have been tagged Spam

--
Pascal

From pascal.maes at elec.ucl.ac.be Fri Feb 1 13:12:26 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Feb 1 13:12:53 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47A30504.5010408@ecs.soton.ac.uk>
References: <47A30504.5010408@ecs.soton.ac.uk>
Message-ID:

On 01 Feb 08, at 12:39, Julian Field wrote:

> Sorry, ignore my last comment.
> Not sure on this one. Have you tested the ruleset with the command-line?
> Run "MailScanner --help" to start with.
>

/opt/MailScanner/bin/MailScanner --value="Is Definitely Spam" --ip=66.63.168.38 /opt/MailScanner/etc/MailScanner.conf
Looked up internal option name "spamblacklist"
With sender =
Client IP = 66.63.168.38
Virus =
Result is "1"

0=No 1=Yes

--
Pascal

From Stefan.Fournier at gmx.de Fri Feb 1 16:19:26 2008
From: Stefan.Fournier at gmx.de (Stefan Fournier)
Date: Fri Feb 1 16:19:34 2008
Subject: filter on empty from, <>, postmaster
Message-ID: <20080201161926.286950@gmx.net>

Hi,

I wonder if there's a possibility to create a ruleset that matches
on the postmaster address Mail From: <>
I want all that mails to have in a different outqueuedir.
I tried all type of things with "<>", "", //, ... with no success

We have MailScanner-4.56.8 on ubuntu 6.06

Any hints?

Thanks,
Stefan

From ssilva at sgvwater.com Fri Feb 1 19:33:48 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Feb 1 19:34:18 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References: <47A304B8.30803@ecs.soton.ac.uk>
Message-ID:

on 2/1/2008 3:56 AM Pascal Maes spake the following:
>
> On 01 Feb 08, at 12:38, Julian Field wrote:
>
>> Pascal Maes wrote:
>>> Hello,
>>>
>>> In MailScanner.conf, we have
>>>
>>> # Spam Blacklist:
>>> # Make this point to a ruleset, and anything in that ruleset whose value
>>> # is "yes" will *always* be marked as spam.
>>> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
>>> # This can also be the filename of a ruleset.
>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>
>>> In spam_blacklist.rules, we have :
>>>
>>> From: 66.63.168. yes
>>>
>>> FromOrTo: default no
>>>
>>> As this rule could be over-ridden, I check that
>>>
>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>
>>> the file spam_whitelist.rules doesn't contain anything about that
>>> domain or IP or the recipient
>>>
>>> Then, I wonder why the following mail was not tagged as SPAM
>>>
>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>   by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>   6.3-4.01 (built
>>>   Aug 3 2007; 32bit)) with ESMTP id
>>>   <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>>>   for (ORCPT email_address); Thu,
>>>   31 Jan 2008 20:21:28 +0100 (CET)
>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
>>>   by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>>>   ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>   by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for ; Thu,
>>>   31 Jan 2008 20:21:38 +0100 (CET)
>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>   hk8fra01g741; Thu,
>>>   31 Jan 2008 14:19:07 -0500
>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>> From: Travel Offers
>>> X-SGSI-MailScanner: Found to be clean
>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>>>   requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>> Because it scored 3.5 where the required score is 5.
>>>
>>> X-SGSI-Spam-Score: sss
>>> X-SGSI-From: travel-offers@mytravfolks.com
>>> X-SGSI-Spam-Status: No
>>>
>>> --
>>> Pascal
>>>
>>
>> Jules
>>
>
> yes but as we have the header
>
> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>
> which matches the rule in spam_blacklist.rules
>
> From: 66.63.168. yes
>
> The message should have been tagged Spam
>
> --
> Pascal
>
Do those rules check all received headers, or just the last one received from?
Julian would know for sure.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From hvdkooij at vanderkooij.org Sat Feb 2 10:15:12 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Feb 2 10:15:43 2008
Subject: OT? SPAM network top 100 of 2008-02-02
Message-ID: <47A442B0.6080901@vanderkooij.org>

Another top 100 of spam sending networks due to popular requests.

If you want a fresh view daily I suggest you request a trial license of
Trend Micro's Email Reputation Services. Even with an expired account you
will be able to check out their top 100. So you do not have to spend a
dime on Trend Micro. And getting a new trial license each month is not
that hard. Just a monthly webform to fill in.

Hugo.

Rank This Week Rank Last Week ASN ISP Name Spam Volume(24hrs) Botnet Activity
001 001 9121 TTNET TTnet Autonomous System 4.10B -29.5
002 002 3269 ASN-IBSNAZ TELECOM ITALIA 2.50B -25.1
003 003 19262 VZGNI-TRANSIT - Verizon Internet Services Inc. 2.74B 4.1
004 004 5617 TPNET Polish Telecom's commercial IP network 1.39B -33.7
005 005 6147 Telefonica del Peru S.A.A. 1.13B 21.7
006 006 15557 LDCOMNET NEUF CEGETEL (formerly LDCOM NETWORKS) 974.6M -28.4
007 007 7738 Telecomunicacoes da Bahia S.A. 938.1M 2.9
008 008 4766 KIXS-AS-KR Korea Telecom 852.0M 1.9
009 010 22927 Telefonica de Argentina 785.8M 7.2
010 011 1267 ASN-INFOSTRADA Infostrada S.p.A. 738.1M -26.4
011 012 2856 BT-UK-AS BTnet UK Regional network 696.9M -36.7
012 018 27699 TELECOMUNICACOES DE SAO PAULO S/A - TELESP 599.1M 0.9
013 016 8167 TELESC - Telecomunicacoes de Santa Catarina SA 641.7M 5.3
014 013 3352 TELEFONICA-DATA-ESPANA Internet Access Network of TDE 450.0M -24.8
015 014 9498 BBIL-AP BHARTI BT INTERNET LTD. 467.3M 9.4
016 017 8359 COMSTAR COMSTAR-Direct Moscow region network 482.1M -26.4
017 026 6739 ONO-AS Cableuropa - ONO 484.1M -19.1
018 030 4134 CHINANET-BACKBONE No.31,Jin-rong Street 394.3M 0.7
019 027 4837 CHINA169-BACKBONE CNCGROUP China169 Backbone 265.2M -1.8
020 022 5462 CABLEINET Telewest Broadband 482.1M -35.6
021 031 12876 AS12876 Telecom Italia France 416.9M -31.2
022 032 9318 HANARO-AS Hanaro Telecom Inc. 346.6M 2.0
023 025 7418 Terra Networks Chile S.A. 367.8M 18.8
024 034 28573 NET Servicos de Comunicao S.A. 375.0M 4.5
025 023 9829 BSNL-NIB National Internet Backbone 355.3M 9.1
026 019 3215 AS3215 France Telecom - Orange 231.4M -19.2
027 041 4788 TMNET-AS-AP TM Net, Internet Service Provider 319.1M 5.9
028 036 6713 IAM-AS 334.8M -33.7
029 038 16338 AUNA_TELECOM-AS Cableuropa - ONO 301.4M -19.4
030 037 8612 TISCALI-IT Tiscali Italia SpA. 300.9M -23.6
031 043 13184 HANSENET HanseNet Telekommunikation GmbH 334.4M -26.0
032 039 7132 SBIS-AS - AT&T Internet Services 342.0M 7.1
033 042 8151 Uninet S.A. de C.V. 308.4M 8.9
034 062 12322 PROXAD AS for Proxad/Free ISP 187.8M -18.6
035 047 19429 ETB - Colombia 209.8M 10.2
036 053 8228 CEGETEL-AS CEGETEL ENTREPRISES 214.1M -27.6
037 056 11351 RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC 223.1M 0.9
038 055 12479 UNI2-AS Uni2 Autonomous System 199.6M -25.7
039 051 4755 VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System 211.1M 2.5
040 060 7643 VNN-AS-AP Vietnam Posts and Telecommunications (VNPT) 193.3M 1.0
041 058 11426 SCRR-11426 - Road Runner HoldCo LLC 220.8M 1.2
042 063 12271 SCRR-12271 - Road Runner HoldCo LLC 228.1M 13.0
043 061 3462 HINET Data Communication Business Group 143.0M 2.1
044 057 8997 ASN-SPBNIT SPBNIT-RU Autonomous System 187.0M -26.1
045 067 9299 IPG-AS-AP Philippine Long Distance Telephone Company 190.2M 4.2
046 076 8551 BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone 146.7M -9.2
047 071 9143 ATHOME-BENELUX-BV AtHome Benelux BV provides broadband ISP services 164.8M -32.7
048 069 12741 INTERNETIA-AS Netia SA 163.1M -29.3
049 064 3816 COLOMBIA TELECOMUNICACIONES S.A. ESP 151.5M 15.5
050 075 6849 UKRTELNET JSC UKRTELECOM, 163.8M -24.6
051 074 4813 BACKBONE-GUANGDONG-AP China Telecom(Group) 108.9M -1.1
052 077 11427 SCRR-11427 - Road Runner HoldCo LLC 167.1M 9.7
053 068 17858 KRNIC-ASBLOCK-AP KRNIC 18.4M -1.5
054 052 5384 EMIRATES-INTERNET Emirates Internet 75.8M -12.5
055 078 9141 AS9141 UPC Poland 120.3M -32.0
056 087 6678 AS-NOOS NOOS Autonomous System 123.1M -22.1
057 079 13285 OPALTELECOM-AS Opal Telecom 130.4M -32.1
058 085 4589 EASYNET Easynet Group Plc 131.0M -30.4
059 089 4713 OCN NTT Communications Corporation 129.4M -5.0
060 103 3243 TELEPAC PT.Com - Comunicacoes Interactivas, S.A. 121.1M -13.5
061 090 22291 CHARTER-LA - Charter Communications 122.8M 16.1
062 083 6332 Telefonos del Noroeste S.A. de C.V. 121.8M 25.6
063 092 5391 T-HT T-Com Croatia Internet network 127.6M -33.7
064 093 13343 SCRR-13343 - Road Runner HoldCo LLC 139.9M 12.5
065 105 9116 GOLDENLINES-ASN Golden Lines Main Autonomous System 112.6M -8.8
066 106 8584 BARAK Netvision 013 Barak - Barak Network 98.6M -9.4
067 114 12715 JAZZNET Jazz Telecom S.A. 86.6M -14.8
068 102 6855 SK SLOVAK TELECOM, AS6855 114.3M -35.3
069 095 6478 ATT-INTERNET3 - AT&T WorldNet Services 10.8M 3.6
070 099 12338 EUSKALTEL Euskaltel Autonomous System 95.5M -22.8
071 111 33287 DNEO-OSP4 - Comcast Cable Communications, Inc. 120.5M 3.3
072 112 6746 ASTRAL ASTRAL Telecom SA, Romania 107.7M -29.4
073 108 1221 ASN-TELSTRA Telstra Pty Ltd 95.5M -3.6
074 113 12542 TVCABO Autonomous System 90.9M -10.3
075 104 5713 SAIX-NET 105.8M -4.8
076 115 5486 SMILE-ASN Euronet Digital Communications, (1992) LTD, Israel 82.5M -6.2
077 157 12695 DINET-AS Digital Network JSC 150.7M -19.3
078 118 6799 OTENET-GR OTEnet S.A. Multiprotocol Backbone & ISP 95.4M -28.2
079 101 6458 Telgua 90.5M 6.6
080 117 5668 AS-5668 - CenturyTel Internet Holdings, Inc. 106.7M 6.5
081 131 18881 Global Village Telecom 92.7M 5.0
082 029 9737 TOTNET-TH-AS-AP Telephone Organization of Thailand 5.0M 0.3
083 125 8764 TEOLTAB TEO LT AB Autonomous System 87.2M -25.2
084 164 6327 SHAW - Shaw Communications Inc. 63.4M 32.0
085 150 12874 FASTWEB Fastweb Autonomous System 69.8M -25.5
086 129 8881 VERSATEL Versatel Deutschland 75.6M -25.5
087 119 33491 DNEO-OSP7 - Comcast Cable Communications, Inc. 7.8M 2.7
088 121 5466 EIRCOM Eircom 79.6M -17.1
089 140 12357 COMUNITEL Comunitel Global Autonomous System 59.8M -27.4
090 141 1257 TELE2 63.3M -39.9
091 127 8696 INVITEL INVITEL Telecommunications 75.9M -23.1
092 154 36727 INSIGHT-COMMUNICATIONS-CORP-AS1 - INSIGHT COMMUNICATIONS COMPANY, L.P. 103.0M 7.7
093 133 3216 SOVAM-AS Golden Telecom, Moscow, Russia 65.6M -2.9
094 134 3292 TDC TDC Data Networks 75.8M -35.2
095 167 24326 TTT-AS-AP Maxnet, Internet Service Provider, Bangkok 116.3M 0.1
096 126 21826 Internet Cable Plus C. A. 71.3M 4.3
097 135 19444 CHARTER-STL - CHARTER COMMUNICATIONS 66.0M 5.9
098 128 8866 BTC-AS Bulgarian Telecommunication Company Plc. 71.0M -12.6
099 124 22773 CCINET-2 - Cox Communications Inc. 71.6M 20.2
100 136 7552 VIETEL-AS-AP Vietel Corporation 59.7M 4.1

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From subscribe at kringstad.net Sat Feb 2 10:16:50 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 10:17:11 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <47A1EE26.9020802@sequestered.net>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net>
Message-ID:

Hi,
I have a problem when I start MailScanner on Ubuntu 6.06 LTS.

**** ERROR: You must upgrade your perl IO module to at least
**** ERROR: version 1.2301 or MailScanner will not work!

Does anyone know which package that I need to upgrade?

Regards,
Trond

From glenn.steen at gmail.com Sat Feb 2 10:25:31 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Feb 2 10:25:42 2008
Subject: filter on empty from, <>, postmaster
In-Reply-To: <20080201161926.286950@gmx.net>
References: <20080201161926.286950@gmx.net>
Message-ID: <223f97700802020225h1ac0f986pb782ae392e05bb81@mail.gmail.com>

On 01/02/2008, Stefan Fournier wrote:
> Hi,
>
> I wonder if there's a possibility to create a ruleset that matches
> on the postmaster address Mail From: <>
> I want all that mails to have in a different outqueuedir.
> I tried all type of things with "<>", "", //, ... with no success
>
> We have MailScanner-4.56.8 on ubuntu 6.06
>
> Any hints?
>
> Thanks,
> Stefan

Um, did you try matching the empty field like in /^$/ .... or something similar (on the From: field, presumably)?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Feb 2 10:28:44 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Feb 2 10:28:55 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To: <47A442B0.6080901@vanderkooij.org>
References: <47A442B0.6080901@vanderkooij.org>
Message-ID: <223f97700802020228q386a5993k699300cfabbe8eb6@mail.gmail.com>

On 02/02/2008, Hugo van der Kooij wrote:
> Another top 100 of spam sending networks due to popular requests.
>
> If you want a fresh view daily I suggest you request a trial license of
> Trend Micro's Email Reputation Services. Even with an expired account you
> will be able to check out their top 100. So you do not have to spend a
> dime on Trend Micro. And getting a new trial license each month is not
> that hard. Just a monthly webform to fill in.
>
> Hugo.
>

Haven't those ....... (fill in your own sentiment:) at Trend ruined all their credibility?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sat Feb 2 10:35:00 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Feb 2 10:35:29 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To:
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net>
Message-ID: <47A44754.3000504@vanderkooij.org>

subscribe wrote:
| Hi,
| I have a problem when I start MailScanner on Ubuntu 6.06 LTS.
|
| **** ERROR: You must upgrade your perl IO module to at least
| **** ERROR: version 1.2301 or MailScanner will not work!
|
| Does anyone know which package that I need to upgrade?

Look at what you got installed now. I think you should be able to detect
the name if you search the list of installed packages.

I also noticed some remarks that the IO module is part of perl itself
but I think it is unlikely that ubuntu is shipped with a stone-age
version of perl.

Not being an ubuntu user myself I can not provide you with an exact name.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHpEdSBvzDRVjxmYERAt8mAJwNleVRpxrrQzEytYrFsiD7PogoXQCfWP/h
8Ua+uk9+hwJ3lJxEzIWMWFg=
=A/MJ
-----END PGP SIGNATURE-----

From subscribe at kringstad.net Sat Feb 2 10:52:24 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 10:52:38 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <47A44754.3000504@vanderkooij.org>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org>
Message-ID:

I think it is libio-zlib-perl, but I can't find newer ones at Ubuntu.

root@worf:~# dpkg -l| grep perl| egrep io
ii libarchive-zip-perl 1.16-1 Module for manipulation of ZIP archives
ii libcompress-zlib-perl 1.41-1 Perl module for creation and manipulation of
ii libhtml-parser-perl 3.48-1 A collection of modules that parse HTML text
ii libio-stringy-perl 2.110-1 Perl5 modules for IO from scalars and arrays
ii libio-zlib-perl 1.04-1 IO:: style interface to Compress::Zlib
ii liblocale-gettext-perl 1.05-1 Using libc functions for internationalizatio
ii libnet-ip-perl 1.24-1 Perl extension for manipulating IPv4/IPv6 ad
ii libplrpc-perl 0.2017-1 Perl extensions for writing PlRPC servers an
ii libsnmp-session-perl 1.08-1 Perl support for accessing SNMP-aware device
ii libsocket6-perl 0.17-1 Perl extensions for IPv6
ii libtext-wrapi18n-perl 0.06-4 internationalized substitute of Text::Wrap
ii libtimedate-perl 1.1600-5 Time and date functions for Perl
ii perl 5.8.7-10ubuntu1.1 Larry Wall's Practical Extraction and Report
ii perl-doc 5.8.7-10ubuntu1.1 Perl documentation

Regards,
Trond Kringstad

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij
Sent: 2.
februar 2008 11:35
To: MailScanner discussion
Subject: Re: Perl IO Modules on Ubuntu 6.06

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

subscribe wrote:
| Hi,
| I have a problem when I start MailScanner on Ubuntu 6.06 LTS.
|
| **** ERROR: You must upgrade your perl IO module to at least
| **** ERROR: version 1.2301 or MailScanner will not work!
|
| Does anyone know which package that I need to upgrade?

Look at what you got installed now. I think you should be able to detect the name if you search the list of installed packages. I also noticed some remarks that the IO module is part of perl itself but I think it is unlikely that ubuntu is shipped with a stone-age version of perl.

Not being an ubuntu user myself I can not provide you with an exact name.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHpEdSBvzDRVjxmYERAt8mAJwNleVRpxrrQzEytYrFsiD7PogoXQCfWP/h
8Ua+uk9+hwJ3lJxEzIWMWFg=
=A/MJ
-----END PGP SIGNATURE-----
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From shuttlebox at gmail.com Sat Feb 2 11:00:16 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Feb 2 11:00:25 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <47A44754.3000504@vanderkooij.org>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org>
Message-ID: <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com>

On Feb 2, 2008 11:35 AM, Hugo van der Kooij wrote:
> Look at what you got installed now. I think you should be able to detect
> the name if you search the list of installed packages. I also noticed
> some remarks that the IO module is part of perl itself but I think it is
> unlikely that ubuntu is shipped with a stone-age version of perl.

IO is included in core Perl but not even the brand new 5.10 includes 1.2301.

--
/peter

From subscribe at kringstad.net Sat Feb 2 11:19:15 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 11:19:24 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com>
Message-ID:

How should I install it then? Or is it a bug in MailScanner?

Regards,
Trond Kringstad

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
Sent: 2. februar 2008 12:00
To: MailScanner discussion
Subject: Re: Perl IO Modules on Ubuntu 6.06

On Feb 2, 2008 11:35 AM, Hugo van der Kooij wrote:
> Look at what you got installed now. I think you should be able to detect
> the name if you search the list of installed packages.
I also noticed
> some remarks that the IO module is part of perl itself but I think it is
> unlikely that ubuntu is shipped with a stone-age version of perl.

IO is included in core Perl but not even the brand new 5.10 includes 1.2301.

--
/peter
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From shuttlebox at gmail.com Sat Feb 2 11:28:04 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Feb 2 11:28:13 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To:
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com>
Message-ID: <625385e30802020328x6192e5edy64f34b3107960cb9@mail.gmail.com>

On Feb 2, 2008 12:19 PM, subscribe wrote:
> How should I install it then? Or is it a bug in MailScanner?

How did you install MailScanner? Did you use the tar dist? It should contain IO 1.2301.

--
/peter

From subscribe at kringstad.net Sat Feb 2 12:48:29 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 12:48:39 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To: <625385e30802020328x6192e5edy64f34b3107960cb9@mail.gmail.com>
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com> <625385e30802020328x6192e5edy64f34b3107960cb9@mail.gmail.com>
Message-ID:

I used the tar.gz, but damn I might just install it again then :)

I upgraded the packages on my Ubuntu server, that might have written over the one that came with MailScanner.

Regards,
Trond Kringstad

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
Sent: 2. februar 2008 12:28
To: MailScanner discussion
Subject: Re: Perl IO Modules on Ubuntu 6.06

On Feb 2, 2008 12:19 PM, subscribe wrote:
> How should I install it then? Or is it a bug in MailScanner?

How did you install MailScanner? Did you use the tar dist? It should contain IO 1.2301.

--
/peter
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From info at applyingsystems.com Sat Feb 2 12:57:59 2008
From: info at applyingsystems.com (Philip Doran)
Date: Sat Feb 2 13:00:25 2008
Subject: Logwatch not including blacklisted emails in mailscanner report section
Message-ID: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>

I am having a problem with blacklisted emails not showing up on the mailscanner logwatch report. Whitelisted emails are showing up. The blacklisted emails are showing up in the mail log (all default locations) just not the report. Anyone have this problem?

-v output:

This is MailScanner version 4.65.3
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.16 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.22 IO
1.13 IO::File
1.13 IO::Pipe
1.77 Mail::Header
1.86 Math::BigInt
3.07 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.07 MIME::QuotedPrint
5.420 MIME::Tools
0.11 Net::CIDR
1.09 POSIX
1.18 Scalar::Util
1.78 Socket
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.30 Archive::Tar
0.21 bignum
missing Business::ISBN
missing Business::ISBN::Data
0.17 Convert::TNEF
missing Data::Dump
1.815 DB_File
1.13 DBD::SQLite
1.56 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Encode::Detect
missing Error
missing ExtUtils::CBuilder
missing ExtUtils::ParseXS
missing Inline
missing IO::String
1.04 IO::Zlib
missing IP::Country
missing Mail::ClamAV
3.002003 Mail::SpamAssassin
missing Mail::SPF
missing Mail::SPF::Query
0.19 Math::BigRat
missing Module::Build
missing Net::CIDR::Lite
0.61 Net::DNS
missing Net::DNS::Resolver::Programmable
missing Net::LDAP
missing NetAddr::IP
missing Parse::RecDescent
missing SAVI
2.64 Test::Harness
missing Test::Manifest
1.95 Text::Balanced
1.35 URI
missing version
missing YAML

----
-lint output

Checking version numbers...
Version number in MailScanner.conf (4.65.3) is correct.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-TAMB-MailScanner-From

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /etc/MailScanner/rules/spam.whitelist.rules
config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /etc/MailScanner/rules/spam.blacklist.rules
SpamAssassin reported an error.

MailScanner.conf says "Virus Scanners = f-prot"
Found these virus scanners installed: f-prot
===========================================================================
===========================================================================
Virus Scanner test reports:
F-Prot said "./1/eicar.com Infection: EICAR_Test_File"

If any of your virus scanners (f-prot) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.

From subscribe at kringstad.net Sat Feb 2 13:11:10 2008
From: subscribe at kringstad.net (subscribe)
Date: Sat Feb 2 13:11:23 2008
Subject: Perl IO Modules on Ubuntu 6.06
In-Reply-To:
References: <21439388.1211201794279085.JavaMail.root@office.splatnix.net> <47A1EE26.9020802@sequestered.net> <47A44754.3000504@vanderkooij.org> <625385e30802020300u2114fe34tdb307bc18e1e4302@mail.gmail.com> <625385e30802020328x6192e5edy64f34b3107960cb9@mail.gmail.com>
Message-ID:

It worked. Thx!

Regards,
Trond

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of subscribe
Sent: 2. februar 2008 13:48
To: MailScanner discussion
Subject: RE: Perl IO Modules on Ubuntu 6.06

I used the tar.gz, but damn I might just install it again then :)

I upgraded the packages on my Ubuntu server, that might have written over the one that came with MailScanner.

Regards,
Trond Kringstad

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
Sent: 2.
februar 2008 12:28
To: MailScanner discussion
Subject: Re: Perl IO Modules on Ubuntu 6.06

On Feb 2, 2008 12:19 PM, subscribe wrote:
> How should I install it then? Or is it a bug in MailScanner?

How did you install MailScanner? Did you use the tar dist? It should contain IO 1.2301.

--
/peter
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From hvdkooij at vanderkooij.org Sat Feb 2 14:13:54 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Feb 2 14:14:32 2008
Subject: Logwatch not including blacklisted emails in mailscanner report section
In-Reply-To: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>
References: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>
Message-ID: <47A47AA2.7010207@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philip Doran wrote:
| I am having a problem with blacklisted emails not showing up on the
| mailscanner logwatch report. Whitelisted emails are showing up. The
| blacklisted emails are showing up in the mail log (all default locations)
| just not the report. Anyone have this problem?

Sounds more like a logwatch issue. I suggest you raise this issue on the logwatch mailing list. But do not forget to include MS and logwatch version info as well as the distro and most importantly: Samples of lines that get detected and lines that don't get detected.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHpHqhBvzDRVjxmYERAm2TAKCvbzT4U6eyY6sh+I9HmurNr2QcaQCgm+va
V8stdg8O4/fJ74UrBwqOCdE=
=MfVG
-----END PGP SIGNATURE-----

From ssilva at sgvwater.com Sat Feb 2 18:08:25 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Feb 2 18:08:49 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To: <47A442B0.6080901@vanderkooij.org>
References: <47A442B0.6080901@vanderkooij.org>
Message-ID:

on 2/2/2008 2:15 AM Hugo van der Kooij spake the following:
> Another top 100 of spam sending networks due to popular requests.
>
> If you want a fresh view daily I suggest you request a trial license of
> Trend Micro's Email Reputation Services. Even with an expired account you
> will be able to check out their top 100. So you do not have to spend a
> dime on Trend Micro. And getting a new trial license each month is not
> that hard. Just a monthly webform to fill in.
>

I'd be afraid they would sue me!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080202/c93776b7/signature.bin

From uxbod at splatnix.net Sat Feb 2 18:39:22 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sat Feb 2 18:39:51 2008
Subject: OT?
SPAM network top 100 of 2008-02-02
In-Reply-To:
Message-ID: <15333103.01201977562595.JavaMail.root@office.splatnix.net>

LOL :)

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Scott Silva" wrote:
> on 2/2/2008 2:15 AM Hugo van der Kooij spake the following:

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From gmane at tippingmar.com Sun Feb 3 00:17:01 2008
From: gmane at tippingmar.com (Mark Nienberg)
Date: Sun Feb 3 00:17:20 2008
Subject: Logwatch not including blacklisted emails in mailscanner report section
In-Reply-To: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>
References: <002701c8659b$3cfcdd00$1644a8c0@local.appsysinc.com>
Message-ID:

Philip Doran wrote:
> -lint output
>
> Checking version numbers...
> Version number in MailScanner.conf (4.65.3) is correct.
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-TAMB-MailScanner-From
>
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
> config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.blacklist.rules
> SpamAssassin reported an error.

Are you sure your white/black lists are really working? You should fix the errors noted. Are you confusing MailScanner's white/black lists with spamassassin's? I don't think there should be references to /etc/MailScanner/rules in mailscanner.cf (which is a link to spam.assassin.prefs.conf). They should be in MailScanner.conf.

Does this help?
Mark

From gcle at smcaus.com.au Mon Feb 4 02:49:08 2008
From: gcle at smcaus.com.au (Gerard Cleary)
Date: Mon Feb 4 02:49:34 2008
Subject: MailScanner cannot analyse tif files
Message-ID: <200802041349.08195.gcle@smcaus.com.au>

Hi there,

Our company has started receiving tif files from our parent company in Japan. Unfortunately, MailScanner cannot analyse them and it produces a message: "MailScanner: Could not analyze message".

When I bypass MailScanner, the file gets delivered and when I run the "file" command I get the following output:
[gcle@msf ~]$ file XAM00011.tif
XAM00011.tif: TIFF image data, little-endian
[gcle@msf ~]$ file -i XAM00011.tif
XAM00011.tif: image/tiff

I have tried to get tif files bypassed by MailScanner using the following line in filename.rules.conf: (without the diamond brackets of course and with the whitespace between fields all TABs) and a matching line in filetype.rules.conf: (same provisos as above).

Getting desperate, I put an entry into allow.filenames.rules: and an entry into allow.filetypes.rules: (again, with the same provisos as above).

I still get the "couldn't analyze" message so I then asked for a sample of the tif file from our technical department who use these files in their work.

When I received it I ran the "file" command as usual and I got the following results:
[gcle@msf ~]$ file XAL00471.tif
XAL00471.tif: TIFF image data, big-endian
[gcle@msf ~]$ file -i XAL00471.tif
XAL00471.tif: image/tiff

It seems that once the file has been through the technical department, it is turned into a "big-endian" file and MailScanner has no problem with it at all. (Our parent company in Japan use AS400 mainframes.)

I am using MailScanner 4.65.3 on Centos Release 4.4 and Sendmail 8.14.0.

I have tried having the MailScanner configuration "TNEF Expander" saying "internal" and then saying "/usr/bin/tnef" (with an accompanying maxsize setting many times greater than these tif files) but there is no change in the resulting message.

I have checked the archives for "endian" entries but the four entries that come up have "endian" as a minor detail.

I had thought that the "endian" bit format would be transparent to users because the operating systems were meant to "deal" with it but maybe I'm badly mistaken.

Does anybody know what the problem really is please and how I can get around it in MailScanner? I can provide the two named files above if anybody thought that might be useful.

In the meantime, I have turned off all MailScanner checking of any eMail from our parent company but this is not our preferred option.

Gerard.
--
Gerard Cleary
Systems Administrator
SMC Pneumatics (Australia) P/L
Ph: +61 2 9354 8222

--
This email message and any related attachments are confidential and should only be read by those persons to whom they were addressed. They may contain copyright, personal or legally privileged information. If you are not the intended recipient of this email, any use of this information is strictly prohibited and it must be deleted from your system. Views expressed in this message are the views of the sender and are not necessarily views of SMC Corporation, or its subsidiaries, except where the message expressly states otherwise.
Any advice contained herein should be treated as preliminary advice only and subject to formal written confirmation. Although this email and any attachments are believed to be free of any virus or any other defect which may cause damage or loss, it is the responsibility of the recipient to ensure that they are virus-free. SMC accepts no liability for any loss or damage that may occur as a result of the transmission of this email or its attachments to the recipient.

From Stefan.Fournier at gmx.de Mon Feb 4 08:37:48 2008
From: Stefan.Fournier at gmx.de (Stefan Fournier)
Date: Mon Feb 4 08:38:01 2008
Subject: filter on empty from, <>, postmaster
Message-ID: <20080204083748.145850@gmx.net>

> Um, did you try matching the empty field like in
>/^$/
> ....
or something similar (on the From: field, presumably)?

Right, this works! Stupid of me not to have tried that one.

Thanks,
Stefan
--
GMX FreeMail: 1 GB mailbox, 5 e-mail addresses, 10 free SMS.
All the details and free sign-up: http://www.gmx.net/de/go/freemail

From martinh at solidstatelogic.com Mon Feb 4 09:00:06 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Feb 4 09:00:19 2008
Subject: MailScanner cannot analyse tif files
In-Reply-To: <200802041349.08195.gcle@smcaus.com.au>
Message-ID: <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>

Hi

This is normally an antivirus issue, and the error comes from that.

What AV are you using?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Gerard Cleary
> Sent: 04 February 2008 02:49
> To: mailscanner@lists.mailscanner.info
> Subject: MailScanner cannot analyse tif files
>
> Hi there,
>
> Our company has started receiving tif files from our parent company in
> Japan.
> Unfortunately, MailScanner cannot analyse them and it produces a message:
> "MailScanner: Could not analyze message".
>
> When I bypass MailScanner, the file gets delivered and when I run the
> "file"
> command I get the following output:
> [gcle@msf ~]$ file XAM00011.tif
> XAM00011.tif: TIFF image data, little-endian
> [gcle@msf ~]$ file -i XAM00011.tif
> XAM00011.tif: image/tiff
>
> I have tried to get tif files bypassed by MailScanner using the following
> line
> in filename.rules.conf: (without the
> diamond
> brackets of course and with the whitespace between fields all TABs) and a
> matching line in filetype.rules.conf: (same
> provisos as above).
>
> Getting desperate, I put an entry into allow.filenames.rules: \.tif> and an entry into allow.filetypes.rules:
> (again,
> with the same provisos as above).
>
> I still get the "couldn't analyze" message so I then asked for a sample of
> the
> tif file from our technical department who use these files in their work.
>
> When I received it I ran the "file" command as usual and I got the
> following
> results:
> [gcle@msf ~]$ file XAL00471.tif
> XAL00471.tif: TIFF image data, big-endian
> [gcle@msf ~]$ file -i XAL00471.tif
> XAL00471.tif: image/tiff
>
> It seems that once the file has been through the technical department, it
> is
> turned into a "big-endian" file and MailScanner has no problem with it at
> all. (Our parent company in Japan use AS400 mainframes.)
>
> I am using MailScanner 4.65.3 on Centos Release 4.4 and Sendmail 8.14.0.
>
> I have tried having the MailScanner configuration "TNEF Expander"
> saying "internal" and then saying "/usr/bin/tnef" (with an accompanying
> maxsize setting many times greater than these tif files) but there is no
> change in the resulting message.
>
> I have checked the archives for "endian" entries but the four entries that
> come up have "endian" as a minor detail.
>
> I had thought that the "endian" bit format would be transparent to users
> because the operating systems were meant to "deal" with it but maybe I'm
> badly mistaken.
>
> Does anybody know what the problem really is please and how I can get
> around
> it in MailScanner? I can provide the two named files above if anybody
> thought that might be useful.
>
> In the meantime, I have turned off all MailScanner checking of any eMail
> from
> our parent company but this is not our preferred option.
>
> Gerard.
> --
> Gerard Cleary
> Systems Administrator
> SMC Pneumatics (Australia) P/L
> Ph: +61 2 9354 8222
>
> --
> This email message and any related attachments are confidential and should
> only be read by those persons to whom they were addressed. They may
> contain
> copyright, personal or legally privileged information.
If you are not the
> intended recipient of this email, any use of this information is strictly
> prohibited and it must be deleted from your system. Views expressed in
> this
> message are the views of the sender and are not necessarily views of SMC
> Corporation, or its subsidiaries, except where the message expressly
> states
> otherwise.
> Any advice contained herein should be treated as preliminary advice only
> and
> subject to formal written confirmation. Although this email and any
> attachments are believed to be free of any virus or any other defect which
> may
> cause damage or loss, it is the responsibility of the recipient to ensure
> that
> they are virus-free. SMC accepts no liability for any loss or damage that
> may
> occur as a result of the transmission of this email or its attachments to
> the
> recipient.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From m.anderlini at database.it Mon Feb 4 11:04:47 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Mon Feb 4 11:23:33 2008
Subject: How to understand spamassasin speed
In-Reply-To: <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>
References: <200802041349.08195.gcle@smcaus.com.au> <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>
Message-ID: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it>

Hello everybody,

Is there any way to test the speed of a single spamassassin test so as to know which is slowing my system?

I've done

spamassassin -D --lint 2>/tmp/speed.txt

but there is no way to understand how much time each process takes?

Thanks for your help and sorry for my worst English

Best regards
Marcello

--
Message checked by the Database Informatica antivirus service

From MailScanner at ecs.soton.ac.uk Mon Feb 4 12:01:51 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 4 12:02:16 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References: <47A304B8.30803@ecs.soton.ac.uk>
Message-ID: <47A6FEAF.5050306@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Silva wrote:
> * PGP Signed by an unknown key
>
> on 2/1/2008 3:56 AM Pascal Maes spake the following:
>>
>> Le 01-févr.-08 à
12:38, Julian Field a écrit :
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> Pascal Maes wrote:
>>>> Hello,
>>>>
>>>>
>>>> In MailScanner.conf, we have
>>>>
>>>> # Spam Blacklist:
>>>> # Make this point to a ruleset, and anything in that ruleset whose
>>>> value
>>>> # is "yes" will *always* be marked as spam.
>>>> # This value can be over-ridden by the "Is Definitely Not Spam"
>>>> setting.
>>>> # This can also be the filename of a ruleset.
>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>>
>>>>
>>>> In spam_blacklist.rules, we have :
>>>>
>>>> From: 66.63.168. yes
>>>>
>>>> FromOrTo: default no
>>>>
>>>>
>>>>
>>>> As this rule could be over-ridden, I check that
>>>>
>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>>
>>>> the file spam_whitelist.rules doesn't contain anything about that
>>>> domain or IP or the recipient
>>>>
>>>>
>>>> Then, I wonder why the following mail was not tagged as SPAM
>>>>
>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>> 6.3-4.01 (built
>>>> Aug 3 2007; 32bit)) with ESMTP id
>>>> <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>>>> for (ORCPT email_address); Thu,
>>>> 31 Jan 2008 20:21:28 +0100 (CET)
>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
>>>> [127.0.0.1])
>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for
>>>> ; Thu,
>>>> 31 Jan 2008 20:21:38 +0100 (CET)
>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>> hk8fra01g741; Thu,
>>>> 31 Jan 2008 14:19:07 -0500
>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>>> From: Travel Offers
>>>> X-SGSI-MailScanner: Found to be clean
>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5,
>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>>> Because it scored 3.5 where the required score is 5.
>>>>
>>>> X-SGSI-Spam-Score: sss
>>>> X-SGSI-From: travel-offers@mytravfolks.com
>>>> X-SGSI-Spam-Status: No
>>>>
>>>> --
>>>> Pascal
>>>>
>>>>
>>>>
>>>
>>> Jules
>>>
>>
>> yes but as we have the header
>>
>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>
>> which matches the rule in spam_blacklist.rules
>>
>> From: 66.63.168. yes
>>
>> The message should have been tagged Spam
>>
>>
>> --
>> Pascal
>>
>>
>>
> Do those rules check all received headers, or just the last one
> received from?
> Julian would know for sure.
>

They just check the last one, the IP address of the SMTP client that sent the message to your server.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: (pgp-secured)
Charset: UTF-8

wj8DBQFHpv6wEfZZRxQVtlQRAvWfAJ9VCrnu7thMsekTo9u7ManoZFevyQCeOJb2
tC67pwyIz36t5X+1+sEuP+o=
=jl6X
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From support-lists at petdoctors.co.uk Mon Feb 4 13:11:33 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Mon Feb 4 13:12:07 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To: <47A442B0.6080901@vanderkooij.org>
Message-ID: <027801c8672f$76d65160$0202fea9@support01>

Thanks for the list - is it available as a MailScanner blacklist so I can just drop it in place and live a quiet life???
NK

From hofu12 at physik.tu-darmstadt.de Mon Feb 4 13:29:23 2008
From: hofu12 at physik.tu-darmstadt.de (Joachim Holzfuss)
Date: Mon Feb 4 13:29:45 2008
Subject: rules: IP Address in To: expression reports Config Error
Message-ID:

Hi,

I was under the impression from reading the examples and README files
located in the rules directory
that I can setup a highscore spam policy based
on a receiving mailserver specified like

To: IP.AD.DR.ESS delete

This works for From: but not for To: or FromOrTo:
Instead I get in the logs:
Config Error: Cannot match against destination IP address
when resolving configuration option "highscorespamactions.rule"

Is this intended or not yet needed by someone else?

Greetings
Joachim

From shuttlebox at gmail.com Mon Feb 4 13:38:40 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Mon Feb 4 13:38:50 2008
Subject: rules: IP Address in To: expression reports Config Error
In-Reply-To:
References:
Message-ID: <625385e30802040538p2d6d0d99p412752db3a3e615f@mail.gmail.com>

On Feb 4, 2008 2:29 PM, Joachim Holzfuss wrote:
> Hi,
>
> I was under the impression from reading the examples and README files
> located in the rules directory
> that I can setup a highscore spam policy based
> on a receiving mailserver specified like
>
> To: IP.AD.DR.ESS delete
>
> This works for From: but not for To: or FromOrTo:
> Instead I get in the logs:
> Config Error: Cannot match against destination IP address
> when resolving configuration option "highscorespamactions.rule"
>
> Is this intended or not yet needed by someone else?

The destination is not yet known, it's worked out by your MTA after
MailScanner releases control over the mail.
--
/peter

From MailScanner at ecs.soton.ac.uk Mon Feb 4 13:40:16 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 4 13:40:41 2008
Subject: rules: IP Address in To: expression reports Config Error
In-Reply-To:
References:
Message-ID: <47A715C0.3000108@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joachim Holzfuss wrote:
> Hi,
>
> I was under the impression from reading the examples and README files
> located in the rules directory
> that I can setup a highscore spam policy based
> on a receiving mailserver specified like
>
> To: IP.AD.DR.ESS delete
>
> This works for From: but not for To: or FromOrTo:
> Instead I get in the logs:
> Config Error: Cannot match against destination IP address
> when resolving configuration option "highscorespamactions.rule"
>
> Is this intended or not yet needed by someone else?
>
It's intended. You don't know the IP address you are delivering a
message to until you have delivered it. So you can't test against the
delivery IP address.
> Greetings
> Joachim
>
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHpxXAEfZZRxQVtlQRArcnAKDcr+mha1tkRmBUGzi8zHgN3ihtPACfSiPp
F8zWbfKY2/yMsXUNxZ7uAd8=
=5qtz
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
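The two answers given in these threads (a "From:" IP rule is compared only with the address of the connecting SMTP client, and a "To:" or "FromOrTo:" rule cannot take an IP address) can be modelled in a few lines. This is an added Python illustration, not MailScanner's own code: the matching functions are a simplified model, the recipient address and the 192.0.2.10 rule are constructed, and treating 10.1.5.4 as the connecting client is an assumption made for the demonstration.

```python
"""Simplified model of MailScanner ruleset matching (added example, not MailScanner code)."""
import re
from fnmatch import fnmatch

IP_PATTERN = re.compile(r"\d{1,3}(\.\d{1,3}){0,3}\.?")        # 66.63.168. or a full address
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # [66.63.168.38] in Received:
DIRECTIONS = {"from", "to", "fromorto"}


class ConfigError(Exception):
    """Raised for a ruleset line that can never be evaluated."""


def parse_ruleset(text, option):
    """Return [(direction, pattern, value)]; reject IP patterns on To:/FromOrTo:."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ConfigError(f"malformed rule: {line!r}")
        direction, pattern, value = fields
        direction = direction.rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ConfigError(f"unknown direction in rule: {line!r}")
        if IP_PATTERN.fullmatch(pattern) and direction != "from":
            # The delivery IP is chosen by the MTA after scanning has finished,
            # so at scan time there is no destination address to compare with.
            raise ConfigError("Cannot match against destination IP address when "
                              f'resolving configuration option "{option}"')
        rules.append((direction, pattern, value.strip()))
    return rules


def ip_rule_matches(pattern, ip):
    """Compare whole leading octets, so '66.63.168.' never matches 66.63.16.8."""
    wanted = pattern.rstrip(".").split(".")
    return ip.split(".")[:len(wanted)] == wanted


def address_matches(pattern, address):
    """Wildcards as in '*@example.com'; a bare domain means any user at it."""
    if "@" not in pattern:
        pattern = "*@" + pattern
    return fnmatch(address.lower(), pattern.lower())


def evaluate(rules, client_ip, sender, recipients):
    """First matching rule wins; 'default' applies only if nothing else matched."""
    default = None
    for direction, pattern, value in rules:
        if pattern == "default":
            default = value if default is None else default
        elif IP_PATTERN.fullmatch(pattern):
            # Only the connecting SMTP client is tested, never the Received: chain.
            if ip_rule_matches(pattern, client_ip):
                return value
        else:
            candidates = [sender] if direction in ("from", "fromorto") else []
            if direction in ("to", "fromorto"):
                candidates.extend(recipients)
            if any(address_matches(pattern, a) for a in candidates):
                return value
    return default


def ignored_header_hits(rules, client_ip, headers):
    """IP rules that match some Received: hop but not the connecting client."""
    hops = BRACKETED_IP.findall(headers)
    hits = []
    for _direction, pattern, _value in rules:
        if IP_PATTERN.fullmatch(pattern) and not ip_rule_matches(pattern, client_ip):
            hits.extend((pattern, hop) for hop in hops if ip_rule_matches(pattern, hop))
    return hits


# The blacklist ruleset quoted in the thread.
BLACKLIST = """\
From:     66.63.168.   yes
FromOrTo: default      no
"""

# Hop lines of the Received: chain posted in the thread (other text trimmed).
HEADERS = """\
Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
"""

SENDER = "travel-offers@mytravfolks.com"   # X-SGSI-From in the posted message
RECIPIENTS = ["user@example.org"]          # constructed; the archive strips it

if __name__ == "__main__":
    rules = parse_ruleset(BLACKLIST, "Is Definitely Spam")
    for client in ("66.63.168.38", "10.1.5.4"):   # 10.1.5.4 as client is assumed
        print(client, "->", evaluate(rules, client, SENDER, RECIPIENTS),
              "| ignored header hits:", ignored_header_hits(rules, client, HEADERS))
    try:
        parse_ruleset("To: 192.0.2.10 delete", "highscorespamactions.rule")
    except ConfigError as err:
        print("Config Error:", err)
```

The `ignored_header_hits` helper is the diagnostic to reach for when a blacklist rule "should have matched": it lists relays that appear in the Received: chain and match an IP rule, yet were never tested because a different host made the SMTP connection.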
From glenn.steen at gmail.com Mon Feb 4 14:16:27 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Feb 4 14:16:38 2008
Subject: How to understand spamassasin speed
In-Reply-To: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it>
References: <200802041349.08195.gcle@smcaus.com.au> <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com> <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it>
Message-ID: <223f97700802040616j59598419p2a267b1a1f814ead@mail.gmail.com>

On 04/02/2008, Marcello Anderlini wrote:
> Hello everybody,
> Is there any way to test the speed of single spamassassin test so to know
> which is slowing my system ?
>
> I've done spamassassin -D --lint 2>/tmp/speed.txt but there is now way to
> understand how may time each process takes long ?
>
> Thanks for your help and sorry for my worst English
>
> Best regards
>
> Marcello
>
Two things, one simple, one a little less simple:

1) Don't redirect the debug info to a file, just let it scroll by.
When it pauses, you'll likely see what it has done (which isn't the
cause) and will (with a little luck and speed on ... redirecting
stderr to stdout isn't bad either) see what took so long to perform
once it "unclogs";).

2) Install and use MailWatch. On the Tools page you have a link
"SpamAssassin lint (Test)" which will colorize and time each line of
the output... Unfortunately, this will likely not test the most
obvious culprits... Network related tests... To test these, one cannot
just do a simple lint anymore, one has to provide a test message like
in
spamassassin -D -t < /path/to/message file
... It shouldn't be hard to make MailWatch do that though:-).
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From donald.dawson at bakerbotts.com Mon Feb 4 15:26:57 2008
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Mon Feb 4 15:27:10 2008
Subject: How to understand spamassasin speed
In-Reply-To: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Marcello Anderlini
> Sent: Monday, February 04, 2008 5:05 AM
> To: 'MailScanner discussion'
> Subject: How to understand spamassasin speed
>
>
> Hello everybody,
> Is there any way to test the speed of single spamassassin
> test so to know
> which is slowing my system ?
>
> I've done spamassassin -D --lint 2>/tmp/speed.txt but there
> is now way to
> understand how may time each process takes long ?
>
> Thanks for your help and sorry for my worst English
>
> Best regards
>
> Marcello
>
One of our new mail servers had been blocked by spamhaus and that was
causing additional delays.

I added the following to the spamassassin prefs file on our MX server
and the processing time per message improved by 3 seconds. Someone with
more experience in this mail list can verify if this is correct, or too
extensive in dropping RBL lookups.

# 11/22/07 DLD - from ms listsever - stops spamhaus lookups
score __RCVD_IN_ZEN 0.0
score RCVD_IN_SBL 0.0
score RCVD_IN_XBL 0.0
score RCVD_IN_PBL 0.0
score URIBL_SBL 0.0

# 11/26/07 DLD Timeouts using ms debug
score URIBL_RHS_DOB 0.0
score DNS_FROM_DOB 0.0

I ran:

# MailScanner --debug --debug-sa 2>&1 | awk '{printf"%s %s\n", strftime("%T"), $0}' | tee /tmp/mstest.log

This will run MailScanner in debug mode showing all of the rule lookups
and checks to RBLs. The time stamp will help show what part of the
process takes more time.
from the mailscanner output:

17:57:41 [557] dbg: async: escaping: lost or timed out requests or responses
17:57:41 [557] dbg: async: aborting after 6.184 s, deadline shrunk: URI-DNSBL, DNSBL:sbl.spamhaus.org.:9.135.130.12
17:57:41 [557] dbg: async: aborting after 6.184 s, deadline shrunk: URI-DNSBL, DNSBL:sbl.spamhaus.org.:8.135.130.12
17:57:41 [557] dbg: async: aborting after 7.286 s, deadline shrunk: URI-DNSBL, DNSBL:sbl.spamhaus.org.:42.195.169.12
17:57:41 [557] dbg: async: aborting after 7.287 s, deadline shrunk: URI-DNSBL, DNSBL:sbl.spamhaus.org.:202.77.202.74
17:57:41 [557] dbg: async: aborting after 9.813 s, deadline shrunk: DNSBL-A, dns:A:195.136.130.12.zen.spamhaus.org.
17:57:41 [557] dbg: async: aborted 5 remaining lookups

also:

09:21:31 [22541] dbg: check: subtests=__BOTNET_NOTRUST,__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID
09:21:31 [22541] dbg: bayes: untie-ing
09:21:39 [22668] dbg: dns: name server: 63.241.249.10, LocalAddr: 0.0.0.0

8 seconds for a bayes process

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183 From glenn.steen at gmail.com Mon Feb 4 16:02:58 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Feb 4 16:03:10 2008 Subject: How to understand spamassasin speed In-Reply-To: References: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it> Message-ID: <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> On 04/02/2008, donald.dawson@bakerbotts.com wrote: > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Marcello Anderlini > > Sent: Monday, February 04, 2008 5:05 AM > > To: 'MailScanner discussion' > > Subject: How to understand spamassasin speed > > > > > > Hello everybody, > > Is there any way to test the speed of single spamassassin > > test so to know > > which is slowing my system ? > > > > I've done spamassassin -D --lint 2>/tmp/speed.txt but there > > is now way to > > understand how may time each process takes long ? > > > > Thanks for your help and sorry for my worst English > > > > Best regards > > > > Marcello > > > One of our new mail servers had been blocked by spamhaus and that was > causing additional delays. > > I added the following to the spamassassin prefs file on our MX server > and the processing time per message improved by 3 seconds. Someone with > more experience in this mail list can verify if this is correct, or too > extensive in dropping RBL lookups. > > # 11/22/07 DLD - from ms listsever - stops spamhaus lookups > score __RCVD_IN_ZEN 0.0 > score RCVD_IN_SBL 0.0 > score RCVD_IN_XBL 0.0 > score RCVD_IN_PBL 0.0 > score URIBL_SBL 0.0 > > # 11/26/07 DLD Timeouts using ms debug > score URIBL_RHS_DOB 0.0 > score DNS_FROM_DOB 0.0 > > I ran: > > # MailScanner --debug --debug-sa 2>&1 | awk '{printf"%s %s\n", > strftime("%T"), $0}' | tee /tmp/mstest.log > Granularity of seconds is a bit limited.... Use strftime("&t:%N") for subsecond timings. Granted, seconds will likely be enough to see any blatant problems. 
Also, since we're debugging SA, it'd be better to just use spamassassin -D -t < /path/to/message file | awk '{printf"%s %s\n",strftime("%T:%N"), $0}' | tee /tmp/mstest.log ... IMO:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Feb 4 16:07:25 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Feb 4 16:07:36 2008 Subject: How to understand spamassasin speed In-Reply-To: <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> References: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it> <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> Message-ID: <223f97700802040807ga6b7e80p5f34b03d5736aba0@mail.gmail.com> On 04/02/2008, Glenn Steen wrote: > On 04/02/2008, donald.dawson@bakerbotts.com > wrote: > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > > Of Marcello Anderlini > > > Sent: Monday, February 04, 2008 5:05 AM > > > To: 'MailScanner discussion' > > > Subject: How to understand spamassasin speed > > > > > > > > > Hello everybody, > > > Is there any way to test the speed of single spamassassin > > > test so to know > > > which is slowing my system ? > > > > > > I've done spamassassin -D --lint 2>/tmp/speed.txt but there > > > is now way to > > > understand how may time each process takes long ? > > > > > > Thanks for your help and sorry for my worst English > > > > > > Best regards > > > > > > Marcello > > > > > One of our new mail servers had been blocked by spamhaus and that was > > causing additional delays. > > > > I added the following to the spamassassin prefs file on our MX server > > and the processing time per message improved by 3 seconds. Someone with > > more experience in this mail list can verify if this is correct, or too > > extensive in dropping RBL lookups. 
> > > > # 11/22/07 DLD - from ms listsever - stops spamhaus lookups > > score __RCVD_IN_ZEN 0.0 > > score RCVD_IN_SBL 0.0 > > score RCVD_IN_XBL 0.0 > > score RCVD_IN_PBL 0.0 > > score URIBL_SBL 0.0 > > > > # 11/26/07 DLD Timeouts using ms debug > > score URIBL_RHS_DOB 0.0 > > score DNS_FROM_DOB 0.0 > > > > I ran: > > > > # MailScanner --debug --debug-sa 2>&1 | awk '{printf"%s %s\n", > > strftime("%T"), $0}' | tee /tmp/mstest.log > > > Granularity of seconds is a bit limited.... Use strftime("&t:%N") for > subsecond timings. > Granted, seconds will likely be enough to see any blatant problems. > Also, since we're debugging SA, it'd be better to just use > spamassassin -D -t < /path/to/message file | awk '{printf"%s > %s\n",strftime("%T:%N"), $0}' | tee /tmp/mstest.log > ... IMO:) What a crock of BS... Please disregard.... I'm obviously still not recovered from last weeks illness. Sigh. Sorry. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From J.Ede at birchenallhowden.co.uk Mon Feb 4 16:18:11 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Feb 4 16:19:20 2008 Subject: How to understand spamassasin speed In-Reply-To: <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> References: <009501c8671d$c196b0d0$2e01a8c0@dbdomain.database.it> , <223f97700802040802i489c112bh7f412910c5d19d74@mail.gmail.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760CE7581D68@server02.bhl.local> Information about running the debug with time stamps would probably be quite useful in the Wiki as its something quite handy to know. 
Jason ________________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen [glenn.steen@gmail.com] Sent: 04 February 2008 16:02 To: MailScanner discussion Subject: Re: How to understand spamassasin speed On 04/02/2008, donald.dawson@bakerbotts.com wrote: > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Marcello Anderlini > > Sent: Monday, February 04, 2008 5:05 AM > > To: 'MailScanner discussion' > > Subject: How to understand spamassasin speed > > > > > > Hello everybody, > > Is there any way to test the speed of single spamassassin > > test so to know > > which is slowing my system ? > > > > I've done spamassassin -D --lint 2>/tmp/speed.txt but there > > is now way to > > understand how may time each process takes long ? > > > > Thanks for your help and sorry for my worst English > > > > Best regards > > > > Marcello > > > One of our new mail servers had been blocked by spamhaus and that was > causing additional delays. > > I added the following to the spamassassin prefs file on our MX server > and the processing time per message improved by 3 seconds. Someone with > more experience in this mail list can verify if this is correct, or too > extensive in dropping RBL lookups. > > # 11/22/07 DLD - from ms listsever - stops spamhaus lookups > score __RCVD_IN_ZEN 0.0 > score RCVD_IN_SBL 0.0 > score RCVD_IN_XBL 0.0 > score RCVD_IN_PBL 0.0 > score URIBL_SBL 0.0 > > # 11/26/07 DLD Timeouts using ms debug > score URIBL_RHS_DOB 0.0 > score DNS_FROM_DOB 0.0 > > I ran: > > # MailScanner --debug --debug-sa 2>&1 | awk '{printf"%s %s\n", > strftime("%T"), $0}' | tee /tmp/mstest.log > Granularity of seconds is a bit limited.... Use strftime("&t:%N") for subsecond timings. Granted, seconds will likely be enough to see any blatant problems. 
Also, since we're debugging SA, it'd be better to just use spamassassin -D -t < /path/to/message file | awk '{printf"%s %s\n",strftime("%T:%N"), $0}' | tee /tmp/mstest.log ... IMO:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Mon Feb 4 16:36:22 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Feb 4 16:36:52 2008 Subject: "Is Definitely Spam" rule not working ? In-Reply-To: <47A6FEAF.5050306@ecs.soton.ac.uk> References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> Message-ID: on 2/4/2008 4:01 AM Julian Field spake the following: > > > Scott Silva wrote: >> * PGP Signed by an unknown key > >> on 2/1/2008 3:56 AM Pascal Maes spake the following: >>> Le 01-f??vr.-08 ? 12:38, Julian Field a ??crit : >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> >>>> >>>> Pascal Maes wrote: >>>>> Hello, >>>>> >>>>> >>>>> In MailScanner.conf, we have >>>>> >>>>> # Spam Blacklist: >>>>> # Make this point to a ruleset, and anything in that ruleset whose >>>>> value >>>>> # is "yes" will *always* be marked as spam. >>>>> # This value can be over-ridden by the "Is Definitely Not Spam" >>>>> setting. >>>>> # This can also be the filename of a ruleset. >>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no >>>>> >>>>> >>>>> In spam_blacklist.rules, we have : >>>>> >>>>> From: 66.63.168. 
yes >>>>> >>>>> FromOrTo: default no >>>>> >>>>> >>>>> >>>>> As this rule could be over-ridden, I check that >>>>> >>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules >>>>> >>>>> the file spam_whitelist.rules doesn't contain anything about that >>>>> domain or IP or the recipient >>>>> >>>>> >>>>> Then, I wonder why the following mail was not tagged as SPAM >>>>> >>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) >>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server >>>>> 6.3-4.01 (built >>>>> Aug 3 2007; 32bit)) with ESMTP id >>>>> <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be> >>>>> for (ORCPT email_address); Thu, >>>>> 31 Jan 2008 20:21:28 +0100 (CET) >>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain >>>>> [127.0.0.1]) >>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for >>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET) >>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38]) >>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for >>>>> ; Thu, >>>>> 31 Jan 2008 20:21:38 +0100 (CET) >>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id >>>>> hk8fra01g741; Thu, >>>>> 31 Jan 2008 14:19:07 -0500 >>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500 >>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST) >>>>> From: Travel Offers >>>>> X-SGSI-MailScanner: Found to be clean >>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached, score=3.5, >>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50) >>>> Because it scored 3.5 where the required score is 5. >>>>> X-SGSI-Spam-Score: sss >>>>> X-SGSI-From: travel-offers@mytravfolks.com >>>>> X-SGSI-Spam-Status: No >>>>> >>>>> -- >>>>> Pascal >>>>> >>>>> >>>>> >>>> Jules >>>> >>> yes but as we have the header >>> >>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38]) >>> >>> which matches the rule in spam_blacklist.rules >>> >>> From: 66.63.168. 
yes
>>>
>>> The message should have been tagged Spam
>>>
>>>
>>> --
>>> Pascal
>>>
>>>
>>>
>> Do those rules check all received headers, or just the last one
>> received from?
>> Julian would know for sure.
>
> They just check the last one, the IP address of the SMTP client that
> sent the message to your server.
>
> Jules
>
Then there is the answer. As far as mailscanner is concerned, the above
message came from;
Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
which doesn't match your blacklist. The only host that it would have
matched on would have been smtp4.sgsi.ucl.ac.be if that is in your control.

Thanks Julian for the clarification!

MailScanner rocks!!!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080204/a8490ec5/signature.bin

From ugob at lubik.ca Mon Feb 4 16:51:07 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Feb 4 16:51:36 2008
Subject: Mail::ClamAV
Message-ID:

Hi,

Server: Centos 4 X64

Resolved: Problem 1: Can't compile Mail::ClamAV 0.21. Tried CPAN,
source, and Julian's package, they all give the same result. I had to
install bzip2-devel and then it compiled.

Problem 2: I also tried the perl-Mail-ClamAV from the rpmforge
repository. However, MailScanner can't find it, even after a 'ldconfig'.

Here is the list of the files included by perl-Mail-ClamAV

/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/Mail
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/Mail/ClamAV.pm
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.bs
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so
/usr/share/doc/perl-Mail-ClamAV-0.21
/usr/share/doc/perl-Mail-ClamAV-0.21/Changes
/usr/share/doc/perl-Mail-ClamAV-0.21/INSTALL
/usr/share/doc/perl-Mail-ClamAV-0.21/MANIFEST
/usr/share/doc/perl-Mail-ClamAV-0.21/META.yml
/usr/share/doc/perl-Mail-ClamAV-0.21/README
/usr/share/man/man3/Mail::ClamAV.3pm.gz

Compiled at Aug 15 2006 05:56:23
@INC:
/usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi
/usr/lib/perl5/5.8.5
/usr/lib64/perl5/site_perl/5.8.5/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.4/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.3/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.2/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.1/x86_64-linux-thread-multi
/usr/lib64/perl5/site_perl/5.8.0/x86_64-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.5
/usr/lib/perl5/site_perl/5.8.4
/usr/lib/perl5/site_perl/5.8.3
/usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1
/usr/lib/perl5/site_perl/5.8.0
/usr/lib/perl5/site_perl
/usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.4/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.3/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.2/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.1/x86_64-linux-thread-multi
/usr/lib64/perl5/vendor_perl/5.8.0/x86_64-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.5
/usr/lib/perl5/vendor_perl/5.8.4
/usr/lib/perl5/vendor_perl/5.8.3
/usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . I don't understand how come MailScanner can't find it... Regards, Ugo From MailScanner at ecs.soton.ac.uk Mon Feb 4 18:13:47 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Feb 4 18:14:13 2008 Subject: Mail::ClamAV In-Reply-To: References: Message-ID: <47A755DB.7080706@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ugo Bellavance wrote: > Hi, > > Server: Centos 4 X64 > > Resolved: Problem 1: Can't compile Mail::ClamAV 0.21. Tried CPAN, > source, and Julian's package, they all give the same result. I had to > install bzip2-devel and then it compiled. > > Problem 2: I also tried the perl-Mail-ClamAV from the rpmforge > repository. However, MailScanner can't find it, even after a 'ldconfig'. > > Here is the list of the flies included by perl-Mail-ClamAV > > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/Mail > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/Mail/ClamAV.pm > > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV > > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.bs > > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so > What do you get from an "ldd" on this file? 
> /usr/share/doc/perl-Mail-ClamAV-0.21 > /usr/share/doc/perl-Mail-ClamAV-0.21/Changes > /usr/share/doc/perl-Mail-ClamAV-0.21/INSTALL > /usr/share/doc/perl-Mail-ClamAV-0.21/MANIFEST > /usr/share/doc/perl-Mail-ClamAV-0.21/META.yml > /usr/share/doc/perl-Mail-ClamAV-0.21/README > /usr/share/man/man3/Mail::ClamAV.3pm.gz > > > > Compiled at Aug 15 2006 05:56:23 > @INC: > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi > /usr/lib/perl5/5.8.5 > /usr/lib64/perl5/site_perl/5.8.5/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.4/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.3/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.2/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.1/x86_64-linux-thread-multi > /usr/lib64/perl5/site_perl/5.8.0/x86_64-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.5 > /usr/lib/perl5/site_perl/5.8.4 > /usr/lib/perl5/site_perl/5.8.3 > /usr/lib/perl5/site_perl/5.8.2 > /usr/lib/perl5/site_perl/5.8.1 > /usr/lib/perl5/site_perl/5.8.0 > /usr/lib/perl5/site_perl > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.4/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.3/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.2/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.1/x86_64-linux-thread-multi > /usr/lib64/perl5/vendor_perl/5.8.0/x86_64-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.5 > /usr/lib/perl5/vendor_perl/5.8.4 > /usr/lib/perl5/vendor_perl/5.8.3 > /usr/lib/perl5/vendor_perl/5.8.2 > /usr/lib/perl5/vendor_perl/5.8.1 > /usr/lib/perl5/vendor_perl/5.8.0 > /usr/lib/perl5/vendor_perl > . > > > I don't understand how come MailScanner can't find it... > > Regards, > Ugo > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: Use Thunderbird's Enigmail add-on to verify this message
Charset: ISO-8859-1

wj8DBQFHp1XdEfZZRxQVtlQRAuv9AKDYcrnmfpuVL/8slAfTvx7gcLpQWQCfQBCa
a/GV0YHqOr2XeMtsIisvKms=
=o+TY
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ugob at lubik.ca Mon Feb 4 18:27:52 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Feb 4 18:30:18 2008
Subject: Mail::ClamAV
In-Reply-To: <47A755DB.7080706@ecs.soton.ac.uk>
References: <47A755DB.7080706@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:

>> /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so
>>
> What do you get from an "ldd" on this file?

[root@relay9 Mail-ClamAV-0.21]# ldd /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so
libz.so.1 => /usr/lib64/libz.so.1 (0x0000002a9566a000)
libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x0000002a9577d000)
libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x0000002a9588c000)
libclamav.so.3 => /usr/lib64/libclamav.so.3 (0x0000002a959c1000)
libc.so.6 => /lib64/tls/libc.so.6 (0x0000002a95b5a000)
libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x0000002a95d8f000)
libclamunrar_iface.so.3 => /usr/lib64/libclamunrar_iface.so.3 (0x0000002a95ea5000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x0000002a95fa7000)
/lib64/ld-linux-x86-64.so.2 (0x000000552aaaa000)
libclamunrar.so.3 => /usr/lib64/libclamunrar.so.3 (0x0000002a960be000)

Regards,

Ugo

From MailScanner at ecs.soton.ac.uk Mon Feb 4 18:40:26 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 4 18:40:52 2008
Subject: Mail::ClamAV
In-Reply-To:
References: <47A755DB.7080706@ecs.soton.ac.uk>
Message-ID: <47A75C1A.9090003@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 If you try to build the module by hand, does it work when you do the "make test" stage? Don't do the "make install", just all the steps up to it. Ugo Bellavance wrote: > Julian Field wrote: >>> /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so >>> >> What do you get from an "ldd" on this file? > > [root@relay9 Mail-ClamAV-0.21]# ldd > /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi/auto/Mail/ClamAV/ClamAV.so > > libz.so.1 => /usr/lib64/libz.so.1 (0x0000002a9566a000) > libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x0000002a9577d000) > libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x0000002a9588c000) > libclamav.so.3 => /usr/lib64/libclamav.so.3 (0x0000002a959c1000) > libc.so.6 => /lib64/tls/libc.so.6 (0x0000002a95b5a000) > libpthread.so.0 => /lib64/tls/libpthread.so.0 > (0x0000002a95d8f000) > libclamunrar_iface.so.3 => /usr/lib64/libclamunrar_iface.so.3 > (0x0000002a95ea5000) > libnsl.so.1 => /lib64/libnsl.so.1 (0x0000002a95fa7000) > /lib64/ld-linux-x86-64.so.2 (0x000000552aaaa000) > libclamunrar.so.3 => /usr/lib64/libclamunrar.so.3 > (0x0000002a960be000) > > Regards, > > Ugo > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: Use Thunderbird's Enigmail add-on to verify this message Charset: ISO-8859-1 wj8DBQFHp1wcEfZZRxQVtlQRAqF+AKDSzhvhj3yuli2qw17HUb7dJh+6LgCg7lrH /lhyfR05zOVmzeXOYRkTKlI= =RvTV -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ugob at lubik.ca Mon Feb 4 18:53:03 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Feb 4 18:53:25 2008
Subject: Mail::ClamAV
In-Reply-To: <47A75C1A.9090003@ecs.soton.ac.uk>
References: <47A755DB.7080706@ecs.soton.ac.uk> <47A75C1A.9090003@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you try to build the module by hand, does it work when you do the
> "make test" stage?
> Don't do the "make install", just all the steps up to it.

[root@server Mail-ClamAV-0.21]# make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/Mail-ClamAV....ok
All tests successful.
Files=1, Tests=10, 3 wallclock secs ( 2.47 cusr + 0.12 csys = 2.59 CPU)

From MailScanner at ecs.soton.ac.uk Mon Feb 4 19:30:36 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 4 19:31:09 2008
Subject: Mail::ClamAV
In-Reply-To:
References: <47A755DB.7080706@ecs.soton.ac.uk> <47A75C1A.9090003@ecs.soton.ac.uk>
Message-ID: <47A767DC.2040900@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmmm.....
If you set "Virus Scanners = clamavmodule", then what does "MailScanner
- --debug" say? Anything interesting? And "MailScanner --lint"?

Ugo Bellavance wrote:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> If you try to build the module by hand, does it work when you do the
>> "make test" stage?
>> Don't do the "make install", just all the steps up to it.
>
> [root@server Mail-ClamAV-0.21]# make test
> PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e"
> "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
> t/Mail-ClamAV....ok
> All tests successful.
> Files=1, Tests=10, 3 wallclock secs ( 2.47 cusr + 0.12 csys = 2.59
> CPU)
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: Use Thunderbird's Enigmail add-on to verify this message
Charset: ISO-8859-1

wj8DBQFHp2fjEfZZRxQVtlQRAppxAJ9iVAvidDIXRNOVCyFAVFSALkKSfwCg600z
5CooKhk8LFOusNlAHo5l8eE=
=lgoF
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From hvdkooij at vanderkooij.org Mon Feb 4 19:49:11 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Feb 4 19:50:08 2008
Subject: OT? SPAM network top 100 of 2008-02-02
In-Reply-To: <027801c8672f$76d65160$0202fea9@support01>
References: <027801c8672f$76d65160$0202fea9@support01>
Message-ID: <47A76C37.6080206@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nigel Kendrick wrote:
| Thanks for the list - is it available as a MailScanner blacklist so I can
| just drop it in place and live a quiet life???

Just go to the Trend Micro website and test the ERS RBL.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHp2wzBvzDRVjxmYERAjSgAJ9ayexMOaoKAQ9wRqAvRnXklJ052gCfW7Td
5vAuoP4J3H+VstXQyLG4Dpw=
=2FIr
-----END PGP SIGNATURE-----

From ugob at lubik.ca Mon Feb 4 19:55:07 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Feb 4 19:55:29 2008
Subject: Mail::ClamAV
In-Reply-To: <47A767DC.2040900@ecs.soton.ac.uk>
References: <47A755DB.7080706@ecs.soton.ac.uk> <47A75C1A.9090003@ecs.soton.ac.uk> <47A767DC.2040900@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hmmm.....
> If you set "Virus Scanners = clamavmodule", then what does "MailScanner
> - --debug" say? Anything interesting? And "MailScanner --lint"?

[root@server ~]# MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
ClamAV Perl module not found, did you install it? at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 507

Same thing with --lint

From ugob at lubik.ca Mon Feb 4 20:37:36 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Feb 4 20:38:10 2008
Subject: Can't upgrade some perl modules
In-Reply-To: <57368.10.0.0.31.1197908211.squirrel@webmail.rpcs.net>
References: <57368.10.0.0.31.1197908211.squirrel@webmail.rpcs.net>
Message-ID:

Richard Potter wrote:
> On Mon, December 17, 2007 9:14 am, Ugo Bellavance wrote:
>
>> Hi,
>>
>> This is MailScanner version 4.61.7
>>
>> When I try a yum update (using rpmforge), I get these errors, so I can't
>> really update my systems:
>>
>> file /usr/share/man/man3/bigint.3pm.gz conflicts between attempted
>> installs of perl-5.8.0-97.EL3 and perl-bignum-0.22-1.el3.rf
>> file /usr/share/man/man3/bignum.3pm.gz conflicts between attempted
>> installs of perl-5.8.0-97.EL3 and perl-bignum-0.22-1.el3.rf
>> file /usr/share/man/man3/bigrat.3pm.gz conflicts between attempted
>> installs of perl-5.8.0-97.EL3 and perl-bignum-0.22-1.el3.rf
>> file /usr/share/man/man3/Test::Builder.3pm.gz conflicts between
>> attempted installs of perl-Test-Simple-0.74-1.el3.rf and perl-5.8.0-97.EL3
>> file /usr/share/man/man3/Test::More.3pm.gz conflicts between attempted
>> installs of perl-Test-Simple-0.74-1.el3.rf and perl-5.8.0-97.EL3
>> file /usr/share/man/man3/Test::Simple.3pm.gz conflicts between attempted
>> installs of perl-Test-Simple-0.74-1.el3.rf and perl-5.8.0-97.EL3
>> file /usr/share/man/man3/Test::Tutorial.3pm.gz conflicts between
>> attempted installs of perl-Test-Simple-0.74-1.el3.rf and perl-5.8.0-97.EL3
>>
>> Is there a way to update w/o having to upgrade MS?
>
> This *appears* to be a yum problem. I have installed the following
> plugins, to work around this problem. This is on my testing box.
>
> # yum install yum-fastestmirror yum-skip-broken yum-kmod yum-kernel-module
> yum-priorities

yum-plugin-priorities, yum-plugin-fastestmirror, in fact... (maybe it has changed name)

Ugo

From gcle at smcaus.com.au Mon Feb 4 21:09:42 2008
From: gcle at smcaus.com.au (Gerard Cleary)
Date: Mon Feb 4 21:10:05 2008
Subject: MailScanner cannot analyse tif files
In-Reply-To: <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>
References: <9da1d3183d985e4dad43a9e37dbcc67e@solidstatelogic.com>
Message-ID: <200802050809.42529.gcle@smcaus.com.au>

On Mon, 4 Feb 2008 20:00:06 Martin.Hepworth wrote:
> Hi
>
> This is normally an antivirus issue, and the error comes from that.
>
> What AV you using?
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

Thanks for the reply.
We use Kaspersky - scanner for Linux version 5.5.

Gerard.
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gerard Cleary
> > Sent: 04 February 2008 02:49
> > To: mailscanner@lists.mailscanner.info
> > Subject: MailScanner cannot analyse tif files
> >
> > Hi there,
> >
> > Our company has started receiving tif files from our parent company in
> > Japan.
> > Unfortunately, MailScanner cannot analyse them and it produces a message:
> > "MailScanner: Could not analyze message".
> >
> > When I bypass MailScanner, the file gets delivered and when I run the
> > "file"
> > command I get the following output:
> > [gcle@msf ~]$ file XAM00011.tif
> > XAM00011.tif: TIFF image data, little-endian
> > [gcle@msf ~]$ file -i XAM00011.tif
> > XAM00011.tif: image/tiff
> >
> > I have tried to get tif files bypassed by MailScanner using the following
> > line
> > in filename.rules.conf: (without the
> > diamond
> > brackets of course and with the whitespace between fields all TABs) and a
> > matching line in filetype.rules.conf: (same
> > provisos as above).
> >
> > Getting desperate, I put an entry into allow.filenames.rules: > \.tif> and an entry into allow.filetypes.rules:
> > (again,
> > with the same provisos as above).
> >
> > I still get the "couldn't analyze" message so I then asked for a sample
> > of the
> > tif file from our technical department who use these files in their work.
> >
> > When I received it I ran the "file" command as usual and I got the
> > following
> > results:
> > [gcle@msf ~]$ file XAL00471.tif
> > XAL00471.tif: TIFF image data, big-endian
> > [gcle@msf ~]$ file -i XAL00471.tif
> > XAL00471.tif: image/tiff
> >
> > It seems that once the file has been through the technical department, it
> > is
> > turned into a "big-endian" file and MailScanner has no problem with it at
> > all. (Our parent company in Japan use AS400 mainframes.)
> >
> > I am using MailScanner 4.65.3 on Centos Release 4.4 and Sendmail 8.14.0.
> >
> > I have tried having the MailScanner configuration "TNEF Expander"
> > saying "internal" and then saying "/usr/bin/tnef" (with an accompanying
> > maxsize setting many times greater than these tif files) but there is no
> > change in the resulting message.
> >
> > I have checked the archives for "endian" entries but the four entries
> > that come up have "endian" as a minor detail.
> >
> > I had thought that the "endian" bit format would be transparent to users
> > because the operating systems were meant to "deal" with it but maybe I'm
> > badly mistaken.
> >
> > Does anybody know what the problem really is please and how I can get
> > around
> > it in MailScanner? I can provide the two named files above if anybody
> > thought that might be useful.
> >
> > In the meantime, I have turned off all MailScanner checking of any eMail
> > from
> > our parent company but this is not our preferred option.
> >
> > Gerard.
> >

--
--
Gerard Cleary
Systems Administrator
SMC Pneumatics (Australia) P/L
Ph: +61 2 9354 8222

--
This email message and any related attachments are confidential and should only be read by those persons to whom they were addressed. They may contain copyright, personal or legally privileged information. If you are not the intended recipient of this email, any use of this information is strictly prohibited and it must be deleted from your system. Views expressed in this message are the views of the sender and are not necessarily views of SMC Corporation, or its subsidiaries, except where the message expressly states otherwise. Any advice contained herein should be treated as preliminary advice only and subject to formal written confirmation. Although this email and any attachments are believed to be free of any virus or any other defect which may cause damage or loss, it is the responsibility of the recipient to ensure that they are virus-free.
SMC accepts no liability for any loss or damage that may occur as a result of the transmission of this email or its attachments to the recipient.

From MailScanner at ecs.soton.ac.uk Mon Feb 4 22:38:13 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 4 22:38:40 2008
Subject: Mail::ClamAV
In-Reply-To:
References: <47A755DB.7080706@ecs.soton.ac.uk> <47A75C1A.9090003@ecs.soton.ac.uk> <47A767DC.2040900@ecs.soton.ac.uk>
Message-ID: <47A793D5.1040002@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In /etc/MailScanner/virus.scanners.conf, does the clamavmodule line say this:
clamavmodule /bin/false /tmp
?

If it does, then I'm starting to run out of ideas. :-(

Jules.

Ugo Bellavance wrote:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hmmm.....
>> If you set "Virus Scanners = clamavmodule", then what does
>> "MailScanner - --debug" say? Anything interesting? And "MailScanner
>> --lint"?
>
>
> [root@server ~]# MailScanner --debug
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> ClamAV Perl module not found, did you install it? at
> /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 507
>
> Same thing with --lint
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: Use Thunderbird's Enigmail add-on to verify this message
Charset: ISO-8859-1

wj8DBQFHp5PYEfZZRxQVtlQRAmTeAKCigSX7pa4BMMtZHi+6xk0MnsX+MwCdFUmF
TZUACbJV9nAiLLBIpr7gikU=
=Ypxh
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From pascal.maes at elec.ucl.ac.be Tue Feb 5 08:28:29 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Tue Feb 5 08:28:48 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk>
Message-ID: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>

On 04-Feb-08 at 17:36, Scott Silva wrote:
> on 2/4/2008 4:01 AM Julian Field spake the following:
>> Scott Silva wrote:
>>> * PGP Signed by an unknown key
>>> on 2/1/2008 3:56 AM Pascal Maes spake the following:
>>>> On 01-Feb-08 at 12:38, Julian Field wrote:
>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>>
>>>>>
>>>>> Pascal Maes wrote:
>>>>>> Hello,
>>>>>>
>>>>>>
>>>>>> In MailScanner.conf, we have
>>>>>>
>>>>>> # Spam Blacklist:
>>>>>> # Make this point to a ruleset, and anything in that ruleset
>>>>>> whose value
>>>>>> # is "yes" will *always* be marked as spam.
>>>>>> # This value can be over-ridden by the "Is Definitely Not Spam"
>>>>>> setting.
>>>>>> # This can also be the filename of a ruleset.
>>>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>>>>
>>>>>>
>>>>>> In spam_blacklist.rules, we have :
>>>>>>
>>>>>> From: 66.63.168. yes
>>>>>>
>>>>>> FromOrTo: default no
>>>>>>
>>>>>>
>>>>>>
>>>>>> As this rule could be over-ridden, I check that
>>>>>>
>>>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>>>>
>>>>>> the file spam_whitelist.rules doesn't contain anything about that
>>>>>> domain or IP or the recipient
>>>>>>
>>>>>>
>>>>>> Then, I wonder why the following mail was not tagged as SPAM
>>>>>>
>>>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>>>> 6.3-4.01 (built
>>>>>> Aug 3 2007; 32bit)) with ESMTP id
>>>>>> <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
>>>>>> for (ORCPT email_address); Thu,
>>>>>> 31 Jan 2008 20:21:28 +0100 (CET)
>>>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
>>>>>> [127.0.0.1])
>>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
>>>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for
>>>>>> ; Thu,
>>>>>> 31 Jan 2008 20:21:38 +0100 (CET)
>>>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>>>> hk8fra01g741; Thu,
>>>>>> 31 Jan 2008 14:19:07 -0500
>>>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>>>>> From: Travel Offers
>>>>>> X-SGSI-MailScanner: Found to be clean
>>>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached,
>>>>>> score=3.5,
>>>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>>>>> Because it scored 3.5 where the required score is 5.
>>>>>> X-SGSI-Spam-Score: sss
>>>>>> X-SGSI-From: travel-offers@mytravfolks.com
>>>>>> X-SGSI-Spam-Status: No
>>>>>>
>>>>>> --
>>>>>> Pascal
>>>>>>
>>>>>>
>>>>>>
>>>>> Jules
>>>>>
>>>> yes but as we have the header
>>>>
>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>>
>>>> which matches the rule in spam_blacklist.rules
>>>>
>>>> From: 66.63.168. yes
>>>>
>>>> The message should have been tagged Spam
>>>>
>>>>
>>>> --
>>>> Pascal
>>>>
>>>>
>>>>
>>> Do those rules check all received headers, or just the last one
>>> received from?
>>> Julian would know for sure.
>> They just check the last one, the IP address of the SMTP client
>> that sent the message to your server.
>> Jules
> Then there is the answer. As far as mailscanner is concerned, the
> above message came from;
> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> which doesn't match your blacklist.
> The only host that it would have matched on would have been
> smtp4.sgsi.ucl.ac.be if that is in your control.
>
> Thanks Julian for the clarification!
> MailScanner rocks!!!
>

I'm not sure.
The message here above is the message which is in the mailbox but MailScanner is acting before:

Mail --> SMTP4 (Postfix) -> MailScanner -> Postfix -> Mailboxes
(1) (2) (3)

In (1), you have Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])

In (2), Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])

In (3), Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])

The master.cf file for Postfix looks like

smtp inet n - n - 500 smtpd
    -o smtpd_client_connection_count_limit=500
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o receive_override_options=no_address_mappings
#
# For injecting mail back into postfix from ClamSMTP
127.0.0.1:10026 inet n - n - - smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Our SMTP box receives the message.
The message goes through some "before-filters" and goes back to postfix with the option

smtpd_authorized_xforward_hosts=127.0.0.0/8

to keep the headers of the previous MTA server.
Then Postfix puts the message in the HOLD queue where MailScanner takes it and puts it back into the Postfix queue.

I'm pretty sure that MailScanner should see the 66.63.168.38 IP address otherwise why is the "Is Definitely Not Spam" rule working :

Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655 from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org ) is whitelisted

Regards
--
Pascal

From glenn.steen at gmail.com Tue Feb 5 08:40:28 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 08:40:46 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
Message-ID: <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>

On 05/02/2008, Pascal Maes wrote:
>
> On 04-Feb-08 at 17:36, Scott Silva wrote:
>
> > on 2/4/2008 4:01 AM Julian Field spake the following:
> >> Scott Silva wrote:
> >>> * PGP Signed by an unknown key
> >>> on 2/1/2008 3:56 AM Pascal Maes spake the following:
> >>>> On 01-Feb-08 at 12:38, Julian Field wrote:
> >>>>
> >>>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>> Hash: SHA1
> >>>>>
> >>>>>
> >>>>>
> >>>>> Pascal Maes wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>>
> >>>>>> In MailScanner.conf, we have
> >>>>>>
> >>>>>> # Spam Blacklist:
> >>>>>> # Make this point to a ruleset, and anything in that ruleset
> >>>>>> whose value
> >>>>>> # is "yes" will *always* be marked as spam.
> >>>>>> # This value can be over-ridden by the "Is Definitely Not Spam"
> >>>>>> setting.
> >>>>>> # This can also be the filename of a ruleset.
> >>>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
> >>>>>>
> >>>>>>
> >>>>>> In spam_blacklist.rules, we have :
> >>>>>>
> >>>>>> From: 66.63.168. yes
> >>>>>>
> >>>>>> FromOrTo: default no
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> As this rule could be over-ridden, I check that
> >>>>>>
> >>>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
> >>>>>>
> >>>>>> the file spam_whitelist.rules doesn't contain anything about that
> >>>>>> domain or IP or the recipient
> >>>>>>
> >>>>>>
> >>>>>> Then, I wonder why the following mail was not tagged as SPAM
> >>>>>>
> >>>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> >>>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
> >>>>>> 6.3-4.01 (built
> >>>>>> Aug 3 2007; 32bit)) with ESMTP id
> >>>>>> <0JVI00FQIWFSZ240@mmp.sipr-dc.ucl.ac.be>
> >>>>>> for (ORCPT email_address); Thu,
> >>>>>> 31 Jan 2008 20:21:28 +0100 (CET)
> >>>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
> >>>>>> [127.0.0.1])
> >>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D for
> >>>>>> ; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
> >>>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
> >>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for
> >>>>>> ; Thu,
> >>>>>> 31 Jan 2008 20:21:38 +0100 (CET)
> >>>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
> >>>>>> hk8fra01g741; Thu,
> >>>>>> 31 Jan 2008 14:19:07 -0500
> >>>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
> >>>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
> >>>>>> From: Travel Offers
> >>>>>> X-SGSI-MailScanner: Found to be clean
> >>>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached,
> >>>>>> score=3.5,
> >>>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
> >>>>> Because it scored 3.5 where the required score is 5.
> >>>>>> X-SGSI-Spam-Score: sss
> >>>>>> X-SGSI-From: travel-offers@mytravfolks.com
> >>>>>> X-SGSI-Spam-Status: No
> >>>>>>
> >>>>>> --
> >>>>>> Pascal
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> Jules
> >>>>>
> >>>> yes but as we have the header
> >>>>
> >>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
> >>>>
> >>>> which matches the rule in spam_blacklist.rules
> >>>>
> >>>> From: 66.63.168. yes
> >>>>
> >>>> The message should have been tagged Spam
> >>>>
> >>>>
> >>>> --
> >>>> Pascal
> >>>>
> >>>>
> >>>>
> >>> Do those rules check all received headers, or just the last one
> >>> received from?
> >>> Julian would know for sure.
> >> They just check the last one, the IP address of the SMTP client
> >> that sent the message to your server.
> >> Jules
> > Then there is the answer. As far as mailscanner is concerned, the
> > above message came from;
> > Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> > which doesn't match your blacklist.
> > The only host that it would have matched on would have been
> > smtp4.sgsi.ucl.ac.be if that is in your control.
> >
> > Thanks Julian for the clarification!
> > MailScanner rocks!!!
> >
>
> I'm not sure.
> The message here above is the message which is in the mailbox but
> MailScanner is acting before:
>
> Mail --> SMTP4 (Postfix) -> MailScanner -> Postfix -> Mailboxes
> (1) (2) (3)
>
> In (1), you have Received: from rssl2.mytravfolks.com (unknown
> [66.63.168.38])
>
> In (2), Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
> [127.0.0.1])
>
> In (3), Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>
> The master.cf file for Postfix looks like
>
> smtp inet n - n - 500 smtpd
> -o smtpd_client_connection_count_limit=500
> -o smtpd_proxy_filter=127.0.0.1:10025
> -o receive_override_options=no_address_mappings
> #
> # For injecting mail back into postfix from ClamSMTP
> 127.0.0.1:10026 inet n - n - - smtpd
> -o content_filter=
> -o receive_override_options=no_unknown_recipient_checks
> -o smtpd_helo_restrictions=
> -o smtpd_client_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks_style=host
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
>
> Our SMTP box receives the message.
> The message goes through some "before-filters" and goes back to
> postfix with the option
>
> smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> to keep the headers of the previous MTA server.
> Then Postfix puts the message in the HOLD queue where MailScanner
> takes it and puts it back into the Postfix queue.
>
> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> address otherwise why is the "Is Definitely Not Spam" rule working :
>
> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
> ) is whitelisted
>
>
> Regards

Anything happening to the message _after_ MailScanner doesn't have any impact on your problem... What happens before though... You have to make sure that your SA trust_path is OK, and all should be well. Why do you use the ClamSMTP thing at all?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Feb 5 08:45:57 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 08:53:06 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
Message-ID: <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>

On 05/02/2008, Glenn Steen wrote:
> On 05/02/2008, Pascal Maes wrote:
(snip)
> > Then Postfix puts the message in the HOLD queue where MailScanner
> > takes it and puts it back into the Postfix queue.
> >
> > I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> > address otherwise why is the "Is Definitely Not Spam" rule working :
> >
> > Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
> > from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
> > ) is whitelisted
> >
> >
> > Regards
> Anything happening to the message _after_ MailScanner doesn't have any
> impact on your problem... What happens before though... You have to
> make sure that your SA trust_path is OK, and all should be well. Why
> do you use the ClamSMTP thing at all?
>
> Cheers

Oh, sorry, not an sa issue... Still, the last client to handle this is the clamsmtp thing, which might just be the problem.
Again, why do you use that? Theoretically MailScanner (through the batching, and using either clamavmodule or clamd) should be more efficient and less likely to be able to be DoS'd... That "not-really-part-of-SMTP-flow insulation" is ... golden.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From pascal.maes at elec.ucl.ac.be Tue Feb 5 09:36:03 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Tue Feb 5 09:36:20 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
Message-ID: <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>

On 05-Feb-08 at 09:45, Glenn Steen wrote:
> On 05/02/2008, Glenn Steen wrote:
>> On 05/02/2008, Pascal Maes wrote:
> (snip)
>>> Then Postfix puts the message in the HOLD queue where MailScanner
>>> takes it and puts it back into the Postfix queue.
>>>
>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
>>> address otherwise why is the "Is Definitely Not Spam" rule working :
>>>
>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
>>> ) is whitelisted
>>>
>>>
>>> Regards
>> Anything happening to the message _after_ MailScanner doesn't have
>> any
>> impact on your problem... What happens before though... You have to
>> make sure that your SA trust_path is OK, and all should be well. Why
>> do you use the ClamSMTP thing at all?
>>
>> Cheers
> Oh, sorry, not an sa issue... Still, the last client to handle this is
> the clamsmtp thing, which might just be the problem.
> Again, why do you use that? Theoretically MailScanner (through the
> batching, and using either clamavmodule or clamd) should be more
> efficient and less likely to be able to be DoS'd... That
> "not-really-part-of-SMTP-flow insulation" is ... golden.
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

One advantage of using ClamSMTP is the reject of the worm at the connection time.
As we receive a lot of mail per day, it's not negligible.

As MailScanner is using McAfee, we have two different AV to check the messages.

--
Pascal

From edward at tdcs.com.au Tue Feb 5 11:02:41 2008
From: edward at tdcs.com.au (Edward Dekkers)
Date: Tue Feb 5 11:03:50 2008
Subject: How to get certain things through
Message-ID:

Example of rejected message I'm sending (relevant names/IPs changed)

Our e-mail content detector has just been triggered by a message you sent:
To:
Subject: Try again
Date: Tue Feb 5 19:22:40 2008

One or more of the attachments (menu_content.js, warrantyresult.asp.htm, validate.js, support.js, utilities.js, Westan.zip, fw_menu.js) are on the list of unacceptable attachments for this site and will not have been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: MailScanner: JScript Scripts are dangerous in email (menu_content.js)
Report: MailScanner: Attempt to hide real filename extension (warrantyresult.asp.htm)
Report: MailScanner: JScript Scripts are dangerous in email (support.js)
Report: MailScanner: JScript Scripts are dangerous in email (validate.js)
Report: MailScanner: JScript Scripts are dangerous in email (utilities.js)
Report: MailScanner: JScript Scripts are dangerous in email (fw_menu.js)

--
MailScanner
Email Virus Scanner

For all your IT requirements visit: http://www.transtec.co.uk

I've added my recipient to the spam.whitelist.rules and whitelist.rules:

FromOrTo: *@ yes

The message attachment still gets quarantined.

Is there any way to say like "listen up MailScanner - whenever I send to the following address, just shut the hell up and send it already, don't even bother looking at this message"

Reason I ask is that this is the second time something like this has happened, and when I send stuff OUT of my network, sometimes I need to send stuff like this.

I'd already zipped the files too, but MailScanner is obviously too clever for that as well.

Regards,
Ed.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From glenn.steen at gmail.com Tue Feb 5 11:31:36 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 11:31:46 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
Message-ID: <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>

On 05/02/2008, Pascal Maes wrote:
>
> On 05-Feb-08 at 09:45, Glenn Steen wrote:
>
> > On 05/02/2008, Glenn Steen wrote:
> >> On 05/02/2008, Pascal Maes wrote:
> > (snip)
> >>> Then Postfix puts the message in the HOLD queue where MailScanner
> >>> takes it and puts it back into the Postfix queue.
> >>>
> >>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> >>> address otherwise why is the "Is Definitely Not Spam" rule working :
> >>>
> >>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
> >>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org
> >>> ) is whitelisted
> >>>
> >>>
> >>> Regards
> >> Anything happening to the message _after_ MailScanner doesn't have
> >> any
> >> impact on your problem...
What happens before though... You have to
> >> make sure that your SA trust_path is OK, and all should be well. Why
> >> do you use the ClamSMTP thing at all?
> >>
> >> Cheers
> > Oh, sorry, not an sa issue... Still, the last client to handle this is
> > the clamsmtp thing, which might just be the problem.
> > Again, why do you use that? Theoretically MailScanner (through the
> > batching, and using either clamavmodule or clamd) should be more
> > efficient and less likely to be able to be DoS'd... That
> > "not-really-part-of-SMTP-flow insulation" is ... golden.
> >
> > Cheers
> > --
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
>
> One advantage of using ClamSMTP is the reject of the worm at the
> connection time.
> As we receive a lot of mail per day, it's not negligible.

No, but then neither is the resource drain;-).

> As MailScanner is using McAfee, we have two different AV to check the
> messages.

Prudent, but did you look at processing times etc for the "all MS" case? Sure, the real killer is likely SA, and the ClamSMTP thing will avoid that... I wonder if the clamav milter would be a "nicer" solution, avoiding your current problem...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Tue Feb 5 11:45:21 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Feb 5 11:45:48 2008
Subject: OT: RepuScore
Message-ID: <6039536.3061202211921496.JavaMail.root@office.splatnix.net>

Any of you stumbled across this http://isr.uncc.edu/RepuScore/ yet ? Looks pretty interesting.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From glenn.steen at gmail.com Tue Feb 5 12:04:04 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 12:04:15 2008
Subject: How to get certain things through
In-Reply-To:
References:
Message-ID: <223f97700802050404l3c5d71ebi4de1635d131f964a@mail.gmail.com>

On 05/02/2008, Edward Dekkers wrote:
> Example of rejected message I'm sending (relevant names/IPs changed)
>
> Our e-mail content detector has just been triggered by a message you sent:
> To:
> Subject: Try again
> Date: Tue Feb 5 19:22:40 2008
>
> One or more of the attachments (menu_content.js, warrantyresult.asp.htm,
> validate.js, support.js, utilities.js, Westan.zip, fw_menu.js) are on
> the list of unacceptable attachments for this site and will not have
> been delivered.
>
> Consider renaming the files to avoid this constraint.
>
> The virus detector said this about the message:
> Report: Report: MailScanner: JScript Scripts are dangerous in email (menu_content.js)
> Report: MailScanner: Attempt to hide real filename extension (warrantyresult.asp.htm)
> Report: MailScanner: JScript Scripts are dangerous in email (support.js)
> Report: MailScanner: JScript Scripts are dangerous in email (validate.js)
> Report: MailScanner: JScript Scripts are dangerous in email (utilities.js)
> Report: MailScanner: JScript Scripts are dangerous in email (fw_menu.js)
>
>
> --
> MailScanner
> Email Virus Scanner
>
>
>
> For all your IT requirements visit: http://www.transtec.co.uk
>
> I've added my recipient to the spam.whitelist.rules and whitelist.rules:
>
> FromOrTo: *@ yes
>
> The message attachment still gets quarantined.

Yes, of course. What would the SPAM whitelist have to do with
Dangerous Content scanning? Nothing, of course:-).
This is a rule in filename.rules.conf that triggers. To "whitelist"
that, look at this wiki page:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading
... To easily create a filename.whitelist.rules.conf, just copy the
existing file and change every deny (in the first column) to accept
... then apply that as described on the page;-)

> Is there any way to say like "listen up MailScanner - whenever I send to the
> following address, just shut the hell up and send it already, don't even
> bother looking at this message"

Yes, with a ruleset on the "Scan Messages" setting ...

> Reason I ask is that this is the second time something like this has
> happened, and when I send stuff OUT of my network, sometimes I need to send
> stuff like this.
>
> I'd already zipped the files too, but MailScanner is obviously too clever
> for that as well.
>

You can use the Archive Depth thing to control this. Has been covered
in the past. Look in the archives.

> Regards,
> Ed.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Tue Feb 5 12:45:14 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Feb 5 12:45:37 2008
Subject: How to get certain things through
In-Reply-To:
Message-ID: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com>

Edward

There's a 'big knob' at the top of MailScanner.conf called Scan Messages.

You can add ruleset here for the addresses you want NO scanning at all to
happen.....NB best to avoid FROM fred@domain.com as this is easily spoofed.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From pascal.maes at elec.ucl.ac.be Tue Feb 5 13:18:07 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Tue Feb 5 13:18:19 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
References: <47A304B8.30803@ecs.soton.ac.uk>
    <47A6FEAF.5050306@ecs.soton.ac.uk>
    <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
    <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
    <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
    <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
    <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
Message-ID: <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>

On 05 Feb 08, at 12:31, Glenn Steen wrote:

> On 05/02/2008, Pascal Maes wrote:
>>
>> On 05 Feb 08, at 09:45, Glenn Steen wrote:
>>
>>> On 05/02/2008, Glenn Steen wrote:
>>>> On 05/02/2008, Pascal Maes wrote:
>>> (snip)
>>>>> Then Postfix puts the message in the HOLD queue where MailScanner
>>>>> takes it and puts it back into the Postfix queue.
>>>>>
>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
>>>>> address otherwise why is the "Is Definitely Not Spam" rule working :
>>>>>
>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655 from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org) is whitelisted
>>>>>
>>>>>
>>>>> Regards
>>>> Anything happening to the message _after_ MailScanner doesn't have any
>>>> impact on your problem... What happens before though... You have to
>>>> make sure that your SA trust_path is OK, and all should be well. Why
>>>> do you use the ClamSMTP thing at all?
>>>>
>>>> Cheers
>>> Oh, sorry, not an sa issue... Still, the last client to handle this is
>>> the clamsmtp thing, which might just be the problem.
>>> Again, why do you use that? Theoretically MailScanner (through the
>>> batching, and using either clamavmodule or clamd) should be more
>>> efficient and less likely to be able to be DoS'd... That
>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>
>> One advantage of using ClamSMTP is the reject of the worm at the
>> connection time.
>> As we receive a lot of mail per day, it's not negligible.
>
> No, but then neither is the resource drain;-).
>
>> As MailScanner is using McAfee, we have two different AV to check the
>> messages.
>
> Prudent, but did you look at processing times etc for the "all MS" case?
> Sure, the real killer is likely SA, and the ClamSMTP thing will
> avoid that...
> I wonder if the clamav milter would be a "nicer" solution, avoiding
> your current problem...
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --

OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
what happens.
All the clientip are 127.0.0.1 :-(

Whitelisting is working because the check is done on the From address
and not on the client IP.
The blacklisting, in that case doesn't work because it's an IP address.

So, we can't use before-filter with Postfix and MailScanner and hope
that the white or black listing will work with IP addresses even if we
use the smtpd_authorized_xforward_hosts.

Is that right ?

If yes, what's the use of smtpd_authorized_xforward_hosts (to be
posted on the postfix list also) ?

--
Pascal

From glenn.steen at gmail.com Tue Feb 5 13:35:03 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 13:35:15 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
References: <47A6FEAF.5050306@ecs.soton.ac.uk>
    <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
    <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
    <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
    <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
    <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
    <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
Message-ID: <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>

On 05/02/2008, Pascal Maes wrote:
>
> On 05 Feb 08, at 12:31, Glenn Steen wrote:
>
> > On 05/02/2008, Pascal Maes wrote:
> >>
> >> On 05 Feb 08, at 09:45, Glenn Steen wrote:
> >>
> >>> On 05/02/2008, Glenn Steen wrote:
> >>>> On 05/02/2008, Pascal Maes wrote:
> >>> (snip)
> >>>>> Then Postfix puts the message in the HOLD queue where MailScanner
> >>>>> takes it and puts it back into the Postfix queue.
> >>>>>
> >>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> >>>>> address otherwise why is the "Is Definitely Not Spam" rule working :
> >>>>>
> >>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655 from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org) is whitelisted
> >>>>>
> >>>>>
> >>>>> Regards
> >>>> Anything happening to the message _after_ MailScanner doesn't have any
> >>>> impact on your problem... What happens before though... You have to
> >>>> make sure that your SA trust_path is OK, and all should be well. Why
> >>>> do you use the ClamSMTP thing at all?
> >>>>
> >>>> Cheers
> >>> Oh, sorry, not an sa issue... Still, the last client to handle this is
> >>> the clamsmtp thing, which might just be the problem.
> >>> Again, why do you use that? Theoretically MailScanner (through the
> >>> batching, and using either clamavmodule or clamd) should be more
> >>> efficient and less likely to be able to be DoS'd... That
> >>> "not-really-part-of-SMTP-flow insulation" is ... golden.
> >>>
> >>> Cheers
> >>> --
> >>> -- Glenn
> >>> email: glenn < dot > steen < at > gmail < dot > com
> >>> work: glenn < dot > steen < at > ap1 < dot > se
> >>
> >> One advantage of using ClamSMTP is the reject of the worm at the
> >> connection time.
> >> As we receive a lot of mail per day, it's not negligible.
> >
> > No, but then neither is the resource drain;-).
> >
> >> As MailScanner is using McAfee, we have two different AV to check the
> >> messages.
> >
> > Prudent, but did you look at processing times etc for the "all MS" case?
> > Sure, the real killer is likely SA, and the ClamSMTP thing will
> > avoid that...
> > I wonder if the clamav milter would be a "nicer" solution, avoiding
> > your current problem...
> >
> > Cheers
> > --
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
> > --
>
> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
> what happens.
> All the clientip are 127.0.0.1 :-(
>
> Whitelisting is working because the check is done on the From address
> and not on the client IP.
> The blacklisting, in that case doesn't work because it's an IP address.
>
> So, we can't use before-filter with Postfix and MailScanner and hope
> that the white or black listing will work with IP addresses even if we
> use the smtpd_authorized_xforward_hosts.
>
> Is that right ?

Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding"
loopback when determining the ip... Perhaps a bit like SA does it
(with the trust thing).

> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> posted on the postfix list also) ?

Good question. Perhaps one (Jules) could use that...:).
BTW, wear your asbestos underwear when telling the pf-list your
problem... they seriously dislike MS... still...:(.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Denis.Beauchemin at usherbrooke.ca Tue Feb 5 15:46:25 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue Feb 5 15:48:29 2008
Subject: SPAM in .DOC
Message-ID: <47A884D1.4010806@USherbrooke.ca>

Hello all,

How do you fight spam in .DOC files? We seem to be receiving more every
day and it slips through most of the time.

Is there some SA plugin that could be used?

Thanks!

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From MailScanner at ecs.soton.ac.uk Tue Feb 5 18:01:36 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Feb 5 18:02:01 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>
References: <47A6FEAF.5050306@ecs.soton.ac.uk>
    <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
    <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
    <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
    <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
    <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
    <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
    <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>
Message-ID: <47A8A480.3010706@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
> On 05/02/2008, Pascal Maes wrote:
>
>> On 05 Feb 08, at 12:31, Glenn Steen wrote:
>>
>>
>>> On 05/02/2008, Pascal Maes wrote:
>>>
>>>> On 05 Feb 08, at 09:45, Glenn Steen wrote:
>>>>
>>>>
>>>>> On 05/02/2008, Glenn Steen wrote:
>>>>>
>>>>>> On 05/02/2008, Pascal Maes wrote:
>>>>>>
>>>>> (snip)
>>>>>
>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner
>>>>>>> takes it and puts it back into the Postfix queue.
>>>>>>>
>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule working :
>>>>>>>
>>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655 from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org) is whitelisted
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>> Anything happening to the message _after_ MailScanner doesn't have any
>>>>>> impact on your problem... What happens before though... You have to
>>>>>> make sure that your SA trust_path is OK, and all should be well. Why
>>>>>> do you use the ClamSMTP thing at all?
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>> Oh, sorry, not an sa issue... Still, the last client to handle this is
>>>>> the clamsmtp thing, which might just be the problem.
>>>>> Again, why do you use that? Theoretically MailScanner (through the
>>>>> batching, and using either clamavmodule or clamd) should be more
>>>>> efficient and less likely to be able to be DoS'd... That
>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
>>>>>
>>>>> Cheers
>>>>> --
>>>>> -- Glenn
>>>>> email: glenn < dot > steen < at > gmail < dot > com
>>>>> work: glenn < dot > steen < at > ap1 < dot > se
>>>>>
>>>> One advantage of using ClamSMTP is the reject of the worm at the
>>>> connection time.
>>>> As we receive a lot of mail per day, it's not negligible.
>>>>
>>> No, but then neither is the resource drain;-).
>>>
>>>
>>>> As MailScanner is using McAfee, we have two different AV to check the
>>>> messages.
>>>>
>>> Prudent, but did you look at processing times etc for the "all MS" case?
>>> Sure, the real killer is likely SA, and the ClamSMTP thing will
>>> avoid that...
>>> I wonder if the clamav milter would be a "nicer" solution, avoiding
>>> your current problem...
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>> --
>>>
>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
>> what happens.
>> All the clientip are 127.0.0.1 :-(
>>
>> Whitelisting is working because the check is done on the From address
>> and not on the client IP.
>> The blacklisting, in that case doesn't work because it's an IP address.
>>
>> So, we can't use before-filter with Postfix and MailScanner and hope
>> that the white or black listing will work with IP addresses even if we
>> use the smtpd_authorized_xforward_hosts.
>>
>> Is that right ?
>>
>
> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding"
> loopback when determining the ip... Perhaps a bit like SA does it
> (with the trust thing).
>
I can't do that. MailScanner directly reads the IP address of the TCP/IP
connection source, it doesn't involve looking at the headers of the
message at all.
>
>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
>> posted on the postfix list also) ?
>>
> Good question. Perhaps one (Jules) could use that...:).
> BTW, wear your asbestos underwear when telling the pf-list your
> problem... they seriously dislike MS... still...:(.
>
Don't expect to get anything useful from the Postfix list about MailScanner.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: Use Thunderbird's Enigmail add-on to verify this message
Charset: ISO-8859-1

wj8DBQFHqKSBEfZZRxQVtlQRAtIBAKDAH66JUoxeiDrlsor/EyyXDTiRxQCgiYMT
tPDr+UYiud5jntzIQsY1x9k=
=wnfG
-----END PGP SIGNATURE-----

From Kevin_Miller at ci.juneau.ak.us Tue Feb 5 18:11:45 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Feb 5 18:11:07 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47A8A480.3010706@ecs.soton.ac.uk>
References: <47A6FEAF.5050306@ecs.soton.ac.uk>
    <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
    <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
    <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
    <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
    <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
    <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
    <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>
    <47A8A480.3010706@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:

> Don't expect to get anything useful from the Postfix list about
> MailScanner.

About as likely as Manchester United winning the Superbowl, eh?
;-)

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From gerard at seibercom.net Tue Feb 5 18:32:07 2008
From: gerard at seibercom.net (Gerard)
Date: Tue Feb 5 18:32:45 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
References: <47A304B8.30803@ecs.soton.ac.uk>
    <47A6FEAF.5050306@ecs.soton.ac.uk>
    <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
    <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
    <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
    <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
    <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
    <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
Message-ID: <20080205133207.60cad375@scorpio>

On Tue, 5 Feb 2008 14:18:07 +0100
Pascal Maes wrote:

[snip]

> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> posted on the postfix list also) ?

Guess I am going to have to keep up with the Postfix forum to see how
this turns out. Somehow I think it is going to be futile.

--
Gerard
gerard@seibercom.net

LOVE:
Love ties in a knot in the end of the rope.

From ka at pacific.net Tue Feb 5 19:46:31 2008
From: ka at pacific.net (Ken A)
Date: Tue Feb 5 19:46:43 2008
Subject: OT: RepuScore
In-Reply-To: <6039536.3061202211921496.JavaMail.root@office.splatnix.net>
References: <6039536.3061202211921496.JavaMail.root@office.splatnix.net>
Message-ID: <47A8BD17.4020600@pacific.net>

--[ UxBoD ]-- wrote:
> Any of you stumbled across this http://isr.uncc.edu/RepuScore/ yet ? Looks pretty interesting.
>
> Regards,
>

Hmmmm. They state that 35% of email is authenticated by DKIM, SenderID,
SPF or other means. I doubt that statistic, but overall it does look
promising.
http://www.usenix.org/events/lisa07/tech/full_papers/singaraju/singaraju_html/index.html

Ken

--
Ken Anderson
Pacific.Net

From rmcdona2 at uwo.ca Tue Feb 5 21:20:08 2008
From: rmcdona2 at uwo.ca (Robert McDonald)
Date: Tue Feb 5 21:20:18 2008
Subject: Restoring archived emails
Message-ID:

Hello All,

I am currently archiving mail to a directory using the Archive Mail option.
My question is how would I go about restoring these files? I can see the
files in the directory but they are not stored in the standard text email
format I am used to seeing.

Thanks in advance

From scud at etailengine.com Tue Feb 5 22:23:23 2008
From: scud at etailengine.com (Pete Scudamore)
Date: Tue Feb 5 22:30:21 2008
Subject: MailScanner install problem
References: <010d01c836de$eeed0710$f105010a@pc>
Message-ID:

The problem occurs during the rpmbuild process in the post-install phase
during the check-buildroot command. check-buildroot is designed to ensure
there are no references to the temporary installation directory in the rpm.
The way that variables are defined in the SPEC files has somehow changed in
the build process.

The solution is to run ./install.sh from the unpackaged MailScanner
directory. Let the install fail on the first build attempt. You can break
out of the script using ^C.

Edit the /root/.rpmmacros file
Add the following line to the end of the file:

%__arch_install_post %{nil}

This tells rpmbuild not to run check-buildroot. All of the perl modules will
now build into rpms normally. MailScanner will install correctly.

Cheers,
Scud

From glenn.steen at gmail.com Tue Feb 5 22:42:52 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 22:43:04 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47A8A480.3010706@ecs.soton.ac.uk>
References: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
    <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
    <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
    <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
    <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
    <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
    <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>
    <47A8A480.3010706@ecs.soton.ac.uk>
Message-ID: <223f97700802051442u7b337d95rb46238372102b332@mail.gmail.com>

On 05/02/2008, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Glenn Steen wrote:
> > On 05/02/2008, Pascal Maes wrote:
> >
> >> On 05 Feb 08, at 12:31, Glenn Steen wrote:
> >>
> >>
> >>> On 05/02/2008, Pascal Maes wrote:
> >>>
> >>>> On 05 Feb 08, at 09:45, Glenn Steen wrote:
> >>>>
> >>>>
> >>>>> On 05/02/2008, Glenn Steen wrote:
> >>>>>
> >>>>>> On 05/02/2008, Pascal Maes wrote:
> >>>>>>
> >>>>> (snip)
> >>>>>
> >>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner
> >>>>>>> takes it and puts it back into the Postfix queue.
> >>>>>>>
> >>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> >>>>>>> address otherwise why is the "Is Definitely Not Spam" rule working :
> >>>>>>>
> >>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655 from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org) is whitelisted
> >>>>>>>
> >>>>>>>
> >>>>>>> Regards
> >>>>>>>
> >>>>>> Anything happening to the message _after_ MailScanner doesn't have any
> >>>>>> impact on your problem... What happens before though... You have to
> >>>>>> make sure that your SA trust_path is OK, and all should be well. Why
> >>>>>> do you use the ClamSMTP thing at all?
> >>>>>>
> >>>>>> Cheers
> >>>>>>
> >>>>> Oh, sorry, not an sa issue... Still, the last client to handle this is
> >>>>> the clamsmtp thing, which might just be the problem.
> >>>>> Again, why do you use that? Theoretically MailScanner (through the
> >>>>> batching, and using either clamavmodule or clamd) should be more
> >>>>> efficient and less likely to be able to be DoS'd... That
> >>>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
> >>>>>
> >>>>> Cheers
> >>>>> --
> >>>>> -- Glenn
> >>>>> email: glenn < dot > steen < at > gmail < dot > com
> >>>>> work: glenn < dot > steen < at > ap1 < dot > se
> >>>>>
> >>>> One advantage of using ClamSMTP is the reject of the worm at the
> >>>> connection time.
> >>>> As we receive a lot of mail per day, it's not negligible.
> >>>>
> >>> No, but then neither is the resource drain;-).
> >>>
> >>>
> >>>> As MailScanner is using McAfee, we have two different AV to check the
> >>>> messages.
> >>>>
> >>> Prudent, but did you look at processing times etc for the "all MS" case?
> >>> Sure, the real killer is likely SA, and the ClamSMTP thing will
> >>> avoid that...
> >>> I wonder if the clamav milter would be a "nicer" solution, avoiding
> >>> your current problem...
> >>>
> >>> Cheers
> >>> --
> >>> -- Glenn
> >>> email: glenn < dot > steen < at > gmail < dot > com
> >>> work: glenn < dot > steen < at > ap1 < dot > se
> >>> --
> >>>
> >> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
> >> what happens.
> >> All the clientip are 127.0.0.1 :-(
> >>
> >> Whitelisting is working because the check is done on the From address
> >> and not on the client IP.
> >> The blacklisting, in that case doesn't work because it's an IP address.
> >>
> >> So, we can't use before-filter with Postfix and MailScanner and hope
> >> that the white or black listing will work with IP addresses even if we
> >> use the smtpd_authorized_xforward_hosts.
> >>
> >> Is that right ?
> >>
> >
> > Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding"
> > loopback when determining the ip... Perhaps a bit like SA does it
> > (with the trust thing).
> >
> I can't do that. MailScanner directly reads the IP address of the TCP/IP
> connection source, it doesn't involve looking at the headers of the
> message at all.

True. Bummer. That completely defeats any such "smtp base pre-filters"
to work (any MTA) in conjunction with IP-based rulesets. Really bad,
that... since using the email to/from address for WL is so...
spoofable...:(.
Oh well, Pascal will have to look at the milter route then... Or let
MS do all AV...

> >
> >> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> >> posted on the postfix list also) ?
> >>
> > Good question. Perhaps one (Jules) could use that...:).
> > BTW, wear your asbestos underwear when telling the pf-list your
> > problem... they seriously dislike MS... still...:(.
> >
> Don't expect to get anything useful from the Postfix list about MailScanner.

Hehe, we know what they'll say:-). And what other product they'll tote...:/.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Feb 5 22:45:06 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 22:45:23 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To:
References: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be>
    <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
    <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
    <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
    <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
    <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
    <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>
    <47A8A480.3010706@ecs.soton.ac.uk>
Message-ID: <223f97700802051445m599e3e64uec8ec407d4cfcbe0@mail.gmail.com>

On 05/02/2008, Kevin Miller wrote:
> Julian Field wrote:
>
> > Don't expect to get anything useful from the Postfix list about
> > MailScanner.
>
> About as likely as Manchester United winning the Superbowl, eh?
> ;-)
>
Probably much less likely than that...:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Feb 5 22:55:02 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 5 22:55:12 2008
Subject: Restoring archived emails
In-Reply-To:
References:
Message-ID: <223f97700802051455o5f8a776agb2a60009d9449891@mail.gmail.com>

On 05/02/2008, Robert McDonald wrote:
> Hello All,
>
> I am currently archiving mail to a directory using the Archive Mail option.
> My question is how would I go about restoring these files? I can see the
> files in the directory but they are not stored in the standard text email
> format I am used to seeing.
>
> Thanks in advance

Look at the instructions to release from quarantine specific for your
MTA (example: look at postfix->howto->release_form_quarantine ... or
somesuch):
http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:mta
.... provided your archived mail files are the actual queue files
(they could be other things as well.... like mbox files...).
If you use Postfix, you can use the postcat command to look at the
content of the queue file.
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From edward at tdcs.com.au Tue Feb 5 23:39:19 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Tue Feb 5 23:40:09 2008 Subject: How to get certain things through In-Reply-To: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> Message-ID: > Edward > > There's a 'big knob' at the top of MailScanner.conf called Scan > Messages. > > You can add ruleset here for the addresses you want NO scanning at all > to happen.....NB best to avoid FROM fred@domain.com as this is easily > spoofed. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 Well, not quite at the top of my file, but a search found it. I changed it from: Scan Messages = yes To Scan Messages = %rules-dir%/scan.messages.rules And copied my spam.whitelist.rules to scan.messages.rules My spam.whitelist.rules only had a couple of domains in it in the form: FromOrTo: *@ yes So I'm assuming the syntax is the same. I've restarted MailScanner and I'm crossing my fingers. Thanks for your help. (And Glenn too). Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From edward at tdcs.com.au Wed Feb 6 00:23:22 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Wed Feb 6 00:24:14 2008 Subject: How to get certain things through In-Reply-To: References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> Message-ID: > Well, not quite at the top of my file, but a search found it. > > I changed it from: > > Scan Messages = yes > To > Scan Messages = %rules-dir%/scan.messages.rules > > And copied my spam.whitelist.rules to scan.messages.rules > > My spam.whitelist.rules only had a couple of domains in it in the form: > > FromOrTo: *@ yes > > So I'm assuming the syntax is the same. 
> > I've restarted MailScanner and I'm crossing my fingers. > > Thanks for your help. (And Glenn too). > > Regards, > Ed. Sorry to continue on with this thread guys, but the attachments are still getting stripped. I've added my e-mail domain to the scan.messages.rules in the form: FromOrTo: *@ yes I've checked the permissions on the .rules files and even tried 0777 just to allow everything to read it. But to no avail (yes, I did remember to restart MailScanner too). It is either ignoring this file or something else funky is going on. In summary - I can't send a mail with an unacceptable (to MailScanner) attachment, even when I specifically allow it in my scan.messages.rules. Any way I can debug this further? Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Wed Feb 6 05:00:02 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Feb 6 05:00:37 2008 Subject: How to get certain things through In-Reply-To: References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> Message-ID: <47A93ED2.10904@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Edward Dekkers wrote: |> Well, not quite at the top of my file, but a search found it. |> |> I changed it from: |> |> Scan Messages = yes |> To |> Scan Messages = %rules-dir%/scan.messages.rules |> |> And copied my spam.whitelist.rules to scan.messages.rules |> |> My spam.whitelist.rules only had a couple of domains in it in the form: |> |> FromOrTo: *@ yes |> |> So I'm assuming the syntax is the same. |> |> I've restarted MailScanner and I'm crossing my fingers. |> |> Thanks for your help. (And Glenn too). |> |> Regards, |> Ed. | | Sorry to continue on with this thread guys, but the attachments are still | getting stripped. 
I've added my e-mail domain to the scan.messages.rules in | the form: | | FromOrTo: *@ yes | | I've checked the permissions on the .rules files and even tried 0777 just to | allow everything to read it. But to no avail (yes, I did remember to restart | MailScanner too). | | It is either ignoring this file or something else funky is going on. | | In summary - I can't send a mail with an unacceptable (to MailScanner) | attachment, even when I specifically allow it in my scan.messages.rules. What is your file attachment config? My default rules do not allow proprietary document formats to pass and for those relatives that want to pass them along I use another (more loosely) set of rules. #H#Filename Rules = %etc-dir%/filename.rules.conf Filename Rules = %rules-dir%/filenames.rules Then take it from there to make your rules set more or less strict per user/domain/..... Do not forget to do this for your filetypes also! Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHqT7QBvzDRVjxmYERAsRAAJ99A2t40WVjCZtKGFb6bRXMQpyJiQCgm7FW coAhTHPvWcVDl8aWSiVm/UQ= =6rmH -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Wed Feb 6 05:06:32 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Feb 6 05:07:00 2008 Subject: OT: RepuScore In-Reply-To: <47A8BD17.4020600@pacific.net> References: <6039536.3061202211921496.JavaMail.root@office.splatnix.net> <47A8BD17.4020600@pacific.net> Message-ID: <47A94058.6020505@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ken A wrote: | --[ UxBoD ]-- wrote: |> Any of you stumbled across this http://isr.uncc.edu/RepuScore/ yet ? |> Looks pretty interesting. |> |> Regards, |> | | Hmmmm. 
They state that 35% of email is authenticated by DKIM, SenderID, | SPF or other means. I doubt that statistic, but overall it does look | promising. | http://www.usenix.org/events/lisa07/tech/full_papers/singaraju/singaraju_html/index.html It is 35% of all authenticated email. That is quite a distinction. I use SPF for the family domain and add GPG myself to my email as a bonus. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHqUBWBvzDRVjxmYERAlMVAJsEtwHTe7i9Djk8qYNzU4NcuW9NKwCgphrW DcM+RnMwNdpj+GfMznIZUPA= =msuf -----END PGP SIGNATURE----- From edward at tdcs.com.au Wed Feb 6 05:46:45 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Wed Feb 6 05:47:35 2008 Subject: How to get certain things through In-Reply-To: <47A93ED2.10904@vanderkooij.org> References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> <47A93ED2.10904@vanderkooij.org> Message-ID: > What is your file attachment config? My default rules do not allow > proprietary document formats to pass and for those relatives that want > to pass them along I use another (more loosely) set of rules. > > #H#Filename Rules = %etc-dir%/filename.rules.conf > Filename Rules = %rules-dir%/filenames.rules > > Then take it from there to make your rules set more or less strict per > user/domain/..... > > Do not forget to do this for your filetypes also! > > Hugo. This is where it gets confusing. There does not appear to be a global "Ignore scanning from my local network outbound" kind of thing and if there is, I cannot get it to work. I've found the filename.rules.conf and the filetype.rules.conf (in the %etc-dir%) which seem to be responsible for killing off my attachment. 
I've modified the MailScanner.conf to have: Allow Filenames = %rules-dir%/allow.filenames.rules Allow Filetypes = %rules-dir%/allow.filetypes.rules I ASSUME these are the sorts of files you are talking about. Well, I've added my details to both the above mentioned files (which I touched to create) From: 192.168.0. yes From: yes It's still killing off (in this case) EXE files. Surely I'm just stupid and this IS possible? When I run updatedb and then locate MailScanner.conf I only seem to have one copy of this, so it IS looking at it, just not reacting to some of the options. Or is it? Am I screwing up somewhere else? Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Wed Feb 6 06:21:57 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Feb 6 06:22:36 2008 Subject: How to get certain things through In-Reply-To: References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> <47A93ED2.10904@vanderkooij.org> Message-ID: <47A95205.6030907@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Edward Dekkers wrote: |> What is your file attachment config? My default rules do not allow |> proprietary document formats to pass and for those relatives that want |> to pass them along I use another (more loosely) set of rules. |> |> #H#Filename Rules = %etc-dir%/filename.rules.conf |> Filename Rules = %rules-dir%/filenames.rules |> |> Then take it from there to make your rules set more or less strict per |> user/domain/..... |> |> Do not forget to do this for your filetypes also! | | This is where it gets confusing. | | There does not appear to be a global "Ignore scanning from my local network | outbound" kind of thing and if there is, I cannot get it to work. | | I've found the filename.rules.conf and the filetype.rules.conf (in the | %etc-dir%) which seem to be responsible for killing off my attachment. 
|
| I've modified the MailScanner.conf to have:
|
| Allow Filenames = %rules-dir%/allow.filenames.rules
| Allow Filetypes = %rules-dir%/allow.filetypes.rules

Leave these lines empty as they were! Or use them properly.

| I ASSUME these are the sorts of files you are talking about.

No. Most definitely not.

| Well, I've added my details to both the above mentioned files (which I
| touched to create)
|
| From: 192.168.0. yes
| From: yes

So you now allowed the file extension yes and the filetype yes in there.
I have never seen that extension in use. But perhaps they have their
uses in your case.

If you use a rule file instead of a rule in the config file your
rulefile must follow the conventions for the rule in the original
config file.

So let's do this again. Shall we?

In %etc-dir%/MailScanner.conf:

# Do not use these!!!
Allow Filenames =
Deny Filenames =
Allow Filetypes =
Deny Filetypes =
# But use these
Filename Rules = %rules-dir%/filenames.rules
Filetype Rules = %rules-dir%/filetypes.rules

Then in %rules-dir%/filenames.rules
Describe which filename config file to use for each user:

FromOrTo: harry@... %etc-dir%/filename-loose.rules.conf
FromOrTo: hugo@... %etc-dir%/filename-strict.rules.conf
....

Then copy filename.rules.conf to filename-loose.rules.conf and remove
whatever you do not want to be stopped by MailScanner.

And the strict file can get added whatever you do not wish to pass.

The filetype thing works in a similar fashion to the filename rules. Do
not forget to work out both of them to make it work.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHqVICBvzDRVjxmYERAp5lAKCh5w+aObG/22nRxGgZsWtd+7ynpwCdGmo1 U5ZM4jlkebHsZCYnDenAEYU= =S+iN -----END PGP SIGNATURE----- From edward at tdcs.com.au Wed Feb 6 07:02:25 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Wed Feb 6 07:03:11 2008 Subject: How to get certain things through In-Reply-To: <47A95205.6030907@vanderkooij.org> References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> <47A93ED2.10904@vanderkooij.org> <47A95205.6030907@vanderkooij.org> Message-ID: > So let's d this again. Shall we? I think that's a great idea. > > In %etc-dir%/MailScanner.conf: > > # Do not use these!!! > Allow Filenames = > Deny Filenames = > Allow Filetypes = > Deny Filetypes = > # But use these > Filename Rules = %rules-dir%/filenames.rules > Filetype Rules = %rules-dir%/filetypes.rules > > Then in %rules-dir%/filenames.rules > Describe which filename config file to use for each user: > > FromOrTo: harry@... %etc-dir%/filename-loose.rules.conf > FromOrTo: hugo@... %etc-dir%/filename- > strict.rules.conf > .... > > Then copy filename.rules.conf to filename-loose.rules.conf and remove > whatever you do not want to be stopped by MailScanner. > > And the strict file can get added whatever you do not wish to pass. > > The filetype thing works in a similar fashion to the filename rules. Do > not forget to work out both of them to make it work. > > Hugo. Hartstikke Bedankt Hugo. After sending my last e-mail I finally found some examples on the internet that went deeper into the file rules, so I was sort of heading there, but you got me over the line. I HAD confused the "Allow Filename" and "Allow Filetype" with the "Filename Rules" and "Filetype Rules" statements in the MailScanner.conf so without you I'd still be struggling. I now also understand the difference between a .conf and a .rules file. Appreciate it. All test messages from my account with EXE attachments now working. 
Any other content like jscript files are still being blocked (I left them in my loose rules file). So, all done - thank Hugo De Groeten, Ed -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alexbo at myself.com Wed Feb 6 08:39:27 2008 From: alexbo at myself.com (alexbo@myself.com) Date: Wed Feb 6 08:39:38 2008 Subject: internal ip address Message-ID: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> Hi there, my Linux server has MailScanner v4.65.3 with postfix v2.1.5 When, for example, I send a message from a pc whose internal ip address is 10.0.0.175 taking a look in the headers of outgoing mail I've seen the last header just before Message-ID to appear like that Received: from [10.0.0.175] (pc1 [10.0.0.175]) by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) Why the ip address of the sender is shown (twice) in square brackets ? My task is avoiding the outer world to know the internal ip of the sender... so googling on the internet I seen a similar case on www.securityfocus.com/archive/91/421789/30/ using "Remove These Headers" rule but after doing those modifications I've noticed that all outgoing mail is marked to be received from "Unknown". Many other searches on the net returned no results at all, so I will know if somebody could help this poor man how to hide internal ip address ot the sender avoiding last issue. -- Thank you, Alex -- Want an e-mail address like mine? Get a free e-mail account today at www.mail.com! 
From twiztar at gmail.com Wed Feb 6 10:12:12 2008 From: twiztar at gmail.com (Erik Weber) Date: Wed Feb 6 10:12:35 2008 Subject: Google maps blocked as .ico Message-ID: <47A987FC.3060500@gmail.com> I tried to send an (html) email with the following tag: and it gets blocked with the following message: Feb 4 09:34:10 mr1 MailScanner[10893]: Filename Checks: Windows icon file security vulnerability (EC92781E7A.38B97 mapdata?cc=no&Point=b&Point.latitude_e6=52536486&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185) Feb 4 09:34:10 mr1 MailScanner[10893]: Saved infected "mapdata%%3Fcc=no%%26.ico" to /var/spool/MailScanner/quarantine/20080204/EC92781E7A.38B97 The only reference to .ico files I have is this in filename.rules.conf: deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows Version information: This is Red Hat Enterprise Linux ES release 4 (Nahant Update 4) This is Perl version 5.008005 (5.8.5) 2.73 File::Basename 1.35 HTML::Entities 3.54 HTML::Parser 2.37 HTML::TokeParser 1.21 IO 1.10 IO::File 1.71 Mail::Header 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools I've only taken the packages I believe is relevant, if anything is missing or unclear please let me know. Any tips, solutions, advices on how to solve this is highly appreciated. -- Erik Weber From telecaadmin at gmail.com Wed Feb 6 10:16:44 2008 From: telecaadmin at gmail.com (Ronny T. 
Lampert) Date: Wed Feb 6 10:17:14 2008 Subject: How to get certain things through In-Reply-To: References: <35612ce66aa41f44b17ddeaa7561b680@solidstatelogic.com> Message-ID: <47A9890C.2030108@gmail.com> > Scan Messages = yes > To > Scan Messages = %rules-dir%/scan.messages.rules > > And copied my spam.whitelist.rules to scan.messages.rules > > My spam.whitelist.rules only had a couple of domains in it in the form: > > FromOrTo: *@ yes The scan.messages.rules is the opposite - if you want messages From: to be whitelisted (ie not scanned at all), you have to write "no" there. Example: From: main.internal.server no (no = do NOT scan!) BR, Ronny From glenn.steen at gmail.com Wed Feb 6 10:54:41 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 6 10:54:56 2008 Subject: internal ip address In-Reply-To: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> Message-ID: <223f97700802060254k7ff2dd5bq4bb8a4cb93be8071@mail.gmail.com> On 06/02/2008, alexbo@myself.com wrote: > Hi there, > my Linux server has MailScanner v4.65.3 with postfix v2.1.5 > When, for example, I send a message from a pc whose internal ip address is 10.0.0.175 taking a look in the headers of outgoing mail I've seen the last header just before Message-ID to appear like that > > Received: from [10.0.0.175] (pc1 [10.0.0.175]) > by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 > for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) > > Why the ip address of the sender is shown (twice) in square brackets ? > > My task is avoiding the outer world to know the internal ip of the sender... so googling on the internet I seen a similar case on > > www.securityfocus.com/archive/91/421789/30/ > > using "Remove These Headers" rule but after doing those modifications I've noticed that all outgoing mail is marked to be received from "Unknown". 
> Many other searches on the net returned no results at all, so I will know if somebody could help this poor man how to hide internal ip address of the sender avoiding last issue. > > -- > Thank you, > Alex > Actually what you intend to do is in direct violation of the RFCs governing SMTP and e-mail. The "gained security" is minor and the information leak as such is negligible. The "rules broken" are of the MUST category, so the strongest there is in the standards. Be that as it may, this is actually not a MailScanner problem, it starts and ends at your MTA. When you try to use the Remove These Headers feature of MailScanner to remove the "offending" Received: line, you likely end up without any valid Received line at all. I'd suggest you rethink your strategy, or at least let Postfix handle this (IIRC there are numerous examples on the net on how to do this... google (and www.postfix.org:-) is your friend here;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Feb 6 11:00:56 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 6 11:01:06 2008 Subject: Google maps blocked as .ico In-Reply-To: <47A987FC.3060500@gmail.com> References: <47A987FC.3060500@gmail.com> Message-ID: <223f97700802060300j5394c14ah7efb96bc13b8466f@mail.gmail.com> On 06/02/2008, Erik Weber wrote: > I tried to send an (html) email with the following tag: > > src="http://mt.google.com/mapdata?cc=no&Point=b&Point.latitude_e6=52536486&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185" > > > > and it gets blocked with the following message: > Feb 4 09:34:10 mr1 MailScanner[10893]: Filename Checks: Windows icon > file security vulnerability (EC92781E7A.38B97 > mapdata?cc=no&Point=b&Point.latitude_e6=52536486&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185) > Feb 4 09:34:10 mr1 MailScanner[10893]: Saved infected > "mapdata%%3Fcc=no%%26.ico" to > 
/var/spool/MailScanner/quarantine/20080204/EC92781E7A.38B97 > > The only reference to .ico files I have is this in filename.rules.conf: > deny \.ico$ Windows icon file security > vulnerability Possible buffer > overflow in Windows > > Version information: > This is Red Hat Enterprise Linux ES release 4 (Nahant Update 4) > This is Perl version 5.008005 (5.8.5) > 2.73 File::Basename > 1.35 HTML::Entities > 3.54 HTML::Parser > 2.37 HTML::TokeParser > 1.21 IO > 1.10 IO::File > 1.71 Mail::Header > 3.05 MIME::Base64 > 5.420 MIME::Decoder > 5.420 MIME::Decoder::UU > 5.420 MIME::Head > 5.420 MIME::Parser > 3.03 MIME::QuotedPrint > 5.420 MIME::Tools > > I've only taken the packages I believe is relevant, if anything is > missing or unclear please let me know. > Any tips, solutions, advices on how to solve this is highly appreciated. > If you want to pass attachments that are windoze icon files (or at least have that file name ending), then why don't you edit your copy of filename.rules.conf and allow that? Or is your gripe that this shouldn't have been treated as a file attachment in the first place? If so, provide a copy (preferably the message file from your quarantine) of the offending message... 
Put it on pastebin or somesuch...:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From twiztar at gmail.com Wed Feb 6 11:15:21 2008 From: twiztar at gmail.com (Erik Weber) Date: Wed Feb 6 11:15:38 2008 Subject: Google maps blocked as .ico In-Reply-To: <223f97700802060300j5394c14ah7efb96bc13b8466f@mail.gmail.com> References: <47A987FC.3060500@gmail.com> <223f97700802060300j5394c14ah7efb96bc13b8466f@mail.gmail.com> Message-ID: <47A996C9.6070504@gmail.com> Glenn Steen wrote: > On 06/02/2008, Erik Weber wrote: > >> I tried to send an (html) email with the following tag: >> >> > src="http://mt.google.com/mapdata?cc=no&Point=b&Point.latitude_e6=52536486&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185" >> > >> >> > If you want to pass attachments that are windoze icon files (or at > least have that file name ending), then why don't you edit your copy > of filename.rules.conf and allow that? > Or is your gripe that this shouldn't have been treated as a file > attachment in the first place? If so, provide a copy (preferably the > message file from your quarantine) of the offending message... Put it > on pastebin or somesuch...:) > > > It's not an attachment and it doesn't have an .ico ending, actually it doesn't have an ending at all. http://rafb.net/p/VvXN4O76.html is the relevant portion of the mail. -- Erik Weber From uxbod at splatnix.net Wed Feb 6 11:20:00 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 6 11:20:25 2008 Subject: Google maps blocked as .ico In-Reply-To: <47A996C9.6070504@gmail.com> Message-ID: <14368770.4171202296800192.JavaMail.root@office.splatnix.net> Its something wrong with the regex parsing as it is picking out .ico from Point.iconid=15 in the URL. 
Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Wed Feb 6 11:34:41 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 6 11:35:02 2008 Subject: Google maps blocked as .ico In-Reply-To: <14368770.4171202296800192.JavaMail.root@office.splatnix.net> Message-ID: <29597293.4351202297681623.JavaMail.root@office.splatnix.net> Hmmm. Thinking about this little problem. Could you post the whole message on that paste site, obviously sanitize it first for the email addresses. Would be good to see the MIME headers, as I wonder if it is being treated as a inline image. What email client was used to send it ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "--[ UxBoD ]--" wrote: > Its something wrong with the regex parsing as it is picking out .ico > from Point.iconid=15 in the URL. > > Regards, -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
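The two-level lookup Hugo describes earlier in this archive (a "Filename Rules" ruleset that picks a .conf file per sender or recipient) and the `deny \.ico$` rule from the Google maps thread can be modelled in a few lines. This is an added example, not MailScanner's own code and not from any poster: the addresses, the .exe and .js rules, and the first-match, case-insensitive, allow-when-nothing-matches behaviour are assumptions of the model, while the two candidate names are copied from the log lines quoted in the thread.

```python
"""Simplified model of MailScanner-style filename checking (added example).

Level 1: a ruleset picks a .conf file per message (first matching line wins).
Level 2: that .conf file's allow/deny regexes are tried in order on each name.
"""
import re
from fnmatch import fnmatchcase

# Constructed ruleset in the layout of %rules-dir%/filenames.rules.
FILENAMES_RULES = """\
# direction  pattern            value
FromOrTo:    harry@example.com  filename-loose.rules.conf
From:        192.168.0.         filename-loose.rules.conf
FromOrTo:    default            filename-strict.rules.conf
"""

# Tab-separated .conf lines: action, regex, log text, user report text.
# The .ico line is the one quoted in the thread; the other two are constructed.
STRICT_CONF = (
    "deny\t\\.ico$\tWindows icon file security vulnerability\t"
    "Possible buffer overflow in Windows\n"
    "deny\t\\.exe$\tExecutable (constructed rule)\tExecutables are blocked\n"
    "deny\t\\.jse?$\tJScript (constructed rule)\tScripts are blocked\n"
)
# "Copy filename.rules.conf to filename-loose.rules.conf and remove whatever
# you do not want to be stopped": here only the .exe line is dropped.
LOOSE_CONF = "".join(
    line for line in STRICT_CONF.splitlines(keepends=True) if "\\.exe$" not in line
)
CONF_FILES = {
    "filename-strict.rules.conf": STRICT_CONF,
    "filename-loose.rules.conf": LOOSE_CONF,
}

# Both names are copied from the log lines quoted in the thread.
RAW_URL_NAME = ("mapdata?cc=no&Point=b&Point.latitude_e6=52536486"
                "&Point.longitude_e6=13473255&Point.iconid=15&Point=e&zl=3&w=270&h=185")
LOGGED_NAME = "mapdata%%3Fcc=no%%26.ico"


def parse_ruleset(text):
    """Return (direction, pattern, value) tuples, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern, value))
    return rules


def _matches(pattern, addresses, client_ip):
    if pattern == "default":
        return True
    if re.fullmatch(r"[0-9.]+", pattern):  # IP or IP prefix such as "192.168.0."
        return client_ip is not None and client_ip.startswith(pattern)
    return any(fnmatchcase(a.lower(), pattern.lower()) for a in addresses)


def select_conf(rules, sender, recipients, client_ip):
    """Value of the first ruleset line that matches this message, else None."""
    for direction, pattern, value in rules:
        addresses = {"from": [sender], "to": list(recipients),
                     "fromorto": [sender, *recipients]}[direction]
        ip = None if direction == "to" else client_ip  # the IP is the sending side
        if _matches(pattern, addresses, ip):
            return value
    return None


def parse_conf(text):
    """Return (action, compiled regex, log text) tuples from a .conf body."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, regex, log_text = line.split("\t")[:3]
        rules.append((action.lower(), re.compile(regex, re.IGNORECASE), log_text))
    return rules


def check_filename(conf_rules, name):
    """First matching rule decides; a name that matches nothing is allowed."""
    for action, regex, log_text in conf_rules:
        if regex.search(name):
            return action, log_text
    return "allow", ""


def verdict(sender, recipients, client_ip, name):
    conf = select_conf(parse_ruleset(FILENAMES_RULES), sender, recipients, client_ip)
    return check_filename(parse_conf(CONF_FILES[conf]), name)


if __name__ == "__main__":
    for ip in ("192.168.0.17", "203.0.113.9"):
        print(ip, verdict("ed@example.net", ["c@elsewhere.test"], ip, "setup.exe"))
    for name in (RAW_URL_NAME, LOGGED_NAME):
        print(check_filename(parse_conf(STRICT_CONF), name), name[:30])
```

Run against the strict rules, the raw URL tail is allowed because `\.ico$` is anchored to the end of the name, while the name MailScanner logged as saved to quarantine is denied, so the thing to inspect is how that attachment name was derived from the message.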
From Denis.Beauchemin at usherbrooke.ca Wed Feb 6 13:30:30 2008 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Wed Feb 6 13:31:58 2008 Subject: internal ip address In-Reply-To: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> Message-ID: <47A9B676.1010705@USherbrooke.ca> alexbo@myself.com wrote: > Hi there, > my Linux server has MailScanner v4.65.3 with postfix v2.1.5 > When, for example, I send a message from a pc whose internal ip address is 10.0.0.175 taking a look in the headers of outgoing mail I've seen the last header just before Message-ID to appear like that > > Received: from [10.0.0.175] (pc1 [10.0.0.175]) > by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 > for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) > > Why the ip address of the sender is shown (twice) in square brackets ? > > My task is avoiding the outer world to know the internal ip of the sender... Alex, The IP addresses you use are non-routable. That means nobody can access your computers from the internet because no router will allow them. So don't worry about the whole world knowing about your internal IP addresses. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From alexbo at myself.com Wed Feb 6 13:52:28 2008 From: alexbo at myself.com (alexbo@myself.com) Date: Wed Feb 6 13:52:38 2008 Subject: internal ip address Message-ID: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com> Thank you Denis for your reply. I realize what you wrote, but it appears to me that exposing internal ip addresses may lead anyone to know what is my internal network structure: the problem I am talking about is regarding an enterprise network, where various clients are involved in sending mail to the outer world. Is there a way to hide those internal ip addresses ? 
Regards, Alex > ----- Original Message ----- > From: "Denis Beauchemin" > To: "MailScanner discussion" > Subject: Re: internal ip address > Date: Wed, 06 Feb 2008 08:30:30 -0500 > > > alexbo@myself.com wrote: > > Hi there, > > my Linux server has MailScanner v4.65.3 with postfix v2.1.5 > > When, for example, I send a message from a pc whose internal ip > > address is 10.0.0.175 taking a look in the headers of outgoing > > mail I've seen the last header just before Message-ID to appear > > like that > > > > Received: from [10.0.0.175] (pc1 [10.0.0.175]) > > by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 > > for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) > > > > Why the ip address of the sender is shown (twice) in square brackets ? > > > > My task is avoiding the outer world to know the internal ip of the sender... > > Alex, > > The IP addresses you use are non-routable. That means nobody can > access your computers from the internet because no router will > allow them. So don't worry about the whole world knowing about > your internal IP addresses. > > Denis > > -- _ > °v° Denis Beauchemin, analyste > /(_)\ Université de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Want an e-mail address like mine? Get a free e-mail account today at www.mail.com! From alexbo at myself.com Wed Feb 6 14:02:33 2008 From: alexbo at myself.com (alexbo@myself.com) Date: Wed Feb 6 14:02:42 2008 Subject: internal ip address Message-ID: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com> I supposed what you wrote; is there at least a way to replace ip address (the one between square brackets) with my mail server public ip ? 
I asked for help in this list since seems to me that Postfix is tricked by MailScanner, i.e. header_checks is used with "hold" policy so other remedies can't apply. Forgive me if these are trivial tasks but I'm not an Administrator (with the capital A), so if there are clues for my issue I'd humbly ask for let me know them. -- Regards, Alex > ----- Original Message ----- > From: "Glenn Steen" > To: "MailScanner discussion" > Subject: Re: internal ip address > Date: Wed, 6 Feb 2008 11:54:41 +0100 > > > On 06/02/2008, alexbo@myself.com wrote: > > Hi there, > > my Linux server has MailScanner v4.65.3 with postfix v2.1.5 > > When, for example, I send a message from a pc whose internal ip > > address is 10.0.0.175 taking a look in the headers of outgoing > > mail I've seen the last header just before Message-ID to appear > > like that > > > > Received: from [10.0.0.175] (pc1 [10.0.0.175]) > > by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 > > for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET) > > > > Why the ip address of the sender is shown (twice) in square brackets ? > > > > My task is avoiding the outer world to know the internal ip of > > the sender... so googling on the internet I seen a similar case on > > > > www.securityfocus.com/archive/91/421789/30/ > > > > using "Remove These Headers" rule but after doing those > > modifications I've noticed that all outgoing mail is marked to be > > received from "Unknown". > > Many other searches on the net returned no results at all, so I > > will know if somebody could help this poor man how to hide > > internal ip address ot the sender avoiding last issue. > > > > -- > > Thank you, > > Alex > > > Actually what you intend to do is in direct violation of the RFCs > governing SMTP and e-mail. The "gained security" is minor and the > information leak as such is negligible. The "rules broken" are of the > MUST category, so the strongest there is in the standards. 
> > Be that as it may, this is actually not a MailScanner problem, it > starts and ends at your MTA. > When you try use the Remove These Headers feature of MailScanner to > remove the "offending" Received: line, you likey end up without any > valid Received line at all. > > I'd suggest you rethink your strategy, or at least let Postfix handle > this (IIRC there are numerous examples on the net on how to do this... > google (and www.postfix.org:-) is your friend here;-). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Want an e-mail address like mine? Get a free e-mail account today at www.mail.com! From uxbod at splatnix.net Wed Feb 6 14:04:43 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 6 14:05:10 2008 Subject: internal ip address In-Reply-To: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com> Message-ID: <8652792.5011202306683195.JavaMail.root@office.splatnix.net> why does it matter? most enterprise networks use a private range anyway, and therefore non-routable from the outside. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- alexbo@myself.com wrote: > Thank you Denis for your reply. > I realize what you wrote, but it appears to me that exposing internal > ip addresses may lead anyone to know what is my internal network > structure: > the problem I am talking about is regarding an enterprise network, > where various clients are involved in sending mail to the outer > world. 
> Is there a way to hide those internal ip addresses ?
> Regards,
> Alex

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Wed Feb 6 16:13:30 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Feb 6 16:13:40 2008
Subject: internal ip address
In-Reply-To: <8652792.5011202306683195.JavaMail.root@office.splatnix.net>
References: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com> <8652792.5011202306683195.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com>

On 06/02/2008, --[ UxBoD ]-- wrote:
> why does it matter? most enterprise networks use a private range anyway, and therefore non-routable from the outside.
>
> Regards,

I think the reasoning is that "vital" topological info will "leak"... The value of such info is very limited, as a means for an attack, so one really has to try balance the "value" gained with the value lost (in breaking traceability... the thing that make Received lines sacrosanct).

> ----- alexbo@myself.com wrote:
>
> > Thank you Denis for your reply.
> > I realize what you wrote, but it appears to me that exposing internal
> > ip addresses may lead anyone to know what is my internal network
> > structure:
> > the problem I am talking about is regarding an enterprise network,
> > where various clients are involved in sending mail to the outer
> > world.
> > Is there a way to hide those internal ip addresses ?
> > Regards,
> > Alex

ISTR this being discussed in the past, do a list search, it might turn up the info you need (Was it Hugo who did this...?)...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Wed Feb 6 16:29:30 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Feb 6 16:29:47 2008
Subject: internal ip address
In-Reply-To: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com>
References: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com>
Message-ID:

on 2/6/2008 6:02 AM alexbo@myself.com spake the following:
> I supposed what you wrote; is there at least a way to replace ip address (the one between square brackets) with my mail server public ip ?
> I asked for help in this list since seems to me that Postfix is tricked by MailScanner, i.e. header_checks is used with "hold" policy so other remedies can't apply.
> Forgive me if these are trivial tasks but I'm not an Administrator (with the capital A), so if there are clues for my issue I'd humbly ask for let me know them.
> --

You keep trying to remove something that;
1) Has no real value to anyone in the outside world
2) Will probably break your messages.

If the anonymity is that important, you can try webmail running on the mail server. Then all the headers should have localhost.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080206/63448a32/signature.bin

From m.anderlini at database.it Wed Feb 6 16:36:26 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Feb 6 16:36:45 2008
Subject: [OT] sendmail max msg e queue times process
In-Reply-To: <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com>
References: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com><8652792.5011202306683195.JavaMail.root@office.splatnix.net> <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com>
Message-ID: <018e01c868de$6b162160$2e01a8c0@dbdomain.database.it>

This is a bit OT but I don't know where I can get help.

On a system using just sendmail ( version sendmail-8.13.1-3.2.el4) I would like to specify the max msg to process at time and how many often the queue should be processed.

Thanks for any help and sorry again for my worst English :-)

Best regards
Marcello

--
Message checked by the Database Informatica antivirus service

From telecaadmin at gmail.com Wed Feb 6 16:51:18 2008
From: telecaadmin at gmail.com (Ronny T. Lampert)
Date: Wed Feb 6 16:51:30 2008
Subject: [OT] sendmail max msg e queue times process
Message-ID: <47A9E586.3080000@gmail.com>

Hi,

> ON a system using just sendmail ( version sendmail-8.13.1-3.2.el4)
> I would like to specify the max msg to process at time and how many
> often the queue shoud be processed.

please do not hijack threads to start a new one (by replying to a message and starting a new thread).

Look here
http://www.sendmail.org/~ca/email/man/sendmail.html

Depending on your distribution and configuration you might have to adjust your startup script.

Here's one option regarding "how often to process the mail":

-q[time]
Processed saved messages in the queue at given intervals.

Then there is at
http://www.sendmail.org/m4/tweaking_config.html

MaxQueueRunSize
"Essentially, this will stop reading each queue directory after this number of entries are reached"

Cheers,
Ronny

From hvdkooij at vanderkooij.org Wed Feb 6 18:37:46 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Feb 6 18:38:27 2008
Subject: internal ip address
In-Reply-To: <47A9B676.1010705@USherbrooke.ca>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca>
Message-ID: <47A9FE7A.8080308@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Denis Beauchemin wrote:
| alexbo@myself.com wrote:
|> Hi there,
|> my Linux server has MailScanner v4.65.3 with postfix v2.1.5
|> When, for example, I send a message from a pc whose internal ip
|> address is 10.0.0.175 taking a look in the headers of outgoing mail
|> I've seen the last header just before Message-ID to appear like that
|>
|> Received: from [10.0.0.175] (pc1 [10.0.0.175])
|> by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7
|> for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET)
|>
|> Why the ip address of the sender is shown (twice) in square brackets ?
|>
|> My task is avoiding the outer world to know the internal ip of the
|> sender...
|
| Alex,
|
| The IP addresses you use are non-routable. That means nobody can access
| your computers from the internet because no router will allow them. So
| don't worry about the whole world knowing about your internal IP addresses.

Those were my thoughts exactly.

However a lot of auditors will make remarks on this in their report and note it as information disclosures. Some of them might actually mark them as critical issues that MUST be resolved.

Ain't this a funny world?

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored?
Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHqf55BvzDRVjxmYERAtxEAJ9TYUyqQqi5rs3+Re69ltNzqSt0HACdFa2S
dDltFJS3gd82ekcyKQ0DloE=
=0WqL
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Wed Feb 6 18:40:08 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Feb 6 18:40:43 2008
Subject: [OT] sendmail max msg e queue times process
In-Reply-To: <018e01c868de$6b162160$2e01a8c0@dbdomain.database.it>
References: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com><8652792.5011202306683195.JavaMail.root@office.splatnix.net> <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com> <018e01c868de$6b162160$2e01a8c0@dbdomain.database.it>
Message-ID: <47A9FF08.7010704@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcello Anderlini wrote:
| This is a bit OT but I don't know where I can get help.

Try it with a fresh message. You have now hijacked another thread.

Perhaps you can try this yourself: tar --with-feathers Marcello ;-)

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHqf8GBvzDRVjxmYERAgeuAKCUqUWT+3JeTXaRd9AtvZniZMLW3wCfXjWg
T7KGg/HHH9x5L0Wz/JBBweU=
=hSI+
-----END PGP SIGNATURE-----

From mkettler at evi-inc.com Wed Feb 6 19:17:10 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Feb 6 19:17:41 2008
Subject: internal ip address
In-Reply-To: <47A9FE7A.8080308@vanderkooij.org>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org>
Message-ID: <47AA07B6.2090702@evi-inc.com>

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Denis Beauchemin wrote:
> | Alex,
> |
> | The IP addresses you use are non-routable. That means nobody can access
> | your computers from the internet because no router will allow them. So
> | don't worry about the whole world knowing about your internal IP
> addresses.
>
> Those were my thoughts exactly.

Being non-routable helps you from a perspective of hackers using the information to directly break in to your network. However, an attacker probably knows all of your routable IPs anyway, so really that's not the threat vector.

The problem, in some situations, is the information exposed can still be used for other purposes. ie: studying the network structure so they know where to go once they get in via some other method. By googling around for postings on email list archives, you can often generate a lot of information about the network structure. Such information can also be used to aid social engineering attacks by figuring out who works with who.

Of course, this isn't exactly a "hardcore" risk factor like an open dialin, but it is information that an attacker can make use of. Whether that matters to your situation or not depends on your threat model, but anyone who sees it as presenting no risk at all is clearly mistaken.
(ie: just because it is a trivial risk in the network of an ad agency, does not mean it's trivial in a financial organization where social engineering attacks are more likely.)

From uxbod at splatnix.net Wed Feb 6 19:28:10 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 6 19:28:37 2008
Subject: internal ip address
In-Reply-To: <47AA07B6.2090702@evi-inc.com>
Message-ID: <13410930.5221202326090168.JavaMail.root@office.splatnix.net>

Whether it be a 10 or 192 range I don't believe that private IP addresses give that much information away. I am more annoyed when companies use people's name as the workstation identifier eg. BOBSQUAREPANTS a quick G00gle and you get Mr B Squarepants CEO A Big Piggy Bank! Makes a nice target once on the network, or as Matt said some simple social engineering. Most of it is common sense, but how often do we see not much of that in IT ;)

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Matt Kettler" wrote:

> Hugo van der Kooij wrote:

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From pascal.maes at elec.ucl.ac.be Wed Feb 6 19:53:21 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Wed Feb 6 19:53:43 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <20080205133207.60cad375@scorpio>
References: <47A304B8.30803@ecs.soton.ac.uk> <47A6FEAF.5050306@ecs.soton.ac.uk> <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <20080205133207.60cad375@scorpio>
Message-ID:

On 05 Feb 08, at 19:32, Gerard wrote:

> On Tue, 5 Feb 2008 14:18:07 +0100
> Pascal Maes wrote:
>
> [snip]
>
>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
>> posted on the postfix list also) ?
>
> Guess I am going to have to keep up with the Postfix forum to see how
> this turns out. Somehow I think it is going to be futile.
>

You exaggerate a little bit ;-)

Of course I get a remark but also the solution :

> Pascal Maes wrote:
>> The question is
>> Even with the option, smtpd_authorized_xforward_hosts, the first
>> "Received" is always the localhost.
>> That's a problem as we (MailScanner) can't use black or white
>> listing based on the IP address of the client.
>> A solution ?
>
> Use a header_checks rule with IGNORE to remove the offending line
> from the queue file.
>
> Note that MailScanner is known to not work reliably with postfix and
> is therefore not recommended or supported here.

The header_check is now :

/^Received: .* \[127\.0\.0\.1\]/ IGNORE
/^Received:/ HOLD

and it works.

--
Pascal

From mkettler at evi-inc.com Wed Feb 6 20:00:34 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Feb 6 20:00:58 2008
Subject: internal ip address
In-Reply-To: <13410930.5221202326090168.JavaMail.root@office.splatnix.net>
References: <13410930.5221202326090168.JavaMail.root@office.splatnix.net>
Message-ID: <47AA11E2.9090800@evi-inc.com>

--[ UxBoD ]-- wrote:
> Whether it be a 10 or 192 range I don't believe that private IP addresses give that much information away.

Really?

Do you vlan? Do you vlan based on department, building floor, or other useful locality? Most large networks do.

You find out that lead sales guy x works in a particular office, then find an email from him archived somewhere.. then look for others in the same company with similar IP ranges... you now know a list of people that work together, and where they work. Lather, rinse, repeat.

It's really not that hard once you realize most networks are logically structured. You're just leveraging lots of little bits of information to create a larger picture. This isn't really much different than what your average private investigator does when digging through public records.

It takes time to study this kind of thing, but again, what's your threat level? Also consider kids (ie: those in school/college) have time in abundance, and are your most common hackers. Consider your competitors, they may not break in, but studying your business may be useful to them in trying to out-compete you.

From lists at sequestered.net Wed Feb 6 20:14:41 2008
From: lists at sequestered.net (Jay Chandler)
Date: Wed Feb 6 20:14:54 2008
Subject: Definite Fraud?
Message-ID: <47AA1531.4040205@sequestered.net>

I'm sure this has been rehashed before, but...

*MailScanner has detected definite fraud in the website at "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah

Obviously it's detecting the 301 redirect, but that doesn't necessarily bespeak fraud.
There are a lot of non-fraudulent things that it could be, ranging from shock pictures to Rick Rolls to incredibly long URLs.

Has anyone discussed changing the wording here?

--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: Your mail is being routed through Germany... and they're censoring us

From hvdkooij at vanderkooij.org Wed Feb 6 20:15:38 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Feb 6 20:16:24 2008
Subject: internal ip address
In-Reply-To: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com>
References: <20080206140233.0F00416427A@ws1-4.us4.outblaze.com>
Message-ID: <47AA156A.305@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

alexbo@myself.com wrote:
| I supposed what you wrote; is there at least a way to replace ip address (the one between square brackets) with my mail server public ip ?
| I asked for help in this list since seems to me that Postfix is tricked by MailScanner, i.e. header_checks is used with "hold" policy so other remedies can't apply.
| Forgive me if these are trivial tasks but I'm not an Administrator (with the capital A), so if there are clues for my issue I'd humbly ask for let me know them.

Hmmm. One wonders why someone using outblaze.com would even wonder about such questions.

But you can do this in postfix if you combine the tips. See also: http://www.google.nl/search?q=postfix+strip+received

If you still want to combine this with the HOLD function for outbound email then things might get a bit more tricky.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHqhVnBvzDRVjxmYERAsENAKCtL6cC1oBvdJ4gHu2T2wMJHbDECQCdHS9r
xpNKJLafJ2C7ZPFSG21mRmk=
=WqTn
-----END PGP SIGNATURE-----

From uxbod at splatnix.net Wed Feb 6 20:19:11 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 6 20:20:19 2008
Subject: internal ip address
In-Reply-To: <16271973.5291202329076958.JavaMail.root@office.splatnix.net>
Message-ID: <13317001.5311202329151779.JavaMail.root@office.splatnix.net>

You're not wrong Matt, but what concerns me more is MTAs that give away their identity with respect to what software they are running. It becomes easier to attack as potential vulnerabilities are easier to find. It also depends on what somebody's objective is as well, do you target an individual's PC or go after the cream a nice central data store.

Understanding and appreciating your threat level is very important, especially when trying to convince SOX auditors why certain things are not being done ;) Perhaps the ability to cloak certain information is not a bad thing, and I do take on board your comments, but how far do you go ? I do not believe that it would be too hard to write a MS plugin for stripping certain information ie. the client's IP address perhaps it should be added to the SMTP RFC ?

IMHO I would prefer to educate our staff on how easy social engineering can be undertaken to glean sensitive information from the company! and even stop staff from signing up to loads of different mailing lists and publishing their company email addresses all over the net.
Unfortunately management do not always see it the same way ;)

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Kit at simplysites.co.uk Wed Feb 6 21:18:47 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Feb 6 21:19:04 2008
Subject: whitelist TO email addresses sent by users on the server
Message-ID:

Hi
I am not sure whether it's built into mailscanner or good practice, but is there a way of not scanning mail sent from addresses that users from the server has already sent to. A bit of a twister but eg

user on server sends to a@abc.com

a@abc.com then replies, surely a@abc.com should be a friend and that email should not really be scanned for spam......forever

Kit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080206/2d7f5748/attachment.html

From cotharyus at gmail.com Wed Feb 6 23:17:49 2008
From: cotharyus at gmail.com (Drew)
Date: Wed Feb 6 23:17:58 2008
Subject: Mailscanner segfaults on spamassassin lint test
Message-ID: <715841970802061517l812694bp74db41fe7b6aa401@mail.gmail.com>

Hello,
I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when running lint on spamassassin. Unfortunately, at this time the best (most informative) error I have is this, from the lint test through the mailwatch interface:

/libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol "PL_exit_flags"

I'm posting this here on a recommendation I got from a FreeBSD list. I've taken the following steps so far:

rebuilt perl and all perl modules.
made double sure all the right steps were taken after the perl upgrade.
rebuilt world

Perl version is 5.8.8

Thanks in advance for any assistance you folks can provide.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080206/7b5a221c/attachment.html

From ugob at lubik.ca Thu Feb 7 00:12:28 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Thu Feb 7 00:13:55 2008
Subject: whitelist TO email addresses sent by users on the server
In-Reply-To:
References:
Message-ID: <47AA4CEC.5030109@lubik.ca>

Kit Wong wrote:
> Hi
> I am not sure whether its built into mailscanner or good practice, but
> is there a way of not scanning mail sent from addresses that users from
> the server has already sent to. A bit of a twister but eg
>
> user on server sends to a@abc.com
>
> a@abc.com then replys, surely a@abc.com
> should be a friend and that email should not really
> be scanned for spam......forever

Since e-mail addresses can be easily spoofed, it is not such a good idea.

It is not possible to do that in MailScanner (for now).

Ugo

--
This message has been verified by LastSpam (http://www.lastspam.com) eMail security service, provided by Lubik
This e-mail has been verified by the LastSpam (http://www.lastspam.com) e-mail security service, provided by Lubik (http://www.lubik.ca)

www.lubik.ca

From hvdkooij at vanderkooij.org Thu Feb 7 06:39:12 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Feb 7 06:40:01 2008
Subject: Definite Fraud?
In-Reply-To: <47AA1531.4040205@sequestered.net>
References: <47AA1531.4040205@sequestered.net>
Message-ID: <47AAA790.2030908@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jay Chandler wrote:
| I'm sure this has been rehashed before, but...
|
|
| *MailScanner has detected definite fraud in the website at
| "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah
|
|
|
| Obviously it's detecting the 301 redirect, but that doesn't necessarily
| bespeak fraud. There are a lot of non-fraudulent things that it could
| be, ranging from shock pictures to Rick Rolls to incredibly long URLs.
|
| Has anyone discussed changing the wording here?

The 301 redirect is not considered. But as /blah is not identical to /2b514w there is an issue with an URL being hidden.

The wording of the message is in fact your job as an administrator. That is why the text is in separate language files. If you use templates without changes and accept them then that is your choice but in this case the wording is yours to change.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHqqeOBvzDRVjxmYERAibEAKCR81EoRtyyO9fZuSX4ytFAQ4mZcACfWLgN
Ab3Ovs5FhJD58zhe5+9ZecU=
=vEzq
-----END PGP SIGNATURE-----

From m.anderlini at database.it Thu Feb 7 08:53:31 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Thu Feb 7 08:53:50 2008
Subject: [OT] sendmail max msg e queue times process
In-Reply-To: <47A9FF08.7010704@vanderkooij.org>
References: <20080206135228.4F4D8103C3@ws1-3.us4.outblaze.com><8652792.5011202306683195.JavaMail.root@office.splatnix.net> <223f97700802060813p146d90d7y31bd960d5aa22528@mail.gmail.com><018e01c868de$6b162160$2e01a8c0@dbdomain.database.it> <47A9FF08.7010704@vanderkooij.org>
Message-ID: <01b801c86966$ea3a2940$2e01a8c0@dbdomain.database.it>

I beg your pardon, I was not aware of my mistake.
Sorry again.

Marcello Anderlini wrote:
| This is a bit OT but I don't know where I can get help.

Try it with a fresh message. You have now hijacked another thread.

Perhaps you can try this yourself: tar --with-feathers Marcello ;-)

Hugo.

- --

--
Message checked by the Database Informatica antivirus service

From pascal.maes at elec.ucl.ac.be Thu Feb 7 09:22:00 2008
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Thu Feb 7 09:22:21 2008
Subject: Modification of ruleset files
Message-ID:

Hello,

I wonder if we need to restart MailScanner when a ruleset is modified ?

Thanks
--
Pascal

From martinh at solidstatelogic.com Thu Feb 7 09:33:27 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 09:33:42 2008
Subject: whitelist TO email addresses sent by users on the server
In-Reply-To:
Message-ID: <451c82e38abf4a43b0b038cc758004bd@solidstatelogic.com>

Kit

Take a look at the watermarking feature in recent release of MailScanner, this should do the job.

Whitelisting 'known' addresses can be fraught with danger.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Kit Wong
> Sent: 06 February 2008 21:19
> To: mailscanner@lists.mailscanner.info
> Subject: whitelist TO email addresses sent by users on the server
>
> Hi
> I am not sure whether its built into mailscanner or good practice, but is
> there a way of not scanning mail sent from addresses that users from the
> server has already sent to. A bit of a twister but eg
>
> user on server sends to a@abc.com
>
> a@abc.com then replys, surely a@abc.com should be a friend and that email
> should not really be scanned for spam......forever
>
>
> Kit

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From glenn.steen at gmail.com Thu Feb 7 09:39:49 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 09:39:59 2008
Subject: internal ip address
In-Reply-To: <47AA07B6.2090702@evi-inc.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com>
Message-ID: <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com>

On 06/02/2008, Matt Kettler wrote:
> Hugo van der Kooij wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Denis Beauchemin wrote:
> > | Alex,
> > |
> > | The IP addresses you use are non-routable. That means nobody can access
> > | your computers from the internet because no router will allow them. So
> > | don't worry about the whole world knowing about your internal IP
> > addresses.
> >
> > Those were my thoughts exactly.
>
> Being non-routable helps you from a perspective of hackers using the information
> to directly break in to your network. However, an attacker probably knows all of
> your routable IPs anyway, so really that's not the threat vector.
>
> The problem, in some situations, is the information exposed can still be used
> for other purposes. ie: studying the network structure so they know where to go
> once they get in via some other method. By googling around for postings on email
> list archives, you can often generate a lot of information about the network
> structure. Such information can also be used to aid social engineering attacks
> by figuring out who works with who.
>
> Of course, this isn't exactly a "hardcore" risk factor like an open dialin, but
> it is information that an attacker can make use of.
Whether that matters to your
> situation or not depends on your threat model, but anyone who sees it as
> presenting no risk at all is clearly mistaken. (ie: just because it is a trivial
> risk in the network of an ad agency, does not mean it's trivial in a financial
> organization where social engineering attacks are more likely.)
>

Actually.... Since I do work in a .gov-ish financial organization.... I'd have to say I don't agree. Some VERY LARGE financial organizations have pretty shoddy network teams though, and in their cases... it really is relevant. You just can't make that generalization. For the vast majority of organizations, this is a very minor threat, not worth breaking RFC... I'm not saying you're wrong, just that it is ... really minor... compared to a lot of other email-related threats:-)...

Yes, you can counter with "your generalization is bigger than mine"... I know I do it too...:-)

On the whole, I see very little _real possibility_ of damages from this. It is a leakage, yes.... but negligible in most cases. that's MHO at least:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Thu Feb 7 09:39:47 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 09:40:07 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802061517l812694bp74db41fe7b6aa401@mail.gmail.com>
Message-ID: <60954af142962d4497dcddb3f77ca8ba@solidstatelogic.com>

Drew

Nice to see you here...

What happens when you..

MailScanner --debug --debug-SA

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Drew
> Sent: 06 February 2008 23:18
> To: mailscanner@lists.mailscanner.info
> Subject: Mailscanner segfaults on spamassassin lint test
>
> Hello,
> I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> running lint on spamassassin. Unfortunately, at this time the best (most
> informative) error I have is this, from the lint test through the
> mailwatch interface:
>
> /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol
> "PL_exit_flags"
>
> I'm posting this here on a recommendation I got from a FreeBSD list. I've
> taken the following steps so far:
>
> rebuilt perl and all perl modules.
> made double sure all the right steps were taken after the perl upgrade.
> rebuilt world
>
> Perl version is 5.8.8
>
> Thanks in advance for any assistance you folks can provide.

From glenn.steen at gmail.com Thu Feb 7 09:46:09 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 09:46:19 2008
Subject: internal ip address
In-Reply-To: <13410930.5221202326090168.JavaMail.root@office.splatnix.net>
References: <47AA07B6.2090702@evi-inc.com> <13410930.5221202326090168.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700802070146o123e1234pf99e837267bb1e90@mail.gmail.com>

On 06/02/2008, --[ UxBoD ]-- wrote:
> Whether it be a 10 or 192 range I don't believe that private IP addresses give that much information away. I am more annoyed when companies use peoples name as the workstation identifier eg. BOBSQUAREPANTS a quick G00gle and you get Mr B Squarepants CEO A Big Piggy Bank! Makes a nice target once on the network, or as Matt said some simple social engineering. Most of it is common sense, but how often do we see not much of that in IT ;)
>
> Regards,
>

Indeed! And the abomination of naming servers from function... Ok, so oracle01.example.net does something... I wonder what....:-).

Anyway, those two things... A) getting at a person/persons comp, and B) having a very clear target (due to naming conventions etc... are so much more usable than the info leaked in a Received line.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From t.d.lee at durham.ac.uk Thu Feb 7 09:48:24 2008
From: t.d.lee at durham.ac.uk (David Lee)
Date: Thu Feb 7 09:48:51 2008
Subject: MS/Solaris installation buglets
Message-ID:

Julian: to report a couple of Solaris MS (4.66.5) installation buglets.

1. MakeMaker requires a release of File::Spec which may be more recent
than that native in the OS. You already distribute a good File::Spec.
Solution: Re-order the installation to do File::Spec before MakeMaker.
(Tested: it works.)

2. MakeMaker build reports "Can't locate Pod/Man.pm in @INC...". Might
these need something like "Pod::Man" adding to the list of modules you
distribute?

There may be more waiting for later, but I'm suspending work on this
attempted installation at present so we can decide the best approach. I'd
be happy to try to beta-test things for you.

Best wishes.

--
:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:  UNIX Team Leader                         Durham University     :
:                                           South Road            :
:  http://www.dur.ac.uk/t.d.lee/            Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :

From glenn.steen at gmail.com Thu Feb 7 09:50:26 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 09:50:37 2008
Subject: internal ip address
In-Reply-To: <47AA11E2.9090800@evi-inc.com>
References: <13410930.5221202326090168.JavaMail.root@office.splatnix.net> <47AA11E2.9090800@evi-inc.com>
Message-ID: <223f97700802070150y5eeb6213rdd69680971d6a953@mail.gmail.com>

On 06/02/2008, Matt Kettler wrote:
> --[ UxBoD ]-- wrote:
> > Whether it be a 10 or 192 range I don't believe that private IP addresses give that much information away.
>
> Really?
>
> Do you vlan? Do you vlan based on department, building floor, or other useful
> locality? Most large networks do.
Subnetting? where did you get that mask you needed to make the base
assumption? Nowhere...

> You find out that lead sales guy x works in a particular office, then find an
> email from him archived somewhere.. then look for others in the same company
> with similar IP ranges... you now know a list of people that work together, and
> where they work. Lather, rinse, repeat.
>
> It's really not that hard once you realize most networks are logically
> structured. You're just leveraging lots of little bits of information to create
> a larger picture. This isn't really much different than what your average
> private investigator does when digging through public records.
>
> It takes time to study this kind of thing, but again, what's your threat level?
> Also consider kids (ie: those in school/college) have time in abundance, and are
> your most common hackers. Consider your competitors, they may not break in, but
> studying your business may be useful to them in trying to out-compete you.
>
C'mon, the kids seldom know their way out of their behinds.... It's
the guys and gals making a living of this that would likely make a
dedicated effort like that.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From shuttlebox at gmail.com Thu Feb 7 09:51:32 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Feb 7 09:51:42 2008
Subject: Modification of ruleset files
In-Reply-To:
References:
Message-ID: <625385e30802070151y7afc7e40r579f37cb7e314cb5@mail.gmail.com>

On Feb 7, 2008 10:22 AM, Pascal Maes wrote:
> Hello,
>
>
> I wonder if we need to restart MailScanner when a ruleset is modified ?

No, a reload is sufficient.

--
/peter

From glenn.steen at gmail.com Thu Feb 7 10:21:31 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 10:21:42 2008
Subject: whitelist TO email addresses sent by users on the server
In-Reply-To: <451c82e38abf4a43b0b038cc758004bd@solidstatelogic.com>
References: <451c82e38abf4a43b0b038cc758004bd@solidstatelogic.com>
Message-ID: <223f97700802070221v6147c180j7c4cb94cfce9d4e4@mail.gmail.com>

On 07/02/2008, Martin.Hepworth wrote:
> Kit
>
> Take a look at the watermarking feature in recent release of MailScanner, this should do the job.
Would only work for replies though, unless one does really silly hoops
in a CustomFunction.

> Whitelisting 'known' addresses can be fraught with danger.
>
Amen!

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From cotharyus at gmail.com Thu Feb 7 10:35:20 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 10:35:30 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <60954af142962d4497dcddb3f77ca8ba@solidstatelogic.com>
References: <715841970802061517l812694bp74db41fe7b6aa401@mail.gmail.com> <60954af142962d4497dcddb3f77ca8ba@solidstatelogic.com>
Message-ID: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com>

On Feb 7, 2008 3:39 AM, Martin.Hepworth wrote:

> Drew
>
> Nice to see you here...
>
> What happens when you..
>
> MailScanner --debug --debug-SA
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Drew
> > Sent: 06 February 2008 23:18
> > To: mailscanner@lists.mailscanner.info
> > Subject: Mailscanner segfaults on spamassassin lint test
> >
> > Hello,
> > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> > running lint on spamassassin.
> > Unfortunately, at this time the best (most
> > informative) error I have is this, from the lint test through the
> > mailwatch interface:
> >
> > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol
> > "PL_exit_flags"
> >
> > I'm posting this here on a recommendation I got from a FreeBSD list. I've
> > taken the following steps so far:
> >
> > rebuilt perl and all perl modules.
> > made double sure all the right steps were taken after the perl upgrade.
> > rebuilt world
> >
> > Perl version is 5.8.8
> >
> > Thanks in advance for any assistance you folks can provide.
> >
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

Hi Martin,

root@colossus(/usr)# mailscanner --debug --debug-SA
In Debugging mode, not forking...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
zsh: segmentation fault mailscanner --debug --debug-SA

From ja at conviator.com Thu Feb 7 10:49:12 2008
From: ja at conviator.com (Jan Agermose)
Date: Thu Feb 7 10:49:31 2008
Subject: whitelist / sbl-xbl.spamhaus.org
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E034E36A1@mail-17ps.atlarge.net>

Hi

I'm running Mailscanner and using sbl-xbl.spamhaus.org as part of the sendmail setup. Is it somehow possible to whitelist an IP listed in the Spamhaus database - until the issue is resolved? I'm sure they are listed for a reason :-) my problem is that the mails they are sending to us are important and non-spam.

Best regards
Jan

From prandal at herefordshire.gov.uk Thu Feb 7 11:18:43 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Feb 7 11:19:00 2008
Subject: whitelist / sbl-xbl.spamhaus.org
In-Reply-To: <6B59FCF2EFD0334A8147A1BB463F111E034E36A1@mail-17ps.atlarge.net>
References: <6B59FCF2EFD0334A8147A1BB463F111E034E36A1@mail-17ps.atlarge.net>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA02EED968@HC-MBX02.herefordshire.gov.uk>

It's easy.

In sendmail's /etc/mail/access put

Connect:a.b.c.d OK

where a.b.c.d is the IP address you wish to allow.

And then do a

make -C /etc/mail

to rebuild /etc/mail/access.db

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Agermose
Sent: 07 February 2008 10:49
To: mailscanner@lists.mailscanner.info
Subject: whitelist / sbl-xbl.spamhaus.org

Hi

I'm running Mailscanner and using sbl-xbl.spamhaus.org as part of the sendmail setup. Is it somehow possible to whitelist an IP listed in the Spamhaus database - until the issue is resolved? I'm sure they are listed for a reason :-) my problem is that the mails they are sending to us are important and non-spam.

Best regards
Jan

From cde at alunys.com Thu Feb 7 15:39:26 2008
From: cde at alunys.com (Cedric Devillers)
Date: Thu Feb 7 15:40:27 2008
Subject: Mailscanner generated duplicate message
Message-ID: <47AB262E.6070808@alunys.com>

Hello,

I'm trying to revive this thread from the last month because we are
observing the exact same behavior on one of our servers.

So to remember the facts :

- We are using mailscanner with postfix, and duplicated messages are
generated by mailscanner.

- This system is the only one where we are observing this behavior. It
has a little particularity : it mainly acts as a mail relay, but sometimes
many mails are generated by the server itself (a script) and injected in
postfix queues via sendmail command. We can always reproduce some
duplicated messages with this script.

- MailScanner is configured (by ruleset) to bypass scanning for those
messages, but they are still entering the mailscanner logic (postfix ->
hold queue -> mailscanner (no scan) -> active queue).

- Mailwatch is running on this server, and for each duplicate we see
entries with null size body (2, 3, 4, sometimes 5) then at last a final
entry with the full body. Note that the recipient sees the full body on
every duplicate.

It looks like a locking problem, because all duplicates are with the
same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy,
ID.zzzz, etc). Can it be possible that a mailscanner child "fails" to lock
some queue file when message is marked not to be scanned by mailscanner ?

I will not be very helpful to debug perl code, but I can provide any
needed logs to help finding the origin of the problem.

This is really a serious problem in this particular installation.
But I must say that we have dozens of other servers that are running
mailscanner/postfix, and we are very happy about them :)

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From rcastilloramos at yahoo.es Thu Feb 7 15:53:03 2008
From: rcastilloramos at yahoo.es (roberto martin castillo ramos)
Date: Thu Feb 7 15:53:13 2008
Subject: installation Mailscanner into Centos5
Message-ID: <629494.89189.qm@web36402.mail.mud.yahoo.com>

Hello,

I am from Lima, Peru and I need your help please. I have installed a mail server into Centos5 and I can not install Mailscanner. From http://www.mailscanner.info/downloads.html#stable I used several installers and I executed the version 4.67.3 (./install.sh) and into /opt I saw the folder Mailscanner4.67.3 and I made the configuration to my Mailscanner.conf

But when I execute chkconfig Mailscanner on I see an error message:
Mailscanner is not installed

Please could you help me, I can not install Mailscanner into Centos 5.
Is there a package for mailscanner to install into Centos5???

thanks

From mkettler at evi-inc.com Thu Feb 7 15:53:18 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Feb 7 15:53:39 2008
Subject: whitelist / sbl-xbl.spamhaus.org
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA02EED968@HC-MBX02.herefordshire.gov.uk>
References: <6B59FCF2EFD0334A8147A1BB463F111E034E36A1@mail-17ps.atlarge.net> <7EF0EE5CB3B263488C8C18823239BEBA02EED968@HC-MBX02.herefordshire.gov.uk>
Message-ID: <47AB296E.5080703@evi-inc.com>

Randal, Phil wrote:
> It's easy.
>
> In sendmail's /etc/mail/access put
>
> Connect:a.b.c.d OK
>
> where a.b.c.d is the IP address you wish to allow.
>
> And then do a
>
> make -C /etc/mail
>
> to rebuild /etc/mail/access.db
>
> Cheers,

That will work, if they're using spamhaus at the MTA layer. But it won't help if
it's in MailScanner or SpamAssassin.

Jan, where in your mailsystem are you applying spamhaus that it's causing a problem?

If it's being rejected by sendmail, the above should work great.

If it's at the spamassassin level, you can "hack fix" it by adding this to your
trusted_networks. However, beware that if you don't have any trusted_networks
set, declaring one will disable the auto-guesser and you'll have to set this
completely.

If it's at the MailScanner level, you can probably use the spam.whitelist.rules.
(this would also prevent SA from causing it to be tagged)

From bpirie at rma.edu Thu Feb 7 15:59:40 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Feb 7 15:59:57 2008
Subject: installation Mailscanner into Centos5
In-Reply-To: <629494.89189.qm@web36402.mail.mud.yahoo.com>
References: <629494.89189.qm@web36402.mail.mud.yahoo.com>
Message-ID: <47AB2AEC.5040607@rma.edu>

You have installed the wrong package. If you're running CentOS and want
the stable release, you should have used

# Version 4.66.5-3 for RedHat, Fedora and Mandrake Linux (and other RPM-based Linux Distributions)

CentOS is built from RedHat sources, so this is the correct package for
your system.

If you want the beta release, you should have used

# Version 4.67.3-1 for RedHat, Fedora and Mandrake Linux (and other RPM-based Linux distributions)

Neither of these packages will install anything in /opt

You may also want to install

ClamAV 0.92 and SpamAssassin 3.2.4 easy installation package (incl.
SA patch 5589)

Brendan

roberto martin castillo ramos wrote:
> Hello,
>
> I am from Lima, Peru and I need your help please. I have installed a mail
> server into Centos5 and I can not install Mailscanner. From
> http://www.mailscanner.info/downloads.html#stable I used several
> installers and I executed the version 4.67.3 (./install.sh) and into /opt
> I saw the folder Mailscanner4.67.3 and I made the configuration to my
> Mailscanner.conf
>
> But when I execute chkconfig Mailscanner on I see an error message:
> Mailscanner is not installed
>
> Please could you help me, I can not install Mailscanner into Centos 5.
> Is there a package for mailscanner to install into Centos5???
>
> thanks
>

From martinh at solidstatelogic.com Thu Feb 7 16:01:31 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 16:02:10 2008
Subject: installation Mailscanner into Centos5
In-Reply-To: <629494.89189.qm@web36402.mail.mud.yahoo.com>
Message-ID: <10e6b0980c4a914c96e96452661d14dd@solidstatelogic.com>

Roberto

Use the RPM based installer for Centos.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of roberto martin castillo ramos
> Sent: 07 February 2008 15:53
> To: mailscanner@lists.mailscanner.info
> Subject: installation Mailscanner into Centos5
>
> Hello,
>
> I am from Lima, Peru and I need your help please. I have installed a mail
> server into Centos5 and I can not install Mailscanner. From
> http://www.mailscanner.info/downloads.html#stable I used several
> installers and I executed the version 4.67.3 (./install.sh) and into /opt I
> saw the folder Mailscanner4.67.3 and I made the configuration to my
> Mailscanner.conf
>
> But when I execute chkconfig Mailscanner on I see an error message:
> Mailscanner is not installed
>
> Please could you help me, I can not install Mailscanner into Centos 5.
> Is there a package for mailscanner to install into Centos5???
>
> thanks

From martinh at solidstatelogic.com Thu Feb 7 16:05:49 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 16:06:05 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com>
Message-ID: <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com>

Drew

How did you install SA etc, I can't remember what you said on the freebsd list.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Drew
> Sent: 07 February 2008 10:35
> To: MailScanner discussion
> Subject: Re: Mailscanner segfaults on spamassassin lint test
>
>
>
> On Feb 7, 2008 3:39 AM, Martin.Hepworth
> wrote:
>
>
> Drew
>
> Nice to see you here...
>
> What happens when you..
>
> MailScanner --debug --debug-SA
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Drew
> > Sent: 06 February 2008 23:18
> > To: mailscanner@lists.mailscanner.info
> > Subject: Mailscanner segfaults on spamassassin lint test
> >
> > Hello,
> > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when
> > running lint on spamassassin.
Unfortunately, at this time the best > (most > > informative) error I have is this, from the lint test through the > > mailwatch interface: > > > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol > > "PL_exit_flags" > > > > I'm posting this here on a recommendation I got from a FreeBSD > list. I've > > taken the following steps so far: > > > > rebuilt perl and all perl modules. > > made double sure all the right steps were taken after the perl > upgrade. > > rebuilt world > > > > Perl version is 5.8.8 > > > > Thanks in advance for any assistance you folks can provide. > > > > > > > ******************************************************************** > ** > Confidentiality : This e-mail and any attachments are intended for > the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show > them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those > of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We > advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ******************************************************************** > ** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > Hi Martin, > > root@colossus(/usr)# mailscanner --debug --debug-SA > In Debugging mode, not forking... > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > zsh: segmentation fault mailscanner --debug --debug-SA > > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From v at vladville.com Thu Feb 7 16:10:22 2008 From: v at vladville.com (Vlad Mazek) Date: Thu Feb 7 16:10:33 2008 Subject: Skipping SpamAssassin if sender is on an RBL Message-ID: Is there any way to skip/bypass the SA check (and the resources it takes up) and store spam in the quarantine automatically if the sender is on an RBL? I'm looking over my stats over the past few days and can't help but see that SA resources are wasted on the senders that are on RBLs but we still have to keep them for that one out of a million SPAMs that someone will eventually consider critical :( -Vlad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/dd1ad237/attachment.html From mkettler at evi-inc.com Thu Feb 7 16:09:39 2008 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Feb 7 16:10:35 2008 Subject: [ot] internal ip address In-Reply-To: <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> Message-ID: <47AB2D43.9020700@evi-inc.com> Glenn Steen wrote: > For the > vast majority of organizations, this is a very minor threat, not worth > breaking RFC... Like.. gmail? Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14 Actually, AFAIK, that doesn't actually violate the RFCs.. you MUST add a Received: header, but I don't see anything in 2821/2822/1123 requiring you to add a from clause. > I'm not saying you're wrong, just that it is ... really minor... 
> compared to a lot of other email-related threats:-)... Yes, you can > counter with "your generalization is bigger than mine"... I know I do > it too...:-) > > On the whole, I see very little _real possibility_ of damages from this. > It is a leakage, yes.... but negligible in most cases. that's MHO ate least:-). I would agree in most cases it is very minor or negligible. I never said this applied to most, or even very many people. My only point was the "if it's unroutable, you can't hack it" argument isn't a very complete view of network security. From cotharyus at gmail.com Thu Feb 7 16:11:42 2008 From: cotharyus at gmail.com (Drew) Date: Thu Feb 7 16:11:57 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> Message-ID: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> Everything was installed from ports except for MailWatch, which really doesn't play into this except that the lint test from Mailwatch is where the only informative error seems to be coming from. On Feb 7, 2008 10:05 AM, Martin.Hepworth wrote: > Drew > > How did you install SA etc, I can't remember what you said on the freebsd > list. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Drew > > Sent: 07 February 2008 10:35 > > To: MailScanner discussion > > Subject: Re: Mailscanner segfaults on spamassassin lint test > > > > > > > > On Feb 7, 2008 3:39 AM, Martin.Hepworth > > wrote: > > > > > > Drew > > > > Nice to see you here... > > > > What happen when you.. 
> > > > MailScanner --debug --debug-SA > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner- > > > bounces@lists.mailscanner.info] On Behalf Of Drew > > > Sent: 06 February 2008 23:18 > > > To: mailscanner@lists.mailscanner.info > > > Subject: Mailscanner segfaults on spamassassin lint test > > > > > > Hello, > > > I'm trying to set up mailscanner on FreeBSD 6.2, and it > segfaults > > when > > > running lint on spamassassin. Unfortunately, at this time the > best > > (most > > > informative) error I have is this, from the lint test through > the > > > mailwatch interface: > > > > > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol > > > "PL_exit_flags" > > > > > > I'm posting this here on a recommendation I got from a FreeBSD > > list. I've > > > taken the following steps so far: > > > > > > rebuilt perl and all perl modules. > > > made double sure all the right steps were taken after the perl > > upgrade. > > > rebuilt world > > > > > > Perl version is 5.8.8 > > > > > > Thanks in advance for any assistance you folks can provide. > > > > > > > > > > > > > > > ******************************************************************** > > ** > > Confidentiality : This e-mail and any attachments are intended for > > the > > addressee only and may be confidential. If they come to you in > error > > you must take no action based on them, nor must you copy or show > > them > > to anyone. Please advise the sender by replying to this e-mail > > immediately and then delete the original from your computer. > > Opinion : Any opinions expressed in this e-mail are entirely those > > of > > the author and unless specifically stated to the contrary, are not > > necessarily those of the author's employer. 
> > Security Warning : Internet e-mail is not necessarily a secure > > communications medium and can be subject to data corruption. We > > advise > > that you consider this fact when e-mailing us. > > Viruses : We have taken steps to ensure that this e-mail and any > > attachments are free from known viruses but in keeping with good > > computing practice, you should ensure that they are virus free. > > > > Red Lion 49 Ltd T/A Solid State Logic > > Registered as a limited company in England and Wales > > (Company No:5362730) > > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > > United Kingdom > > > ******************************************************************** > > ** > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > Hi Martin, > > > > root@colossus(/usr)# mailscanner --debug --debug-SA > > In Debugging mode, not forking... > > SpamAssassin temp dir = > /var/spool/MailScanner/incoming/SpamAssassin-Temp > > zsh: segmentation fault mailscanner --debug --debug-SA > > > > > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. 
From Denis.Beauchemin at usherbrooke.ca Thu Feb 7 16:21:26 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Thu Feb 7 16:22:14 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References:
Message-ID: <47AB3006.2010303@USherbrooke.ca>

Vlad Mazek wrote:
> Is there any way to skip/bypass the SA check (and the resources it
> takes up) and store spam in the quarantine automatically if the sender
> is on an RBL?
>
> I'm looking over my stats over the past few days and can't help but
> see that SA resources are wasted on the senders that are on RBLs but
> we still have to keep them for that one out of a million SPAMs that
> someone will eventually consider critical :(
>
> -Vlad

Vlad,

Personally, I do RBL checks at the MTA level and in SA but none in MS.
I also run a caching-nameserver. That way I don't waste many resources.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From v at vladville.com Thu Feb 7 16:33:48 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 16:33:59 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AB3006.2010303@USherbrooke.ca>
References: <47AB3006.2010303@USherbrooke.ca>
Message-ID:

RBL check at the MTA wouldn't store the messages in the MailScanner
quarantines...

-Vlad

On 2/7/08, Denis Beauchemin wrote:
>
> Vlad Mazek wrote:
> > Is there any way to skip/bypass the SA check (and the resources it
> > takes up) and store spam in the quarantine automatically if the sender
> > is on an RBL?
> >
> > I'm looking over my stats over the past few days and can't help but
> > see that SA resources are wasted on the senders that are on RBLs but
> > we still have to keep them for that one out of a million SPAMs that
> > someone will eventually consider critical :(
> >
> > -Vlad
> Vlad,
>
> Personally, I do RBL checks at the MTA level and in SA but none in MS.
> I also run a caching-nameserver. That way I don't waste many resources.
>
> Denis

--
-Vlad
From richard.frovarp at sendit.nodak.edu Thu Feb 7 16:39:45 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Feb 7 16:39:55 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca>
Message-ID: <47AB3451.2060500@sendit.nodak.edu>

Vlad Mazek wrote:
> RBL check at the MTA wouldn't store the messages in the MailScanner
> quarantines...
>
> -Vlad

No, it would bounce back to sender so they know they have a problem.

Check out Spam Lists To Be Spam. Or Spam Lists To Reach High Score
depending on how your actions are. That should do the trick.

From v at vladville.com Thu Feb 7 16:59:57 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 17:00:07 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AB3451.2060500@sendit.nodak.edu>
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu>
Message-ID:

So how does a message that gets hit by Spam Lists To Be Spam bypass
spamassassin checks in MailScanner?

-Vlad

On 2/7/08, Richard Frovarp wrote:
>
> Vlad Mazek wrote:
> > RBL check at the MTA wouldn't store the messages in the MailScanner
> > quarantines...
> >
> > -Vlad
> No, it would bounce back to sender so they know they have a problem.
>
> Check out Spam Lists To Be Spam. Or Spam Lists To Reach High Score
> depending on how your actions are. That should do the trick.

--
-Vlad
From martinh at solidstatelogic.com Thu Feb 7 17:08:07 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Feb 7 17:08:25 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
Message-ID:

Drew

Hmmmm

What does "MailScanner -v" give ya???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Drew
> Sent: 07 February 2008 16:12
> To: MailScanner discussion
> Subject: Re: Mailscanner segfaults on spamassassin lint test
>
> Everything was installed from ports except for MailWatch, which really
> doesn't play into this except that the lint test from Mailwatch is where
> the only informative error seems to be coming from.

From dyioulos at firstbhph.com Thu Feb 7 17:23:36 2008
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Thu Feb 7 17:23:53 2008
Subject: installation Mailscanner into Centos5
In-Reply-To: <629494.89189.qm@web36402.mail.mud.yahoo.com>
References: <629494.89189.qm@web36402.mail.mud.yahoo.com>
Message-ID: <200802071223.37072.dyioulos@firstbhph.com>

On Thursday 07 February 2008 10:53 am, roberto martin castillo ramos wrote:
> Hello,
>
> I am from Lima,Peru and i need your help please, i have installed a mail
> server into Centos5 and i can not install Mailscanner, from
> http://www.mailscanner.info/downloads.html#stable i used several installers
> and i execute the version 4.67.3(./ install.sh) and into /opt i saw the
> folder Mailscanner4.67.3 and i made the configuration to my
> Mailscanner.conf
>
> But when i execute chkconfig Mailscanner on i see a error messages:
> Mailscanner is not installed
>
> Please could you help me, i can not install Mailscanner into Centos 5
> is there a packages for mailscanner to install into Centos5???
>
> thanks

Assuming you installed with the RPM version of MailScanner, try "rpm -q
mailscanner" (N.B. not Mailscanner with a capital M. That will return a
"not installed") to see if your installation was successful. Then, perhaps
try and start MailScanner with "service MailScanner start" (again, not that
M in Mail and S in Scanner are capitalized). Finally, I think you'd do a
"checkconfig --level 345 MailScanner on" (once again, watch the
capitalization of MailScanner).
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dyioulos at firstbhph.com Thu Feb 7 17:43:17 2008
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Thu Feb 7 17:43:38 2008
Subject: installation Mailscanner into Centos5
In-Reply-To: <200802071223.37072.dyioulos@firstbhph.com>
References: <629494.89189.qm@web36402.mail.mud.yahoo.com> <200802071223.37072.dyioulos@firstbhph.com>
Message-ID: <200802071243.18054.dyioulos@firstbhph.com>

On Thursday 07 February 2008 12:23 pm, Dimitri Yioulos wrote:

Oops, a couple of corrections are in order (see in-line):

> Assuming you installed with the RPM version of MailScanner, try "rpm -q
> mailscanner" (N.B. not Mailscanner with a capital M. That will return a
> "not installed") to see if your installation was successful. Then, perhaps
> try and start MailScanner with "service MailScanner start" (again, not that
> M in Mail and S in Scanner are capitalized).

Note that M in Mail and S in Scanner are capitalized.

> Finally, I think you'd do a "checkconfig --level 345 MailScanner on" (once
> again, watch the capitalization of MailScanner).

"chkconfig --level 345 MailScanner on"

Sorry about that.

From richard.frovarp at sendit.nodak.edu Thu Feb 7 17:46:29 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Feb 7 17:46:39 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu>
Message-ID: <47AB43F5.9030004@sendit.nodak.edu>

Vlad Mazek wrote:
> So how does a message that gets hit by Spam Lists To Be Spam bypass
> spamassassin checks in MailScanner?
>
> -Vlad

If spam and high scoring spam have the same actions, I think it will
bypass. Or if you just set it to be high scoring spam, it will take that
action.

From gerard at seibercom.net Thu Feb 7 18:20:37 2008
From: gerard at seibercom.net (Gerard)
Date: Thu Feb 7 18:21:06 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
Message-ID: <20080207132037.6e0f17ae@scorpio>

On Thu, 7 Feb 2008 10:11:42 -0600
Drew wrote:

> Everything was installed from ports except for MailWatch, which really
> doesn't play into this except that the lint test from Mailwatch is
> where the only informative error seems to be coming from.

And what would lead you to that conclusion?

--
Gerard
gerard@seibercom.net

We'll cross that bridge when we come back to it later.
From cotharyus at gmail.com Thu Feb 7 18:45:10 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 19:10:09 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <20080207132037.6e0f17ae@scorpio>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio>
Message-ID: <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>

On Feb 7, 2008 12:20 PM, Gerard wrote:
> On Thu, 7 Feb 2008 10:11:42 -0600
> Drew wrote:
>
> > Everything was installed from ports except for MailWatch, which really
> > doesn't play into this except that the lint test from Mailwatch is
> > where the only informative error seems to be coming from.
>
> And what would lead you to that conclusion?

Mostly that this seems related to SA specifically, and as far as I know,
other than some logging preferences in the mailscanner config, mailwatch
doesn't have any real bearing on SA. Or have I deceived myself?

From cotharyus at gmail.com Thu Feb 7 18:43:09 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 19:13:53 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To:
References: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
Message-ID: <715841970802071043r4943c4dbmba6c4dbfbaeb46d8@mail.gmail.com>

On Feb 7, 2008 11:08 AM, Martin.Hepworth wrote:
> Drew
>
> Hmmmm
>
> What does "MailScanner -v" give ya???

root@colossus(~)# mailscanner -v
Running on
FreeBSD colossus.cotharyus.net 6.3-STABLE FreeBSD 6.3-STABLE #3: Sun Feb 3 14:31:40 CST 2008 lauasanf@colossus.cotharyus.net:/usr/obj/usr/src/sys/Colossus i386
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.64.3
Module versions are:
1.00 AnyDBM_File
1.23 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.20 File::Temp
0.92 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.22 IO
1.13 IO::File
1.13 IO::Pipe
1.77 Mail::Header
1.87 Math::BigInt
3.07 MIME::Base64
5.425 MIME::Decoder
5.425 MIME::Decoder::UU
5.425 MIME::Head
5.425 MIME::Parser
3.07 MIME::QuotedPrint
5.425 MIME::Tools
0.11 Net::CIDR
1.09 POSIX
1.19 Scalar::Util
1.78 Socket
1.4 Sys::Hostname::Long
0.13 Sys::Syslog
1.9711 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.38 Archive::Tar
0.17 bignum
missing Business::ISBN
missing Business::ISBN::Data
0.17 Convert::TNEF
missing Data::Dump
1.814 DB_File
1.14 DBD::SQLite
1.601 DBI
1.15 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
1.00 Encode::Detect
0.17009 Error
0.21 ExtUtils::CBuilder
2.18 ExtUtils::ParseXS
missing Inline
1.08 IO::String
1.07 IO::Zlib
2.23 IP::Country
missing Mail::ClamAV
3.002004 Mail::SpamAssassin
v2.004 Mail::SPF
1.999001 Mail::SPF::Query
0.15 Math::BigRat
0.2808 Module::Build
0.20 Net::CIDR::Lite
0.62 Net::DNS
v0.003 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.007 NetAddr::IP
missing Parse::RecDescent
missing SAVI
3.07 Test::Harness
missing Test::Manifest
1.95 Text::Balanced
1.35 URI
0.74 version
0.66 YAML
Everything was installed from ports except for MailWatch, which really > > doesn't play into this except that the lint test from Mailwatch is where > > the only informative error seems to be coming from. > > > > > > On Feb 7, 2008 10:05 AM, Martin.Hepworth > > wrote: > > > > > > Drew > > > > How did you install SA etc, I can't remember what you said on the > > freebsd list. > > > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner- > > > bounces@lists.mailscanner.info] On Behalf Of Drew > > > > > Sent: 07 February 2008 10:35 > > > To: MailScanner discussion > > > Subject: Re: Mailscanner segfaults on spamassassin lint test > > > > > > > > > > > > On Feb 7, 2008 3:39 AM, Martin.Hepworth > > > > > wrote: > > > > > > > > > Drew > > > > > > Nice to see you here... > > > > > > What happen when you.. > > > > > > MailScanner --debug --debug-SA > > > > > > -- > > > Martin Hepworth > > > Snr Systems Administrator > > > Solid State Logic > > > Tel: +44 (0)1865 842300 > > > > > > > > > > -----Original Message----- > > > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner- > > > > bounces@lists.mailscanner.info] On Behalf Of Drew > > > > Sent: 06 February 2008 23:18 > > > > To: mailscanner@lists.mailscanner.info > > > > Subject: Mailscanner segfaults on spamassassin lint test > > > > > > > > Hello, > > > > I'm trying to set up mailscanner on FreeBSD 6.2, and it > > segfaults > > > when > > > > running lint on spamassassin. 
Unfortunately, at this > time > > the best > > > (most > > > > informative) error I have is this, from the lint test > > through the > > > > mailwatch interface: > > > > > > > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: > Undefined > > symbol > > > > "PL_exit_flags" > > > > > > > > I'm posting this here on a recommendation I got from a > > FreeBSD > > > list. I've > > > > taken the following steps so far: > > > > > > > > rebuilt perl and all perl modules. > > > > made double sure all the right steps were taken after > the > > perl > > > upgrade. > > > > rebuilt world > > > > > > > > Perl version is 5.8.8 > > > > > > > > Thanks in advance for any assistance you folks can > > provide. > > > > > > > > > > > > > > > > > > > > > > > ******************************************************************** > > > ** > > > Confidentiality : This e-mail and any attachments are > > intended for > > > the > > > addressee only and may be confidential. If they come to > you > > in error > > > you must take no action based on them, nor must you copy > or > > show > > > them > > > to anyone. Please advise the sender by replying to this e- > > mail > > > immediately and then delete the original from your > computer. > > > Opinion : Any opinions expressed in this e-mail are > entirely > > those > > > of > > > the author and unless specifically stated to the contrary, > > are not > > > necessarily those of the author's employer. > > > Security Warning : Internet e-mail is not necessarily a > > secure > > > communications medium and can be subject to data > corruption. > > We > > > advise > > > that you consider this fact when e-mailing us. > > > Viruses : We have taken steps to ensure that this e-mail > and > > any > > > attachments are free from known viruses but in keeping > with > > good > > > computing practice, you should ensure that they are virus > > free. 
> > > > > > Red Lion 49 Ltd T/A Solid State Logic > > > Registered as a limited company in England and Wales > > > (Company No:5362730) > > > Registered Office: 25 Spring Hill Road, Begbroke, Oxford > OX5 > > 1RU, > > > United Kingdom > > > > > ******************************************************************** > > > ** > > > > > > -- > > > MailScanner mailing list > > > mailscanner@lists.mailscanner.info > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > > > Support MailScanner development - buy the book off the > > website! > > > > > > > > > Hi Martin, > > > > > > root@colossus(/usr)# mailscanner --debug --debug-SA > > > In Debugging mode, not forking... > > > SpamAssassin temp dir = > > /var/spool/MailScanner/incoming/SpamAssassin-Temp > > > zsh: segmentation fault mailscanner --debug --debug-SA > > > > > > > > > > > > > > > > > > > ******************************************************************** > > ** > > Confidentiality : This e-mail and any attachments are intended for > > the > > addressee only and may be confidential. If they come to you in > error > > you must take no action based on them, nor must you copy or show > > them > > to anyone. Please advise the sender by replying to this e-mail > > immediately and then delete the original from your computer. > > Opinion : Any opinions expressed in this e-mail are entirely those > > of > > the author and unless specifically stated to the contrary, are not > > necessarily those of the author's employer. > > Security Warning : Internet e-mail is not necessarily a secure > > communications medium and can be subject to data corruption. We > > advise > > that you consider this fact when e-mailing us. > > Viruses : We have taken steps to ensure that this e-mail and any > > attachments are free from known viruses but in keeping with good > > computing practice, you should ensure that they are virus free. 
> > > > Red Lion 49 Ltd T/A Solid State Logic > > Registered as a limited company in England and Wales > > (Company No:5362730) > > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > > United Kingdom > > > ******************************************************************** > > ** > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/b5f28fb9/attachment-0001.html From cotharyus at gmail.com Thu Feb 7 18:43:09 2008 From: cotharyus at gmail.com (Drew) Date: Thu Feb 7 19:26:26 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: References: <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> Message-ID: <715841970802071043r4943c4dbmba6c4dbfbaeb46d8@mail.gmail.com> On Feb 7, 2008 11:08 AM, Martin.Hepworth wrote: > Drew > > Hmmmm > > What does "MailScanner -v" give ya??? 
> > > root@colossus(~)# mailscanner -v Running on FreeBSD colossus.cotharyus.net 6.3-STABLE FreeBSD 6.3-STABLE #3: Sun Feb 3 14:31:40 CST 2008 lauasanf@colossus.cotharyus.net:/usr/obj/usr/src/sys/Colossus i386 This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.64.3 Module versions are: 1.00 AnyDBM_File 1.23 Archive::Zip 1.04 Carp 1.119 Convert::BinHex 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.20 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.22 IO 1.13 IO::File 1.13 IO::Pipe 1.77 Mail::Header 1.87 Math::BigInt 3.07 MIME::Base64 5.425 MIME::Decoder 5.425 MIME::Decoder::UU 5.425 MIME::Head 5.425 MIME::Parser 3.07 MIME::QuotedPrint 5.425 MIME::Tools 0.11 Net::CIDR 1.09 POSIX 1.19 Scalar::Util 1.78 Socket 1.4 Sys::Hostname::Long 0.13 Sys::Syslog 1.9711 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.38 Archive::Tar 0.17 bignum missing Business::ISBN missing Business::ISBN::Data 0.17 Convert::TNEF missing Data::Dump 1.814 DB_File 1.14 DBD::SQLite 1.601 DBI 1.15 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 1.00 Encode::Detect 0.17009 Error 0.21 ExtUtils::CBuilder 2.18 ExtUtils::ParseXS missing Inline 1.08 IO::String 1.07 IO::Zlib 2.23 IP::Country missing Mail::ClamAV 3.002004 Mail::SpamAssassin v2.004 Mail::SPF 1.999001 Mail::SPF::Query 0.15 Math::BigRat 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.62 Net::DNS v0.003 Net::DNS::Resolver::Programmable missing Net::LDAP 4.007 NetAddr::IP missing Parse::RecDescent missing SAVI 3.07 Test::Harness missing Test::Manifest 1.95 Text::Balanced 1.35 URI 0.74 version 0.66 YAML > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Drew > > Sent: 07 February 2008 16:12 > > To: MailScanner discussion > > Subject: Re: Mailscanner segfaults on spamassassin lint test > > > > 
> > Everything was installed from ports except for MailWatch, which really doesn't play into this except that the lint test from Mailwatch is where the only informative error seems to be coming from.
> >
> > On Feb 7, 2008 10:05 AM, Martin.Hepworth wrote:
> >
> > Drew
> >
> > How did you install SA etc, I can't remember what you said on the freebsd list.
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > > Sent: 07 February 2008 10:35
> > > To: MailScanner discussion
> > > Subject: Re: Mailscanner segfaults on spamassassin lint test
> > >
> > > On Feb 7, 2008 3:39 AM, Martin.Hepworth wrote:
> > >
> > > Drew
> > >
> > > Nice to see you here...
> > >
> > > What happen when you..
> > >
> > > MailScanner --debug --debug-SA
> > >
> > > --
> > > Martin Hepworth
> > > Snr Systems Administrator
> > > Solid State Logic
> > > Tel: +44 (0)1865 842300
> > >
> > > > -----Original Message-----
> > > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew
> > > > Sent: 06 February 2008 23:18
> > > > To: mailscanner@lists.mailscanner.info
> > > > Subject: Mailscanner segfaults on spamassassin lint test
> > > >
> > > > Hello,
> > > > I'm trying to set up mailscanner on FreeBSD 6.2, and it segfaults when running lint on spamassassin.
> > > > Unfortunately, at this time the best (most informative) error I have is this, from the lint test through the mailwatch interface:
> > > >
> > > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol "PL_exit_flags"
> > > >
> > > > I'm posting this here on a recommendation I got from a FreeBSD list. I've taken the following steps so far:
> > > >
> > > > rebuilt perl and all perl modules.
> > > > made double sure all the right steps were taken after the perl upgrade.
> > > > rebuilt world
> > > >
> > > > Perl version is 5.8.8
> > > >
> > > > Thanks in advance for any assistance you folks can provide.
> > >
> > > Hi Martin,
> > >
> > > root@colossus(/usr)# mailscanner --debug --debug-SA
> > > In Debugging mode, not forking...
> > > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > > zsh: segmentation fault mailscanner --debug --debug-SA
> >

From gerard at seibercom.net Thu Feb 7 19:55:20 2008
From: gerard at seibercom.net (Gerard)
Date: Thu Feb 7 19:55:47 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
Message-ID: <20080207145520.712df002@scorpio>

On Thu, 7 Feb 2008 12:45:10 -0600 Drew wrote:

> On Feb 7, 2008 12:20 PM, Gerard wrote:
>
> > On Thu, 7 Feb 2008 10:11:42 -0600
> > Drew wrote:
> >
> > > Everything was installed from ports except for MailWatch, which
> > > really doesn't play into this except that the lint test from
> > > Mailwatch is where the only informative error seems to be coming
> > > from.
> >
> > And what would lead you to that conclusion?
>
> Mostly that this seems related to SA specifically, and as far as I
> know, other than some logging preferences in the mailscanner config,
> mailwatch doesn't have any real bearing on SA. Or have I deceived
> myself?

I don't use the program myself; however, I did find some information regarding it and FreeBSD.

http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes

http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes:startup_script

http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes:minor_fixes

Whether any of that will be of any help to you, I have no idea.

--
Gerard
gerard@seibercom.net

The Wright Brothers weren't the first to fly.
They were just the first not to crash.

From glenn.steen at gmail.com Thu Feb 7 20:52:10 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 20:52:21 2008
Subject: [ot] internal ip address
In-Reply-To: <47AB2D43.9020700@evi-inc.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> <47AB2D43.9020700@evi-inc.com>
Message-ID: <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>

On 07/02/2008, Matt Kettler wrote:

> Glenn Steen wrote:
> > For the
> > vast majority of organizations, this is a very minor threat, not worth
> > breaking RFC...
>
> Like.. gmail?

:-)

> Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14
>
> Actually, AFAIK, that doesn't actually violate the RFCs.. you MUST add a
> Received: header, but I don't see anything in 2821/2822/1123 requiring you to
> add a from clause.

Ah, but the "breakage" is in _removing_ a Received line added by another SMTP server, be that internal or not...
Hm, maybe I'm an idiot, and the original question was just about the Received line added by the MS gw... Sigh. Just goes to show one shouldn't try to do more than three things simultaneously (I got my new DB servers today, or rather the storage and racks... as a surprise "here we are, four workdays early.... Where should we put them?" kind of thing, on a busy day...). Sorry, might've been me typing without much afterthought.

> > I'm not saying you're wrong, just that it is ... really minor...
> > compared to a lot of other email-related threats:-)... Yes, you can
> > counter with "your generalization is bigger than mine"... I know I do
> > it too...:-)
> >
> > On the whole, I see very little _real possibility_ of damages from this.
> > It is a leakage, yes.... but negligible in most cases. that's MHO at least:-).
>
> I would agree in most cases it is very minor or negligible. I never said this
> applied to most, or even very many people.

See above, me reading too fast:-). I tend to react to "security by obscurity" or "the auditor said this is bad for everyone" kind of arguments, where one hasn't done any form of risk assessment... so that was probably what got me going:-).

> My only point was the "if it's unroutable, you can't hack it" argument isn't a
> very complete view of network security.

Quite true. As usual, I find we're in violent agreement (of a sorts:-). I truly value your comments.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From cotharyus at gmail.com Thu Feb 7 21:03:01 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 21:03:10 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <20080207145520.712df002@scorpio>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <20080207145520.712df002@scorpio>
Message-ID: <715841970802071303t2df0cd65h16d270f4ab225857@mail.gmail.com>

Gerard,

I've read all of that. For what it's worth, I've had MailScanner/Postfix/Mailwatch running on FreeBSD previously, and not had problems. I've gone through and double checked a few config options, and installed all the missing perl modules from the mailscanner -v that it was requested I run - the only one that I didn't install was SAVI because that's directly related to Sophos which I don't have, and don't intend to use.

On Feb 7, 2008 1:55 PM, Gerard wrote:

> On Thu, 7 Feb 2008 12:45:10 -0600
> Drew wrote:
>
> > On Feb 7, 2008 12:20 PM, Gerard wrote:
> >
> > > On Thu, 7 Feb 2008 10:11:42 -0600
> > > Drew wrote:
> > >
> > > > Everything was installed from ports except for MailWatch, which
> > > > really doesn't play into this except that the lint test from
> > > > Mailwatch is where the only informative error seems to be coming
> > > > from.
> > >
> > > And what would lead you to that conclusion?
> >
> > Mostly that this seems related to SA specifically, and as far as I
> > know, other than some logging preferences in the mailscanner config,
> > mailwatch doesn't have any real bearing on SA. Or have I deceived
> > myself?
>
> I don't use the program myself; however, I did find some information
> regarding it and FreeBSD.
>
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes
>
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes:startup_script
>
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:freebsd_notes:minor_fixes
>
> Whether any of that will be of any help to you, I have no idea.
>
> --
>
> Gerard
> gerard@seibercom.net
>
> The Wright Brothers weren't the first to fly.
> They were just the first not to crash.

From mkettler at evi-inc.com Thu Feb 7 21:13:17 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Feb 7 21:13:46 2008
Subject: [ot] internal ip address
In-Reply-To: <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> <47AB2D43.9020700@evi-inc.com> <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>
Message-ID: <47AB746D.1030504@evi-inc.com>

Glenn Steen wrote:
> On 07/02/2008, Matt Kettler wrote:
>> Glenn Steen wrote:
>>> For the
>>> vast majority of organizations, this is a very minor threat, not worth
>>> breaking RFC...
>> Like.. gmail?
> :-)
>
>> Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14
>>
>> Actually, AFAIK, that doesn't actually violate the RFCs..
>> you MUST add a
>> Received: header, but I don't see anything in 2821/2822/1123 requiring you to
>> add a from clause.
> Ah, but the "breakage" is in _removing_ a Received line added by
> another SMTP server, be that internal or not...

True, but to achieve the goal of the origination of this thread, you don't need to remove a Received line.. You just need to generate one without a "from" clause.

> Hm, maybe I'm an
> idiot, and the original question was just about the Received line
> added by the MS gw...

You're not an idiot, just lost in the noise of the thread.

The header from the original post is:
_______________________________________
Received: from [10.0.0.175] (pc1 [10.0.0.175]) by smtp.vvv.net (Postfix) with ESMTP id 6EBF7A75C7 for ; Tue, 5 Feb 2008 14:16:09 +0100 (CET)
_______________________________________

Which you could, in theory, sanitize by not generating a from clause at smtp.vvv.net.

From glenn.steen at gmail.com Thu Feb 7 22:20:50 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 7 22:21:00 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
Message-ID: <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com>

On 07/02/2008, Drew wrote:
>
> On Feb 7, 2008 12:20 PM, Gerard wrote:
> >
> > On Thu, 7 Feb 2008 10:11:42 -0600
> > Drew wrote:
> >
> > > Everything was installed from ports except for MailWatch, which really
> > > doesn't play into this except that the lint test from Mailwatch is
> > > where the only informative error seems to be coming from.
> >
> > And what would lead you to that conclusion?
>
> Mostly that this seems related to SA specifically, and as far as I know,
> other than some logging preferences in the mailscanner config, mailwatch
> doesn't have any real bearing on SA. Or have I deceived myself?
>

Apart from you running SA as your apache user when you see the error....

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From v at vladville.com Thu Feb 7 22:21:59 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 22:22:09 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AB43F5.9030004@sendit.nodak.edu>
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

Nope, still gets processed by MailScanner:

Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in SBL+XBL
Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for message m17M9lxS016045
Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from 75.63.44.11( ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, URIBL_WS_SURBL 2.10)

Notice that it still passes it through SpamAssassin. I have the following in my MailScanner.conf:

Spam List = SBL+XBL
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 1

-Vlad

On 2/7/08, Richard Frovarp wrote:
>
> Vlad Mazek wrote:
> > So how does a message that gets hit by Spam Lists To Be Spam bypass
> > spamassassin checks in MailScanner?
> >
> > -Vlad
> If spam and high scoring spam have the same actions, I think it will
> bypass.
> Or if you just set it to be high scoring spam, it will take that
> action.

--
-Vlad

From cotharyus at gmail.com Thu Feb 7 22:33:20 2008
From: cotharyus at gmail.com (Drew)
Date: Thu Feb 7 22:33:31 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com>
Message-ID: <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com>

Glen,

Point taken. However it's worked for me before. Does this help any?

root@colossus()# spamassassin -D --lint
/var/db/spamassassin/3.002004/updates_spamassassin_org/25_razor2.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf" for included file [10051] dbg: config: read file 
/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf" for included file [10051] dbg: config: read file 
/var/db/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dkim.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dkim.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dkim.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_spf.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_spf.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_spf.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_subject.cf [10051] dbg: config: using 
"/var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_subject.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_subject.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/72_active.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/72_active.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/72_active.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf [10051] dbg: config: fixed relative path: /var/db/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf [10051] dbg: config: using "/var/db/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf" for included file [10051] dbg: config: read file /var/db/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf [10051] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA [10051] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E [10051] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05 [10051] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 [10051] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA 
[10051] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: HS_SUBJ_NEW_SOFTWARE [10051] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI [10051] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A [10051] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 [10051] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0 [10051] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6 [10051] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7 [10051] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 [10051] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E [10051] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 [10051] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI [10051] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B [10051] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING [10051] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E [10051] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 [10051] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 [10051] dbg: conf: finish parsing [10051] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x92aefe4) implements 'finish_parsing_end', priority 0 [10051] dbg: replacetags: replacing tags [10051] dbg: replacetags: done replacing tags [10051] dbg: bayes: no dbs present, cannot tie DB 
R/O: /usr/local/etc/MailScanner/bayes/bayes_toks [10051] dbg: config: score set 0 chosen. [10051] dbg: message: main message type: text/plain [10051] dbg: message: ---- MIME PARSER START ---- [10051] dbg: message: parsing normal part [10051] dbg: message: ---- MIME PARSER END ---- [10051] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x9432ea4) implements 'check_start', priority 0 [10051] dbg: bayes: no dbs present, cannot tie DB R/O: /usr/local/etc/MailScanner/bayes/bayes_toks [10051] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x93feb8c) implements 'check_main', priority 0 [10051] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually [10051] dbg: metadata: X-Spam-Relays-Trusted: [10051] dbg: metadata: X-Spam-Relays-Untrusted: [10051] dbg: metadata: X-Spam-Relays-Internal: [10051] dbg: metadata: X-Spam-Relays-External: [10051] dbg: message: no encoding detected [10051] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x91feaa4) implements 'parsed_metadata', priority 0 [10051] dbg: dns: is DNS available? 
0 [10051] dbg: rules: local tests only, ignoring RBL eval [10051] dbg: check: running tests for priority: -1000 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [10051] dbg: eval: all '*To' addrs: [10051] dbg: rules: running body tests; score so far=0 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=0 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=0 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=0 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=0 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: -950 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=0 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=0 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=0 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=0 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=0 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: -900 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=0 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=0 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=0 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=0 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; 
score so far=0 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: -400 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=0 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=0 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=0 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=0 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=0 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: 0 [10051] dbg: rules: running head tests; score so far=0 [10051] dbg: rules: compiled head tests [10051] dbg: rules: ran header rule __MISSING_REF ======> got hit: "UNSET" [10051] dbg: rules: ran header rule __MSOE_MID_WRONG_CASE ======> got hit: " [10051] dbg: rules: Message-Id: " [10051] dbg: rules: ran header rule MISSING_DATE ======> got hit: "UNSET" [10051] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [10051] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1202423398" [10051] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [10051] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "< 1202423398@lint_rules> [10051] dbg: rules: " [10051] dbg: spf: checking to see if the message has a Received-SPF header that we can use [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: rules: ran eval rule NO_RELAYS ======> got hit (1) [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: cannot get 
Envelope-From, cannot use SPF [10051] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [10051] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit (1) [10051] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit (1) [10051] dbg: spf: spf_whitelist_from: could not find useable envelope sender [10051] dbg: rules: running body tests; score so far=1.899 [10051] dbg: rules: compiled body tests [10051] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [10051] dbg: rules: running uri tests; score so far=1.899 [10051] dbg: rules: compiled uri tests [10051] dbg: eval: stock info total: 0 [10051] dbg: rules: running rawbody tests; score so far=1.899 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: ran rawbody rule __TVD_BODY ======> got hit: "need" [10051] dbg: rules: running full tests; score so far=1.899 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=1.899 [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: 500 [10051] dbg: dns: harvest_dnsbl_queries [10051] dbg: rules: running head tests; score so far=1.899 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=1.899 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=1.899 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=1.899 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=1.899 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=1.899 [10051] dbg: rules: meta test DIGEST_MULTIPLE has undefined 
dependency 'DCC_CHECK' [10051] dbg: rules: compiled meta tests [10051] dbg: check: running tests for priority: 1000 [10051] dbg: rules: running head tests; score so far=4.205 [10051] dbg: rules: compiled head tests [10051] dbg: rules: running body tests; score so far=4.205 [10051] dbg: rules: compiled body tests [10051] dbg: rules: running uri tests; score so far=4.205 [10051] dbg: rules: compiled uri tests [10051] dbg: rules: running rawbody tests; score so far=4.205 [10051] dbg: rules: compiled rawbody tests [10051] dbg: rules: running full tests; score so far=4.205 [10051] dbg: rules: compiled full tests [10051] dbg: rules: running meta tests; score so far=4.205 [10051] dbg: rules: compiled meta tests [10051] dbg: check: is spam? score=4.205 required=5 [10051] dbg: check: tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS [10051] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__TVD_BODY,__UNUSABLE_MSGID On Feb 7, 2008 4:20 PM, Glenn Steen wrote: > On 07/02/2008, Drew wrote: > > > > > > On Feb 7, 2008 12:20 PM, Gerard wrote: > > > > > > On Thu, 7 Feb 2008 10:11:42 -0600 > > > Drew wrote: > > > > > > > Everything was installed from ports except for MailWatch, which > really > > > > doesn't play into this except that the lint test from Mailwatch is > > > > where the only informative error seems to be coming from. > > > > > > And what would lead you to that conclusion? > > > > > > > > > > Mostly that this seems related to SA specifically, and as far as I know, > > other than some logging preferences in the mailscanner config, mailwatch > > doesn't have any real bearing on SA. Or have I deceived myself? > > > Apart from you running SA as your apache userwhen you see the error.... 
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/14a26ec1/attachment-0001.html

From Jeff.Mills at versacold.com.au Thu Feb 7 22:34:23 2008
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Thu Feb 7 22:35:12 2008
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca><47AB3451.2060500@sendit.nodak.edu><47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vlad Mazek
Sent: Friday, 8 February 2008 9:22 AM
To: MailScanner discussion
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL

Nope, still gets processed by MailScanner:

Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in SBL+XBL
Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for message m17M9lxS016045
Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from MailScanner warning: numerical links are often malicious: 75.63.44.11 (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, URIBL_WS_SURBL 2.10)

Notice that it still passes it through SpamAssassin.

I have the following in my MailScanner.conf:

Spam List = SBL+XBL
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 1

-Vlad

Can you not put the RBLs at MTA level?

From v at vladville.com Thu Feb 7 22:39:08 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 22:39:17 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

My bad, that should have read "still gets processed by SpamAssassin"

I'm basically searching for a way to eliminate additional lookups and overhead of processing the message through SpamAssassin if MailScanner already locates it on an RBL. I still have a requirement to keep the message in case someone needs to retrieve it, but I don't want to pay for the SpamAssassin overhead of processing that message if it's already on an RBL.

-Vlad

On 2/7/08, Vlad Mazek wrote:
>
> Nope, still gets processed by MailScanner:
>
> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in
> SBL+XBL
> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for
> message m17M9lxS016045
> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from
> 75.63.44.11 (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL,
> SpamAssassin (cached, score=23.378, required 5, autolearn=disabled,
> RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
> RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET
> 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72,
> URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL
> 2.52, URIBL_WS_SURBL 2.10)
>
> Notice that it still passes it through SpamAssassin.
>
> I have the following in my MailScanner.conf:
>
> Spam List = SBL+XBL
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 1
>
> -Vlad
>
> On 2/7/08, Richard Frovarp wrote:
> >
> > Vlad Mazek wrote:
> > > So how does a message that gets hit by Spam Lists To Be Spam bypass
> > > spamassassin checks in MailScanner?
> > >
> > > -Vlad**
> > *If spam and high scoring spam have the same actions, I think it will
> > bypass. Or if you just set it to be high scoring spam, it will take that
> > action.*
> >
>
>
>
> --
>
> -Vlad

--
-Vlad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/0c34b321/attachment.html

From mkettler at evi-inc.com Thu Feb 7 22:44:16 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Feb 7 22:44:49 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID: <47AB89C0.2000804@evi-inc.com>

Vlad Mazek wrote:
> Nope, still gets processed by MailScanner:
>
> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in
> SBL+XBL
> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for
> message m17M9lxS016045
> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from
> 75.63.44.11 (ka@creativeholidays.com.au) to rmel.org is
> spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5,
> autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50,
> RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
> RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90,
> STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96,
> URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52,
> URIBL_WS_SURBL 2.10)
>
> Notice that it still passes it through SpamAssassin.
>
> I have the following in my MailScanner.conf:
>
> Spam List = SBL+XBL
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 1
>
> -Vlad
>

Do you have:
Always Include SpamAssassin Report = yes

There's always been a bit of a double-edged sword on this setting. IIRC, this setting forces MailScanner to *ALWAYS* scan with SA, so it can always include a report.

Of course, most folks that turn this on do so because they want the SA report to always be included whenever it's generated, and not left off of nonspam. But MailScanner takes this option pretty literally from what I remember.

Makes me wish there were two separate options:

"Always scan with SpamAssassin"
"Include SpamAssassin Report In NonSpam".

From shuttlebox at gmail.com Thu Feb 7 22:46:55 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Feb 7 22:47:05 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID: <625385e30802071446h1e843b96v87a3974a8766aadd@mail.gmail.com>

On Feb 7, 2008 11:21 PM, Vlad Mazek wrote:
> Nope, still gets processed by MailScanner:
>
> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in
> SBL+XBL
> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for
> message m17M9lxS016045
> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from 75.63.44.11
> (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, SpamAssassin
> (cached, score=23.378, required 5, autolearn=disabled,
> RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
> RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET
> 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72,
> URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL
> 2.52, URIBL_WS_SURBL 2.10)
>
> Notice that it still passes it through SpamAssassin.

What do you have on?

Log Spam
Detailed Spam Report
Always Include SpamAssassin Report

Those options may force SA to be run. Test with different settings on them.

--
/peter

From ssilva at sgvwater.com Thu Feb 7 23:21:16 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 7 23:21:25 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AB89C0.2000804@evi-inc.com>
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47AB89C0.2000804@evi-inc.com>
Message-ID:

on 2/7/2008 2:44 PM Matt Kettler spake the following:
> Vlad Mazek wrote:
>> Nope, still gets processed by MailScanner:
>>
>> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found
>> in SBL+XBL
>> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit
>> for message m17M9lxS016045
>> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from
>> 75.63.44.11 (ka@creativeholidays.com.au) to rmel.org is
>> spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5,
>> autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50,
>> RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
>> RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90,
>> STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96,
>> URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52,
>> URIBL_WS_SURBL 2.10)
>>
>> Notice that it still passes it through SpamAssassin.
>>
>> I have the following in my MailScanner.conf:
>>
>> Spam List = SBL+XBL
>> Spam Lists To Be Spam = 1
>> Spam Lists To Reach High Score = 1
>>
>> -Vlad
>>
>
> Do you have:
> Always Include SpamAssassin Report = yes
>
> There's always been a bit of a double-edged sword on this setting. IIRC,
> this setting forces MailScanner to *ALWAYS* scan with SA, so it can
> always include a report.
>
> Of course, most folks that turn this on do so because they want the SA
> report to always be included whenever it's generated, and not left off of
> nonspam. But MailScanner takes this option pretty literally from what I
> remember.
>
>
> Makes me wish there were two separate options:
>
> "Always scan with SpamAssassin"
> "Include SpamAssassin Report In NonSpam".
>
Or at least "Never hide spamassassin report"

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/056b4f95/signature.bin

From v at vladville.com Thu Feb 7 23:51:44 2008
From: v at vladville.com (Vlad Mazek)
Date: Thu Feb 7 23:51:54 2008
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

Someone already recommended that; No, putting the RBLs at the MTA would reject the message, I still need to be able to store it in case someone wants to retrieve a false positive.

Also, putting RBLs on the MTA eliminates any whitelisting that would be provided by MailScanner.
-Vlad On 2/7/08, Jeff Mills wrote: > > > > > ________________________________ > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vlad > Mazek > Sent: Friday, 8 February 2008 9:22 AM > To: MailScanner discussion > Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an > RBL > > > Nope, still gets processed by MailScanner: > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 > found in SBL+XBL > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache > hit for message m17M9lxS016045 > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > MailScanner warning: numerical links are often malicious: 75.63.44.11 > (ka@creativeholidays.com.au) to rmel.org is spam, > SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > URIBL_WS_SURBL 2.10) > > Notice that it still passes it through SpamAssassin. > > I have the the following in my MailScanner.conf: > > Spam List = SBL+XBL > Spam Lists To Be Spam = 1 > Spam Lists To Reach High Score = 1 > > -Vlad > > > Can you not put the RBLs at MTA level? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/90874acd/attachment.html From v at vladville.com Thu Feb 7 23:56:19 2008 From: v at vladville.com (Vlad Mazek) Date: Thu Feb 7 23:56:29 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: <625385e30802071446h1e843b96v87a3974a8766aadd@mail.gmail.com> References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <625385e30802071446h1e843b96v87a3974a8766aadd@mail.gmail.com> Message-ID: Always Include SpamAssassin Report = no Log Spam = yes Detailed Spam Report = yes I'll flip the "Log Spam" to off and see if it makes a difference. The Always Include SpamAssassin Report is set to no though, I remember a discussion on here about it Matt. I have now flipped all three to no, let's see what it does... -Vlad On 2/7/08, shuttlebox wrote: > > On Feb 7, 2008 11:21 PM, Vlad Mazek wrote: > > Nope, still gets processed by MailScanner: > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found in > > SBL+XBL > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit for > > message m17M9lxS016045 > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > 75.63.44.11 > > (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, SpamAssassin > > (cached, score=23.378, required 5, autolearn=disabled, > > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, > > RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, > RCVD_IN_BL_SPAMCOP_NET > > 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, > > URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, > URIBL_SC_SURBL > > 2.52, URIBL_WS_SURBL 2.10) > > > > Notice that it still passes it through SpamAssassin. > > What do have on? > > Log Spam > Detailed Spam Report > Always Include SpamAssassin Report > > Those options may force SA to be run. Test with different settings on > them. 
> > -- > /peter > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/d72ba98b/attachment.html From v at vladville.com Fri Feb 8 00:08:26 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 00:08:36 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <625385e30802071446h1e843b96v87a3974a8766aadd@mail.gmail.com> Message-ID: Ok, with the following: Always Include SpamAssassin Report = no Detailed Spam Report = no Log Spam = yes .. MailScanner still passes it to SA. With Log Spam set to yes I can't tell if its running SA on every message or not but with debug on it sure seems like its passing it through SA.. -Vlad On 2/7/08, Vlad Mazek wrote: > > Always Include SpamAssassin Report = no > Log Spam = yes > Detailed Spam Report = yes > > I'll flip the "Log Spam" to off and see if it makes a difference. > > The Always Include SpamAssassin Report is set to no though, I remember a > discussion on here about it Matt. > > I have now flipped all three to no, let's see what it does... 
> > -Vlad > > > On 2/7/08, shuttlebox wrote: > > > > On Feb 7, 2008 11:21 PM, Vlad Mazek wrote: > > > Nope, still gets processed by MailScanner: > > > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > in > > > SBL+XBL > > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > for > > > message m17M9lxS016045 > > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > 75.63.44.11 > > > (ka@creativeholidays.com.au) to rmel.org is spam, SBL+XBL, > > SpamAssassin > > > (cached, score=23.378, required 5, autolearn=disabled, > > > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, > > > RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, > > RCVD_IN_BL_SPAMCOP_NET > > > 2.19, RCVD_IN_XBL 2.90, STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, > > > URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, > > URIBL_SC_SURBL > > > 2.52, URIBL_WS_SURBL 2.10) > > > > > > Notice that it still passes it through SpamAssassin. > > > > What do have on? > > > > Log Spam > > Detailed Spam Report > > Always Include SpamAssassin Report > > > > Those options may force SA to be run. Test with different settings on > > them. > > > > -- > > /peter > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > -- > > -Vlad -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/af5cc809/attachment.html From ssilva at sgvwater.com Fri Feb 8 00:14:30 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 8 00:14:34 2008 Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> Message-ID: on 2/7/2008 3:51 PM Vlad Mazek spake the following: > Someone already recommend that; No, putting the RBLs at the MTA would > reject the message, I still need to be able to store it in case someone > wants to retrieve false positive. > > Also, putting RBL's on the MTA eliminates any whitelisting that would be > provided by MailScanner. > True. But nothing gets a mail administrator off his a$$ to fix his systems better than all his mail getting rejected during the initial smtp phase! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 187 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/a5610baa/signature.bin From v at vladville.com Fri Feb 8 01:40:37 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 01:40:46 2008 Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> Message-ID: Doesn't work like that in the business world... Remote Sender: I sent you the email. Internal Recipient: We didn't get the email. Five minutes later, IT is getting chewed out for blocking customers emails that almost always involve a $10 million dollar transaction for a company that doesn't have any extra room in the budget to beef up the security........ 
-Vlad On 2/7/08, Scott Silva wrote: > > True. But nothing gets a mail administrator off his a$$ to fix his systems > better than all his mail getting rejected during the initial smtp phase! > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/88bb3856/attachment.html From gmane at tippingmar.com Fri Feb 8 02:18:53 2008 From: gmane at tippingmar.com (Mark Nienberg) Date: Fri Feb 8 02:19:10 2008 Subject: Definite Fraud? In-Reply-To: <47AA1531.4040205@sequestered.net> References: <47AA1531.4040205@sequestered.net> Message-ID: Jay Chandler wrote: > I'm sure this has been rehashed before, but... > > > *MailScanner has detected definite fraud in the website at > "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah > > > > Obviously it's detecting the 301 redirect, but that doesn't necessarily > bespeak fraud. There are a lot of non-fraudulent things that it could > be, ranging from shock pictures to Rick Rolls to inredibly long URLs. > > Has anyone discussed changing the wording here? > The wording is correct. This is the message that is displayed when a url is found in the list /etc/MailScanner/phishing.bad.sites.conf. These are known phishing sites. This is different from the case where a link target and text do not match, which is described as a "possible" fraud. That said, it is a little strange that tinyurl.com is listed in phishing.bad.sites.conf, but it is. 
Mark

From Richard.Frovarp at sendit.nodak.edu Fri Feb 8 03:07:58 2008
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Fri Feb 8 03:08:21 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID: <47ABC78E.90503@sendit.nodak.edu>

Vlad Mazek wrote:
> Nope, still gets processed by MailScanner:
>
> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found
> in SBL+XBL
> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit
> for message m17M9lxS016045
> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from
> *MailScanner warning: numerical links are often malicious:*
> 75.63.44.11 (ka@creativeholidays.com.au
> ) to rmel.org is
> spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5,
> autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50,
> RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
> RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90,
> STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96,
> URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52,
> URIBL_WS_SURBL 2.10)
>
> Notice that it still passes it through SpamAssassin.
>
> I have the following in my MailScanner.conf:
>
> Spam List = SBL+XBL
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 1
>
> -Vlad

Actually, that one didn't get passed through SpamAssassin. It hit the
cache. Not sure how that is handled differently.

What version of MailScanner? What are your High Scoring Spam Actions?

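The distinction raised in the reply above, a verdict marked "cached" versus one marked "not cached", can be checked across a whole log rather than one message at a time. The following is an added example, not part of the original thread and not MailScanner code: the function names are assumptions, and the sample lines are constructed on the pattern of the log lines quoted in this thread.

```python
import re

# Constructed sample lines, modelled on the log format quoted in this thread.
# Message ids, hosts and addresses are made up (documentation ranges/domains).
SAMPLE_LOG = """\
Feb  7 17:18:45 MailScanner[18224]: RBL checks: m17AAAAA000001 found in SBL+XBL
Feb  7 17:18:46 mx1 MailScanner[18224]: SpamAssassin cache hit for message m17AAAAA000001
Feb  7 17:18:46 MailScanner[18224]: Message m17AAAAA000001 from 192.0.2.11 (a@example.com) to example.org is spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, autolearn=disabled, RCVD_IN_XBL 2.90, URIBL_BLACK 1.96)
Feb  8 07:31:55 mx1 MailScanner[16681]: RBL checks: m18BBBBB000002 found in SBL+XBL
Feb  8 07:31:56 mx1 MailScanner[16681]: Message m18BBBBB000002 from 192.0.2.23 (b@example.com) to example.net is spam, SBL+XBL, SpamAssassin (not cached, score= 27.932, required 5, autolearn=disabled, RCVD_IN_XBL 2.90)
Feb  8 07:32:10 mx1 MailScanner[16681]: Message m18CCCCC000003 from 192.0.2.40 (c@example.com) to example.net is spam, SpamAssassin (not cached, score=6.1, required 5, BAYES_99 3.50)
Feb  8 07:32:30 mx1 MailScanner[16681]: RBL checks: m18DDDDD000004 found in SBL+XBL
"""

# The syslog hostname is optional in the quoted lines, so anchor on the tag.
RBL_RE = re.compile(r"MailScanner\[\d+\]: RBL checks: (\S+) found in (\S+)")
CACHE_HIT_RE = re.compile(
    r"MailScanner\[\d+\]: SpamAssassin cache hit for message (\S+)"
)
# "score=" may be followed by a space where the line was wrapped.
VERDICT_RE = re.compile(
    r"MailScanner\[\d+\]: Message (\S+) from (\S+) .*?"
    r"SpamAssassin \((cached|not cached), score=\s*(-?[\d.]+), required (-?[\d.]+)"
)


def parse_log(text):
    """Return {message_id: record} built from MailScanner syslog lines."""
    records = {}

    def rec(msg_id):
        return records.setdefault(
            msg_id,
            {"rbl": [], "cache_hit_logged": False, "sa": None,
             "score": None, "client": None},
        )

    for line in text.splitlines():
        m = RBL_RE.search(line)
        if m:
            # "SBL+XBL" is one list name in the thread's "Spam List" setting,
            # so it is stored whole rather than split on "+".
            rec(m.group(1))["rbl"].append(m.group(2))
            continue
        m = CACHE_HIT_RE.search(line)
        if m:
            rec(m.group(1))["cache_hit_logged"] = True
            continue
        m = VERDICT_RE.search(line)
        if m:
            r = rec(m.group(1))
            r["client"] = m.group(2)
            r["sa"] = m.group(3)          # "cached" or "not cached"
            r["score"] = float(m.group(4))
    return records


def rbl_listed_fresh_scans(records):
    """Ids of RBL-listed messages whose SpamAssassin result was not cached."""
    return sorted(
        i for i, r in records.items() if r["rbl"] and r["sa"] == "not cached"
    )


def summarize(records):
    """Count messages by RBL status and by how the SpamAssassin result arose."""
    counts = {"rbl_fresh_scan": 0, "rbl_cached_result": 0,
              "rbl_no_sa_logged": 0, "not_on_rbl": 0}
    for r in records.values():
        if not r["rbl"]:
            counts["not_on_rbl"] += 1
        elif r["sa"] == "not cached":
            counts["rbl_fresh_scan"] += 1
        elif r["sa"] == "cached":
            counts["rbl_cached_result"] += 1
        else:
            counts["rbl_no_sa_logged"] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("RBL-listed but scanned afresh:", rbl_listed_fresh_scans(recs))
    print(summarize(recs))
```

When testing a configuration change, the count to watch is `rbl_fresh_scan`; messages counted under `rbl_cached_result` reused a stored result.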
From Richard.Frovarp at sendit.nodak.edu Fri Feb 8 03:09:01 2008
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Fri Feb 8 03:09:18 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu>
Message-ID: <47ABC7CD.5000505@sendit.nodak.edu>

Vlad Mazek wrote:
> Nope, still gets processed by MailScanner:
>
> Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found
> in SBL+XBL
> Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit
> for message m17M9lxS016045
> Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from
> *MailScanner warning: numerical links are often malicious:*
> 75.63.44.11 (ka@creativeholidays.com.au
> ) to rmel.org is
> spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5,
> autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50,
> RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
> RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90,
> STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96,
> URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52,
> URIBL_WS_SURBL 2.10)
>
> Notice that it still passes it through SpamAssassin.
>
> I have the following in my MailScanner.conf:
>
> Spam List = SBL+XBL
> Spam Lists To Be Spam = 1
> Spam Lists To Reach High Score = 1
>
> -Vlad

Try:
Spam Lists To Be Spam = 0

From v at vladville.com Fri Feb 8 04:09:13 2008
From: v at vladville.com (Vlad Mazek)
Date: Fri Feb 8 04:15:58 2008
Subject: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47ABC7CD.5000505@sendit.nodak.edu>
References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC7CD.5000505@sendit.nodak.edu>
Message-ID:

Tried that earlier today, no difference in behavior. MailScanner finds it on SBL+XBL but proceeds to put it through SA anyhow.
-Vlad On 2/7/08, Richard Frovarp wrote: > > Vlad Mazek wrote: > > Nope, still gets processed by MailScanner: > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > in SBL+XBL > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > for message m17M9lxS016045 > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > *MailScanner warning: numerical links are often malicious:* > > 75.63.44.11 (ka@creativeholidays.com.au > > ) to rmel.org is > > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > > URIBL_WS_SURBL 2.10) > > > > Notice that it still passes it through SpamAssassin. > > > > I have the the following in my MailScanner.conf: > > > > Spam List = SBL+XBL > > Spam Lists To Be Spam = 1 > > Spam Lists To Reach High Score = 1 > > > > -Vlad > > Try: > Spam Lists To Be Spam = 0 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080207/228df152/attachment.html From ugob at lubik.ca Fri Feb 8 04:04:56 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Fri Feb 8 05:05:22 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> Message-ID: Drew wrote: > Glen, > Point taken. However it's worked for me before. Does this help any? > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > /usr/local/etc/MailScanner/bayes/bayes_toks > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > /usr/local/etc/MailScanner/bayes/bayes_toks Looks like there is a problem bayes. Permissions? From hvdkooij at vanderkooij.org Fri Feb 8 05:48:21 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Feb 8 05:49:02 2008 Subject: Definite Fraud? In-Reply-To: References: <47AA1531.4040205@sequestered.net> Message-ID: <47ABED25.1060704@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark Nienberg wrote: | Jay Chandler wrote: |> I'm sure this has been rehashed before, but... |> |> *MailScanner has detected definite fraud in the website at |> "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah |> |> |> Obviously it's detecting the 301 redirect, but that doesn't |> necessarily bespeak fraud. There are a lot of non-fraudulent things |> that it could be, ranging from shock pictures to Rick Rolls to |> inredibly long URLs. |> |> Has anyone discussed changing the wording here? | | The wording is correct. 
This is the message that is displayed when a | url is found in the list /etc/MailScanner/phishing.bad.sites.conf. | | These are known phishing sites. This is different from the case where a | link target and text do not match, which is described as a "possible" | fraud. | | That said, it is a little strange that tinyurl.com is listed in | phishing.bad.sites.conf, but it is. These things can point everywhere. So they should be approached with caution. But the classification should be greyish instead of pitch black. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHq+0jBvzDRVjxmYERAuuKAJ4rgwhzlyLtZDUMGkUB/BFTgN3oJQCeMJA8 uLEE8e3BbPi68iE0feIKp98= =2nOb -----END PGP SIGNATURE----- From glenn.steen at gmail.com Fri Feb 8 11:27:57 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 11:28:07 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> Message-ID: <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> On 08/02/2008, Ugo Bellavance wrote: > Drew wrote: > > Glen, > > Point taken. However it's worked for me before. Does this help any? 
> > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > > /usr/local/etc/MailScanner/bayes/bayes_toks > > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > > /usr/local/etc/MailScanner/bayes/bayes_toks > > Looks like there is a problem bayes. Permissions? > Yes, and it tells us that when run like that (what user?) it doesn't bomb... So, could you redo the debug run as your postfix user and as your apache user? I'm thinking perm problems here:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 11:38:29 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 11:38:41 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <47AB262E.6070808@alunys.com> References: <47AB262E.6070808@alunys.com> Message-ID: <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> On 07/02/2008, Cedric Devillers wrote: > Hello, > > I'm trying to revive this thread from the last month because we are > observing the exact same behavior on one of our servers. Thanks for doing that, and for providing some more info. > So to remember the facts : > > - We are using mailscanner with postfix, and duplicated messages are > generated by mailscanner. > > - This system is the only one where we are observing this behavior. It > have a little particularity : it mainly act as a mail relay, but > sometimes many mails are generated by the server itself (a script) and > injected in postfix queues via sendmail command. We can always reproduce > some duplicated messages with this script. > > - MailScanner is configured (by ruleset) to bypass scanning for thoses > messages, but they are still entering the mailscanner logic (postix -> > hold queue -> mailscanner (no scan) -> active queue). What does the ruleset look like? I'm sure it doesn't matter, but ... just out of curiosity:-)... 
> - Mailwatch is running on this server, and for each duplicates we see > entries with null size body (2, 3, 4, sometimes 5) then at last a final > entry with the full body. Note that the recipient see the full body on > every duplicate. > > It looks like a locking problem, because all duplicates are with the > same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > lock some queue file when message is marked not to be scanned by > mailscanner ? Yes, this seems plausible... Could you provide some log examples? Just to see that it really is separate children reading the same queue file... > I will not be very helpfull to debug perl code, but i can provide any > needed logs to help finding the origin of the problem. I'll see what I can do, but... I think this isn't "my" code snippets, but a thing that might have been present for a while... And I have a serious lack of time to spend on this ATM (worse than last time, before Xmas)... So no promises:-). > This is really a serious problem in this particular installation. But i > must say that we have dozens of other servers that are running > mailscanner/postfix, and we are very happy about thems :) Does it help if you DO scan with MS, but skip things at the next level, for example: Scan Messages = yes Use SpamAssassin = no Dangerous Content Scanning = no ... and possibly a few more (do them with a ruleset, of course:-)? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gugafer51 at gmail.com Fri Feb 8 12:04:13 2008 From: gugafer51 at gmail.com (Gustavo FC) Date: Fri Feb 8 12:04:24 2008 Subject: User's notifications. 
In-Reply-To: <47A1DA7E.1060905@ecs.soton.ac.uk> References: <73e0f9580801310558q458594b1p1f3c74bb7c8d6b96@mail.gmail.com> <47A1DA7E.1060905@ecs.soton.ac.uk> Message-ID: <73e0f9580802080404n7e1c6f15md9ac059ce17cbdc7@mail.gmail.com> They receive the content written in MAILSCANNER_HOME/reports/en/stored.content.message.txt. 2008/1/31, Julian Field : > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > But are they receiving notifications about spam or something else? What > does a sample notification say? > > Gustavo FC wrote: > > In my Mailscanner.conf, the "Spam Actions" attribute has only the > > "store" option, but the users receive the notification's emails. > > > > Spam Actions = store > > > > There are any other configuration that I can do? > > > > Gustavo FC > > > > > > Gustavo FC wrote: > > > Hi > > > > > > How can I disable the notifications send to users when theirs email is > > > deleted, stored, etc? > > > > > > > > > Gustavo F.C. > > In your MailScanner.conf you will have this setting with similar > actions. > > # What to do with spam > > # -------------------- > > # notify - Send the recipients a short > > notification that > > # spam addressed to them was not delivered. > > They > > # can then take action to request > > retrieval of > > # the original message if they think it > > was not > > # spam. > > Spam Actions = store deliver notify > > > > Take out the notify. > > Update the same for the other "Actions" sections. > > > > Restart MailScanner > > > > Done! > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.7.0 (Build 1012) > Comment: Use Thunderbird's Enigmail add-on to verify this message > Charset: ISO-8859-1 > > wj8DBQFHodqAEfZZRxQVtlQRAvikAJsElI3er4w2pa+YNGhy9Osx6WQsYQCfdUSb > SsWW++8t8/K23YG0mXA7v74= > =H3fL > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080208/f6f4a014/attachment.html From cotharyus at gmail.com Fri Feb 8 12:20:18 2008 From: cotharyus at gmail.com (Drew) Date: Fri Feb 8 12:20:27 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> Message-ID: <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> Actually, the reason the bayes stuff shows up is because the system hasn't processed any mail, and I haven't put any start dbs there. 
All permissions should be fine, it was one of the first things I checked. Unfortunately, at this time, I've basically ripped this system (which was originally 5.0, and has been upgraded over time to 6.3) down to essentially nothing but a bare install, and reinstalled everything. In the process a few things broke, which I should have fixed soon, in which case if things _still_ don't work, I'll be more than happy to run all tests as postfix and www. Of course, if this doesn't work, I may just nuke this install altogether and go with a fresh install, where I've set all of this software up and gotten it working twice without having to do as much as scratch my head over it. On Feb 8, 2008 5:27 AM, Glenn Steen wrote: > On 08/02/2008, Ugo Bellavance wrote: > > Drew wrote: > > > Glen, > > > Point taken. However it's worked for me before. Does this help any? > > > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > > > /usr/local/etc/MailScanner/bayes/bayes_toks > > > [10051] dbg: bayes: no dbs present, cannot tie DB R/O: > > > /usr/local/etc/MailScanner/bayes/bayes_toks > > > > Looks like there is a problem bayes. Permissions? > > > Yes, and it tells us that when run like that (what user?) it doesn't > bomb... So, could you redo the debug run as your postfix user and as > your apache user? > I'm thinking perm problems here:-). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080208/02b24088/attachment.html From glenn.steen at gmail.com Fri Feb 8 12:28:26 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 12:28:37 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> Message-ID: <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> On 08/02/2008, Glenn Steen wrote: > On 07/02/2008, Cedric Devillers wrote: > > Hello, > > > > I'm trying to revive this thread from the last month because we are > > observing the exact same behavior on one of our servers. > Thanks for doing that, and for providing some more info. > > > So to remember the facts : > > > > - We are using mailscanner with postfix, and duplicated messages are > > generated by mailscanner. > > > > - This system is the only one where we are observing this behavior. It > > have a little particularity : it mainly act as a mail relay, but > > sometimes many mails are generated by the server itself (a script) and > > injected in postfix queues via sendmail command. We can always reproduce > > some duplicated messages with this script. > > > > - MailScanner is configured (by ruleset) to bypass scanning for thoses > > messages, but they are still entering the mailscanner logic (postix -> > > hold queue -> mailscanner (no scan) -> active queue). > What does the ruleset look like? I'm sure it doesn't matter, but ... > just out of curiosity:-)... > > > - Mailwatch is running on this server, and for each duplicates we see > > entries with null size body (2, 3, 4, sometimes 5) then at last a final > > entry with the full body. Note that the recipient see the full body on > > every duplicate. 
> > > > It looks like a locking problem, because all duplicates are with the > > same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > > ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > > lock some queue file when message is marked not to be scanned by > > mailscanner ? > Yes, this seems plausible... Could you provide some log examples? Just > to see that it really is separate children reading the same queue > file... > > > > I will not be very helpfull to debug perl code, but i can provide any > > needed logs to help finding the origin of the problem. > I'll see what I can do, but... I think this isn't "my" code snippets, > but a thing that might have been present for a while... And I have a > serious lack of time to spend on this ATM (worse than last time, > before Xmas)... So no promises:-). > > > This is really a serious problem in this particular installation. But i > > must say that we have dozens of other servers that are running > > mailscanner/postfix, and we are very happy about thems :) > Does it help if you DO scan with MS, but skip things at the next > level, for example: > Scan Messages = yes > Use SpamAssassin = no > Dangerous Content Scanning = no > ... and possibly a few more (do them with a ruleset, of course:-)? > BTW, do you have any milters enabled in Postfix? What version of Postfix? 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 12:31:00 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 12:31:12 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <3b1e5736b979d547acf7fd89d111ce97@solidstatelogic.com> <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> Message-ID: <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com> On 08/02/2008, Drew wrote: > Actually, the reason the bayes stuff shows up is because the system hasn't > processed any mail, and I haven't put any start dbs there. All permissions > should be fine, it was one of the first things I checked. Unfortunately, at > this time, I've basically ripped this system (which was originally 5.0, and > has been upgraded over time to 6.3) down to essentially nothing but a bare > install, and reinstalled everything. In the process a few things broke, > which I should have fixed soon, in which case if things _still_ don't work, > I'll be more than happy to run all tests as postfix and www. Of course, if > this doesn't work, I may just nuke this install altogether and go with a > fresh install, where I've set all of this software up and gotten it working > twice without having to do as much as scratch my head over it. > :-) We'll be here, if you need us. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From v at vladville.com Fri Feb 8 12:32:55 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 12:33:05 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: <47ABC78E.90503@sendit.nodak.edu> References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC78E.90503@sendit.nodak.edu> Message-ID: Richard, You're right - it did hit the cache! I totally missed that. Spam actions are to store, both spam and high scoring spam. But still, it passes it through SA: RBL checks: m18CFjRV010282 found in SBL+XBL Feb 8 07:31:56 MailScanner[16681]: Message m18CFjRV010282 from 220.70.102.23 (volunteereda6@tahitiantreasure.com) to severnsidefabrics.co.uk is spam, SBL+XBL, SpamAssassin (not cached, score= 27.932, required 5, autolearn=disabled, OUTLOOK_3416 1.70, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, RDNS_NONE 0.10, TVD_SPACE_RATIO 2.90, URIBL_AB_SURBL 1.61, URIBL_BLACK 1.96, URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SBL 2.47, URIBL_SC_SURBL 2.52, URIBL_WS_SURBL 2.10) That one was not cached, same result... 
-Vlad On 2/7/08, Richard Frovarp wrote: > > Vlad Mazek wrote: > > Nope, still gets processed by MailScanner: > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > in SBL+XBL > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > for message m17M9lxS016045 > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > *MailScanner warning: numerical links are often malicious:* > > 75.63.44.11 (ka@creativeholidays.com.au > > ) to rmel.org is > > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > > URIBL_WS_SURBL 2.10) > > > > Notice that it still passes it through SpamAssassin. > > > > I have the the following in my MailScanner.conf: > > > > Spam List = SBL+XBL > > Spam Lists To Be Spam = 1 > > Spam Lists To Reach High Score = 1 > > > > -Vlad > > Actually, that one didn't get passed through SpamAssassin. It hit the > cache. Not sure how that is handled differently. What version of > MailScanner? What are your High Scoring Spam Actions? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080208/fe774a40/attachment.html From v at vladville.com Fri Feb 8 12:33:25 2008 From: v at vladville.com (Vlad Mazek) Date: Fri Feb 8 12:33:28 2008 Subject: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC78E.90503@sendit.nodak.edu> Message-ID: Running MailScanner 4.62.9 -Vlad On 2/8/08, Vlad Mazek wrote: > > Richard, > > You're right - it did hit the cache! I totally missed that. Spam actions > are to store, both spam and high scoring spam. > > But still, it passes it through SA: > > RBL checks: m18CFjRV010282 found in SBL+XBL > Feb 8 07:31:56 MailScanner[16681]: Message m18CFjRV010282 from > 220.70.102.23 (volunteereda6@tahitiantreasure.com) to > severnsidefabrics.co.uk is spam, SBL+XBL, SpamAssassin (not cached, score= > 27.932, required 5, autolearn=disabled, OUTLOOK_3416 1.70, > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK > 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, RDNS_NONE 0.10, > TVD_SPACE_RATIO 2.90, URIBL_AB_SURBL 1.61, URIBL_BLACK 1.96, > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SBL 2.47, URIBL_SC_SURBL > 2.52, URIBL_WS_SURBL 2.10) > > That one was not cached, same result... 
> > -Vlad > > On 2/7/08, Richard Frovarp wrote: > > > > Vlad Mazek wrote: > > > Nope, still gets processed by MailScanner: > > > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > > in SBL+XBL > > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > > for message m17M9lxS016045 > > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > > *MailScanner warning: numerical links are often malicious:* > > > 75.63.44.11 (ka@creativeholidays.com.au > > > ) to rmel.org is > > > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > > > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > > > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > > > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > > > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > > > URIBL_WS_SURBL 2.10) > > > > > > Notice that it still passes it through SpamAssassin. > > > > > > I have the the following in my MailScanner.conf: > > > > > > Spam List = SBL+XBL > > > Spam Lists To Be Spam = 1 > > > Spam Lists To Reach High Score = 1 > > > > > > -Vlad > > > > Actually, that one didn't get passed through SpamAssassin. It hit the > > cache. Not sure how that is handled differently. What version of > > MailScanner? What are your High Scoring Spam Actions? > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > -- > > -Vlad -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080208/73fffe2c/attachment.html From Kit at simplysites.co.uk Fri Feb 8 12:46:09 2008 From: Kit at simplysites.co.uk (Kit Wong) Date: Fri Feb 8 12:46:26 2008 Subject: whitelist TO email addresses sent by users on the server In-Reply-To: <223f97700802070221v6147c180j7c4cb94cfce9d4e4@mail.gmail.com> References: <451c82e38abf4a43b0b038cc758004bd@solidstatelogic.com> <223f97700802070221v6147c180j7c4cb94cfce9d4e4@mail.gmail.com> Message-ID: -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: 07 February 2008 10:22 To: MailScanner discussion Subject: Re: whitelist TO email addresses sent by users on the server On 07/02/2008, Martin.Hepworth wrote: > Kit > > Take a look at the watermarking feature in recent release of MailScanner, this should so the job. Would only work for replies though, unless one does really silly hoops in a CustomFunction. > Whitelisting 'known' addresses can be fraught with danger. > Amen! ------------------------------------- I currently have MailScanner 4.50.15, silly question, what is the easiest way to upgrade to the latest version 4.66. Its on bluequartz centos running sendmail and spamassassin 3.1.9. Is there a guide on using watermarking? Thanks From glenn.steen at gmail.com Fri Feb 8 12:52:38 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 12:52:49 2008 Subject: "Is Definitely Spam" rule not working ? 
In-Reply-To: <47A8A480.3010706@ecs.soton.ac.uk> References: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> <47A8A480.3010706@ecs.soton.ac.uk> Message-ID: <223f97700802080452w3cbc59dfkc6b48ecdc3c1ee98@mail.gmail.com> On 05/02/2008, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 05/02/2008, Pascal Maes wrote: > > > >> Le 05-f?vr.-08 ? 12:31, Glenn Steen a ?crit : > >> > >> > >>> On 05/02/2008, Pascal Maes wrote: > >>> > >>>> Le 05-f?vr.-08 ? 09:45, Glenn Steen a ?crit : > >>>> > >>>> > >>>>> On 05/02/2008, Glenn Steen wrote: > >>>>> > >>>>>> On 05/02/2008, Pascal Maes wrote: > >>>>>> > >>>>> (snip) > >>>>> > >>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner > >>>>>>> takes it and puts it back into the Postfix queue. > >>>>>>> > >>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP > >>>>>>> address otherwise why is the "Is Definitely Not Spam" rule > >>>>>>> working : > >>>>>>> > >>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message > >>>>>>> E8686E9102.A7655 > >>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org > >>>>>>> ) is whitelisted > >>>>>>> > >>>>>>> > >>>>>>> Regards > >>>>>>> > >>>>>> Anything happening to the message _after_ MailScaner doesn't hjave > >>>>>> any > >>>>>> impact on your problem... What happens before though... You have to > >>>>>> make sure that your SA trust_path is OK, and all should be well. > >>>>>> Why > >>>>>> do you use the ClamSMTP thing at all? > >>>>>> > >>>>>> Cheers > >>>>>> > >>>>> Oh, sorry, not an sa issue... 
Still, yhe last client to handle > >>>>> this is > >>>>> the clamsmtp thing, which might just be the problem. > >>>>> Again, why do you use that? Theoretically MailScanner (through the > >>>>> batching, and using either clamavmodule or clamd) should be more > >>>>> efficient and less likely to be able to be DoS'd... That > >>>>> "not-really-part-of-SMTP-flow insulation" is ... golden. > >>>>> > >>>>> Cheers > >>>>> -- > >>>>> -- Glenn > >>>>> email: glenn < dot > steen < at > gmail < dot > com > >>>>> work: glenn < dot > steen < at > ap1 < dot > se > >>>>> > >>>> One advantage of using ClamSMTP is the reject of the worm at the > >>>> connection time. > >>>> As we receive a lot of mail per day, it's not negligible. > >>>> > >>> No, but then neither is the resource drain;-). > >>> > >>> > >>>> As MailScanner is using McAffe, we have two different AV to check the > >>>> messages. > >>>> > >>> Prudent, but did you look at processing times etc for the "all MS" > >>> case? > >>> Sure, the real killer is likely SA, and the ClamSMTP thing will > >>> avoid that... > >>> I wonder if the clamav milter would be a "nicer" solution, avoiding > >>> your current problem... > >>> > >>> Cheers > >>> -- > >>> -- Glenn > >>> email: glenn < dot > steen < at > gmail < dot > com > >>> work: glenn < dot > steen < at > ap1 < dot > se > >>> -- > >>> > >> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see > >> what happens. > >> All the clientip are 127.0.0.1 :-( > >> > >> Whitelisting is working because the check is done on the From address > >> and not on the client IP. > >> The blacklisting, in that case doesn't work because it's an IP address. > >> > >> So, we can't use before-filter with Postifx and MailScanner and hope > >> that the white or black listing will work with IP addresses even we > >> use the smtpd_authorized_xforward_hosts. > >> > >> Is that right ? > >> > > > > Yes, AFAICS. 
Unless we ask Jules nicely to facilitate "disregarding" > > loopback when determining the ip... Perhaps a bit like SA does it > > (with the trust thing). > > > I can't do that. MailScanner directly reads the IP address of the TCP/IP > connection source, it doesn't involve looking at the headers of the > message at all. > > > >> If yes, what's the use of smtpd_authorized_xforward_hosts (to be > >> posted on the postfix list also) ? > >> > > Good question. Perhaps one (Jules) could use that...:). > > BTW, wear your asbetos underwear when telling the pf-list your > > problem... they seriously dislike MS... still...:(. > > > Don't expect to get anything useful from the Postfix list about MailScanner. > > Jules > Um, Jules... What about the clientip read from Received line in Postfix.pm (ReadQf, the third loop... If I counted things right...:-)? Isn't that what you use, and where one could possibly ... munge it? A bit like the BarricadeMX fixup, to get at the real sending server IP? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 13:15:42 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 13:18:10 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> Message-ID: <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> On 08/02/2008, Glenn Steen wrote: > On 08/02/2008, Glenn Steen wrote: > > On 07/02/2008, Cedric Devillers wrote: > > > Hello, > > > > > > I'm trying to revive this thread from the last month because we are > > > observing the exact same behavior on one of our servers. > > Thanks for doing that, and for providing some more info. 
> > > > > So to remember the facts : > > > > > > - We are using mailscanner with postfix, and duplicated messages are > > > generated by mailscanner. > > > > > > - This system is the only one where we are observing this behavior. It > > > have a little particularity : it mainly act as a mail relay, but > > > sometimes many mails are generated by the server itself (a script) and > > > injected in postfix queues via sendmail command. We can always reproduce > > > some duplicated messages with this script. > > > > > > - MailScanner is configured (by ruleset) to bypass scanning for thoses > > > messages, but they are still entering the mailscanner logic (postix -> > > > hold queue -> mailscanner (no scan) -> active queue). > > What does the ruleset look like? I'm sure it doesn't matter, but ... > > just out of curiosity:-)... > > > > > - Mailwatch is running on this server, and for each duplicates we see > > > entries with null size body (2, 3, 4, sometimes 5) then at last a final > > > entry with the full body. Note that the recipient see the full body on > > > every duplicate. > > > > > > It looks like a locking problem, because all duplicates are with the > > > same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > > > ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > > > lock some queue file when message is marked not to be scanned by > > > mailscanner ? > > Yes, this seems plausible... Could you provide some log examples? Just > > to see that it really is separate children reading the same queue > > file... > > > > > > > I will not be very helpfull to debug perl code, but i can provide any > > > needed logs to help finding the origin of the problem. > > I'll see what I can do, but... I think this isn't "my" code snippets, > > but a thing that might have been present for a while... And I have a > > serious lack of time to spend on this ATM (worse than last time, > > before Xmas)... So no promises:-). 
> > > > > This is really a serious problem in this particular installation. But i > > > must say that we have dozens of other servers that are running > > > mailscanner/postfix, and we are very happy about thems :) > > Does it help if you DO scan with MS, but skip things at the next > > level, for example: > > Scan Messages = yes > > Use SpamAssassin = no > > Dangerous Content Scanning = no > > ... and possibly a few more (do them with a ruleset, of course:-)? > > > > BTW, do you have any milters enabled in Postfix? What version of Postfix? > > Cheers I think we need Jules on this one, not only feeble lil' me:-). AFAICS, the locking/unlocking is handled _exactly_ the same regardless of the scanmail setting... But then, this is a rather complex bit of code, where the "execution path" isn't always as straightforward as it seems... Jules, could you spare a moment or two? Just to look at what could possibly be wrong with the message->scanmail = 0 scenario? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:23:32 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 8 16:23:57 2008 Subject: MS/Solaris installation buglets In-Reply-To: References: Message-ID: <47AC8204.2070206@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Lee wrote: > Julian: to report a couple of Solaris MS (4.66.5) installation buglets. > > 1. MakeMaker requires a release of File::Spec which may be more recent > than that native in the OS. You already distribute a good File::Spec. > > Solution: Re-order the installation to do File::Spec before MakeMaker. > (Tested: it works.) > Done. Will be in the next release. > 2. MakeMaker build reports "Can't locate Pod/Man.pm in @INC...". Might > these need something like "Pod::Man" adding to the list of modules you > distribute? > This is a bigger problem. 
They don't distribute Pod::Man as a standalone module unfortunately. Is it vital? > > There may be more waiting for later, but I'm suspending work on this > attempted installation at present so we can decide the best approach. > > I'd be happy to try to beta-test things for you. > > > Best wishes. > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHrIIFEfZZRxQVtlQRApJjAKCaJcg8MIU9ctlE/PyS6YlY6pxnjgCeO7HX XUvTVTggGV+O9pdg+fcQU5s= =Odyj -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:46:18 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 8 16:46:54 2008 Subject: Definite Fraud? In-Reply-To: References: <47AA1531.4040205@sequestered.net> Message-ID: <47AC875A.2080700@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark Nienberg wrote: > Jay Chandler wrote: >> I'm sure this has been rehashed before, but... >> >> >> *MailScanner has detected definite fraud in the website at >> "tinyurl.com". Do /not/ trust this website:* http://tinyurl.com/blah >> >> >> >> Obviously it's detecting the 301 redirect, but that doesn't >> necessarily bespeak fraud. There are a lot of non-fraudulent things >> that it could be, ranging from shock pictures to Rick Rolls to >> inredibly long URLs. >> >> Has anyone discussed changing the wording here? >> > > The wording is correct. 
This is the message that is displayed when a > url is found in the list /etc/MailScanner/phishing.bad.sites.conf. > > These are known phishing sites. This is different from the case where > a link target and text do not match, which is described as a > "possible" fraud. > > That said, it is a little strange that tinyurl.com is listed in > phishing.bad.sites.conf, but it is. It was on there as the url tinyurl.com/2n8vml was reported. To avoid URL obfuscation working, it blacklists the entire site. The report should have been for the target of that redirector, not the innocent redirector itself. I have removed tinyurl.com from the blacklist. Your site should update in the next hour or so. > > Mark > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHrIdbEfZZRxQVtlQRApTiAJsHrBW2ir22q29wo/I9xcruPxu7PACeL8pn Q6+LW/YBqynf9GmiQvoHDq8= =6X/W -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:47:42 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 8 16:48:16 2008 Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL In-Reply-To: References: <47AB3006.2010303@USherbrooke.ca> <47AB3451.2060500@sendit.nodak.edu> <47AB43F5.9030004@sendit.nodak.edu> <47ABC7CD.5000505@sendit.nodak.edu> Message-ID: <47AC87AE.6010608@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 But if you set Check SpamAssassin If On Spam List = no then it won't. 
Vlad Mazek wrote: > Tried that earlier today, no difference in behavior. MailScanner finds > it on SBL+XBL but proceeds to put it through SA anyhow. > > -Vlad > > On 2/7/08, *Richard Frovarp* > wrote: > > Vlad Mazek wrote: > > Nope, still gets processed by MailScanner: > > > > Feb 7 17:18:45 MailScanner[18224]: RBL checks: m17M9lxS016045 found > > in SBL+XBL > > Feb 7 17:18:46 inbound42 MailScanner[18224]: SpamAssassin cache hit > > for message m17M9lxS016045 > > Feb 7 17:18:46 MailScanner[18224]: Message m17M9lxS016045 from > > *MailScanner warning: numerical links are often malicious:* > > *MailScanner warning: numerical links are often malicious:* > 75.63.44.11 <*MailScanner warning: numerical > links are often malicious:* http://75.63.44.11> > (ka@creativeholidays.com.au > > >) to rmel.org > is > > spam, SBL+XBL, SpamAssassin (cached, score=23.378, required 5, > > autolearn=disabled, RAZOR2_CF_RANGE_51_100 0.50, > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > > RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_XBL 2.90, > > STOX_REPLY_TYPE 0.00, TVD_FINGER_02 2.72, URIBL_BLACK 1.96, > > URIBL_JP_SURBL 2.86, URIBL_OB_SURBL 2.13, URIBL_SC_SURBL 2.52, > > URIBL_WS_SURBL 2.10) > > > > Notice that it still passes it through SpamAssassin. > > > > I have the the following in my MailScanner.conf: > > > > Spam List = SBL+XBL > > Spam Lists To Be Spam = 1 > > Spam Lists To Reach High Score = 1 > > > > -Vlad > > Try: > Spam Lists To Be Spam = 0 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFHrIevEfZZRxQVtlQRAkGAAKCwtIDJuD1qHBvOlsb0D3/TXrGS6wCg71HZ gELMIsocgaML5GkIpJQSOpo= =A8af -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:54:29 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 8 16:54:59 2008 Subject: "Is Definitely Spam" rule not working ? In-Reply-To: <223f97700802080452w3cbc59dfkc6b48ecdc3c1ee98@mail.gmail.com> References: <6D8CB3D6-F8F5-4151-AAAE-E01EF898DFA0@elec.ucl.ac.be> <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com> <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com> <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be> <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com> <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be> <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com> <47A8A480.3010706@ecs.soton.ac.uk> <223f97700802080452w3cbc59dfkc6b48ecdc3c1ee98@mail.gmail.com> Message-ID: <47AC8945.3070803@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 05/02/2008, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Glenn Steen wrote: >> >>> On 05/02/2008, Pascal Maes wrote: >>> >>> >>>> Le 05-f?vr.-08 ? 12:31, Glenn Steen a ?crit : >>>> >>>> >>>> >>>>> On 05/02/2008, Pascal Maes wrote: >>>>> >>>>> >>>>>> Le 05-f?vr.-08 ? 
09:45, Glenn Steen a ?crit : >>>>>> >>>>>> >>>>>> >>>>>>> On 05/02/2008, Glenn Steen wrote: >>>>>>> >>>>>>> >>>>>>>> On 05/02/2008, Pascal Maes wrote: >>>>>>>> >>>>>>>> >>>>>>> (snip) >>>>>>> >>>>>>> >>>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner >>>>>>>>> takes it and puts it back into the Postfix queue. >>>>>>>>> >>>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP >>>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule >>>>>>>>> working : >>>>>>>>> >>>>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message >>>>>>>>> E8686E9102.A7655 >>>>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org >>>>>>>>> ) is whitelisted >>>>>>>>> >>>>>>>>> >>>>>>>>> Regards >>>>>>>>> >>>>>>>>> >>>>>>>> Anything happening to the message _after_ MailScaner doesn't hjave >>>>>>>> any >>>>>>>> impact on your problem... What happens before though... You have to >>>>>>>> make sure that your SA trust_path is OK, and all should be well. >>>>>>>> Why >>>>>>>> do you use the ClamSMTP thing at all? >>>>>>>> >>>>>>>> Cheers >>>>>>>> >>>>>>>> >>>>>>> Oh, sorry, not an sa issue... Still, yhe last client to handle >>>>>>> this is >>>>>>> the clamsmtp thing, which might just be the problem. >>>>>>> Again, why do you use that? Theoretically MailScanner (through the >>>>>>> batching, and using either clamavmodule or clamd) should be more >>>>>>> efficient and less likely to be able to be DoS'd... That >>>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden. >>>>>>> >>>>>>> Cheers >>>>>>> -- >>>>>>> -- Glenn >>>>>>> email: glenn < dot > steen < at > gmail < dot > com >>>>>>> work: glenn < dot > steen < at > ap1 < dot > se >>>>>>> >>>>>>> >>>>>> One advantage of using ClamSMTP is the reject of the worm at the >>>>>> connection time. >>>>>> As we receive a lot of mail per day, it's not negligible. >>>>>> >>>>>> >>>>> No, but then neither is the resource drain;-). 
>>>>> >>>>> >>>>> >>>>>> As MailScanner is using McAffe, we have two different AV to check the >>>>>> messages. >>>>>> >>>>>> >>>>> Prudent, but did you look at processing times etc for the "all MS" >>>>> case? >>>>> Sure, the real killer is likely SA, and the ClamSMTP thing will >>>>> avoid that... >>>>> I wonder if the clamav milter would be a "nicer" solution, avoiding >>>>> your current problem... >>>>> >>>>> Cheers >>>>> -- >>>>> -- Glenn >>>>> email: glenn < dot > steen < at > gmail < dot > com >>>>> work: glenn < dot > steen < at > ap1 < dot > se >>>>> -- >>>>> >>>>> >>>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see >>>> what happens. >>>> All the clientip are 127.0.0.1 :-( >>>> >>>> Whitelisting is working because the check is done on the From address >>>> and not on the client IP. >>>> The blacklisting, in that case doesn't work because it's an IP address. >>>> >>>> So, we can't use before-filter with Postifx and MailScanner and hope >>>> that the white or black listing will work with IP addresses even we >>>> use the smtpd_authorized_xforward_hosts. >>>> >>>> Is that right ? >>>> >>>> >>> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding" >>> loopback when determining the ip... Perhaps a bit like SA does it >>> (with the trust thing). >>> >>> >> I can't do that. MailScanner directly reads the IP address of the TCP/IP >> connection source, it doesn't involve looking at the headers of the >> message at all. >> >>>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be >>>> posted on the postfix list also) ? >>>> >>>> >>> Good question. Perhaps one (Jules) could use that...:). >>> BTW, wear your asbetos underwear when telling the pf-list your >>> problem... they seriously dislike MS... still...:(. >>> >>> >> Don't expect to get anything useful from the Postfix list about MailScanner. >> >> Jules >> >> > Um, Jules... 
What about the clientip read from Received line in
> Postfix.pm (ReadQf, the third loop... If I counted things right...:-)?
> Isn't that what you use, and where one could possibly ... munge it? A
> bit like the BarricadeMX fixup, to get at the real sending server IP?
>

Are you talking about this bit of code? If it's 127.0.0.1 then I could choose to ignore it and pick up the next one. What's the IPv6 equivalent address that I'll see in the header?

      if (!$IPFound && $recdata =~ /^Received: .+\[(\d+\.\d+\.\d+\.\d+)\]/i) {
        $message->{clientip} = $1;
        $IPFound = 1;
      } elsif (!$IPFound && $recdata =~ /^Received: .+\[([\dabcdef.:]+)\]/i) {
        # It is an IPv6 address
        $message->{clientip} = $1;
        $IPFound = 1;
      } elsif (!$IPFound && $recdata =~ /^Received: .+\(Postfix/i) {
        $message->{clientip} = '127.0.0.1'; #spoof local sender from localhost
        $IPFound = 1;
      }

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHrIlGEfZZRxQVtlQRAqXiAJ9Hwn7x7WVfAkB/7TWQVRXJr5Fm8ACgjpfO
/YYfdNJQNewkuRMVjJNrP7c=
=g/Ew
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
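The selection discussed in the message above, as an added example (not MailScanner's code and not part of the original post): it skips loopback hops left by a local content filter and then applies the thread's IP-prefix rule to the address it finds. The names client_ip, is_loopback, rule_value and the $max_skip limit are hypothetical, the first header set is constructed from the headers quoted at the start of the thread, and mx.example.test and 192.0.2.25 are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Peer address as the receiving MTA recorded it inside the comment,
# "(rdns [ip])" or "([ip])". The HELO name before the comment is chosen by
# the sender, so a bracketed literal in that position is never captured.
my $PEER = qr/^Received:\s+from\s+\S+\s+\((?:\S+\s+)?\[((?:IPv6:)?[0-9a-f.:]+)\]\)/i;

# Loopback in the spellings likely to appear in a Received: literal.
sub is_loopback {
    my ($ip) = @_;
    $ip = lc $ip;
    $ip =~ s/^ipv6://;                                       # RFC 5321 tag on IPv6 literals
    return 1 if $ip =~ /^(?:::ffff:)?127(?:\.\d{1,3}){3}$/;  # 127.0.0.0/8, also IPv4-mapped
    return 1 if $ip =~ /^::0{0,3}1$/;                        # ::1
    return 1 if $ip =~ /^(?:0{1,4}:){7}0{0,3}1$/;            # 0:0:0:0:0:0:0:1
    return 0;
}

# Walk the Received: headers newest first and return the first peer address
# that is not loopback. At most $max_skip loopback hops are skipped
# (assumption: the local filter chain adds no more than that), so headers
# further down, which the sender may have written, are never trusted.
sub client_ip {
    my ($headers, $max_skip) = @_;
    $max_skip = 2 unless defined $max_skip;
    my $skipped = 0;
    for my $h (@$headers) {
        next unless $h =~ /^Received:/i;
        if ($h =~ $PEER) {
            my $ip = $1;
            if (is_loopback($ip)) {
                return '127.0.0.1' if ++$skipped > $max_skip;
                next;
            }
            $ip =~ s/^IPv6://i;
            return $ip;
        }
        # No peer address at all: locally submitted mail, handled like the
        # third branch of the snippet posted above.
        return '127.0.0.1' if $h =~ /\(Postfix/i;
    }
    return $skipped ? '127.0.0.1' : undef;
}

# Simplified model of an IP-prefix ruleset such as spam_blacklist.rules from
# the start of the thread. This is not MailScanner's ruleset parser.
sub rule_value {
    my ($ip, @rules) = @_;
    for my $line (@rules) {
        my (undef, $pat, $val) = split ' ', $line;
        next unless defined $val;
        return $val if $pat eq 'default';
        return $val if defined $ip && $pat =~ /^[\d.]+\.$/ && index($ip, $pat) == 0;
    }
    return 'no';
}

# Constructed queue-file headers, newest hop first: the filter re-injects
# over loopback, the hop below it is the real sending server.
my @filtered = (
    'Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1]) by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D',
    'Received: from rssl2.mytravfolks.com (unknown [66.63.168.38]) by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP',
    'Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id hk8fra01g741',
);
# Constructed: IPv6 loopback hop, then a sender whose HELO claims 127.0.0.1.
my @ipv6_hop = (
    'Received: from localhost (localhost [IPv6:::1]) by mx.example.test (Postfix) with ESMTP',
    'Received: from [127.0.0.1] (unknown [192.0.2.25]) by mx.example.test (Postfix) with SMTP',
);
my @rules = ('From: 66.63.168. yes', 'FromOrTo: default no');

my $top_hop = '127.0.0.1';    # what taking the first bracketed address gives for @filtered
for my $case ([ 'first hop only', $top_hop ],
              [ 'loopback skipped', client_ip(\@filtered) ],
              [ 'IPv6 loopback + forged HELO', client_ip(\@ipv6_hop) ]) {
    my ($label, $ip) = @$case;
    printf "%-28s clientip=%-14s Is Definitely Spam=%s\n",
        $label, $ip, rule_value($ip, @rules);
}
```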
From MailScanner at ecs.soton.ac.uk Fri Feb 8 16:56:18 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 8 16:56:47 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> Message-ID: <47AC89B2.80906@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 08/02/2008, Glenn Steen wrote: > >> On 08/02/2008, Glenn Steen wrote: >> >>> On 07/02/2008, Cedric Devillers wrote: >>> >>>> Hello, >>>> >>>> I'm trying to revive this thread from the last month because we are >>>> observing the exact same behavior on one of our servers. >>>> >>> Thanks for doing that, and for providing some more info. >>> >>> >>>> So to remember the facts : >>>> >>>> - We are using mailscanner with postfix, and duplicated messages are >>>> generated by mailscanner. >>>> >>>> - This system is the only one where we are observing this behavior. It >>>> have a little particularity : it mainly act as a mail relay, but >>>> sometimes many mails are generated by the server itself (a script) and >>>> injected in postfix queues via sendmail command. We can always reproduce >>>> some duplicated messages with this script. >>>> >>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses >>>> messages, but they are still entering the mailscanner logic (postix -> >>>> hold queue -> mailscanner (no scan) -> active queue). >>>> >>> What does the ruleset look like? I'm sure it doesn't matter, but ... >>> just out of curiosity:-)... >>> >>> >>>> - Mailwatch is running on this server, and for each duplicates we see >>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final >>>> entry with the full body. 
Note that the recipient see the full body on >>>> every duplicate. >>>> >>>> It looks like a locking problem, because all duplicates are with the >>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, >>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to >>>> lock some queue file when message is marked not to be scanned by >>>> mailscanner ? >>>> >>> Yes, this seems plausible... Could you provide some log examples? Just >>> to see that it really is separate children reading the same queue >>> file... >>> >>> >>> >>>> I will not be very helpfull to debug perl code, but i can provide any >>>> needed logs to help finding the origin of the problem. >>>> >>> I'll see what I can do, but... I think this isn't "my" code snippets, >>> but a thing that might have been present for a while... And I have a >>> serious lack of time to spend on this ATM (worse than last time, >>> before Xmas)... So no promises:-). >>> >>> >>>> This is really a serious problem in this particular installation. But i >>>> must say that we have dozens of other servers that are running >>>> mailscanner/postfix, and we are very happy about thems :) >>>> >>> Does it help if you DO scan with MS, but skip things at the next >>> level, for example: >>> Scan Messages = yes >>> Use SpamAssassin = no >>> Dangerous Content Scanning = no >>> ... and possibly a few more (do them with a ruleset, of course:-)? >>> >>> >> BTW, do you have any milters enabled in Postfix? What version of Postfix? >> >> Cheers >> > > I think we need Jules on this one, not only feeble lil' me:-). > AFAICS, the locking/unlocking is handled _exactly_ the same regardless > of the scanmail setting... But then, this is a rather complex bit of > code, where the "execution path" isn't always as straightforward as it > seems... Jules, could you spare a moment or two? Just to look at what > could possibly be wrong with the message->scanmail = 0 scenario? 
>
>
Can you *briefly* explain what the problem is, what the symptoms are and
where you think the problem might lie? This is a very long thread.... :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From glenn.steen at gmail.com Fri Feb 8 18:51:09 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 8 18:51:21 2008
Subject: "Is Definitely Spam" rule not working ?
In-Reply-To: <47AC8945.3070803@ecs.soton.ac.uk>
References: <223f97700802050040l3d9a1488we47a6bd4b3a01474@mail.gmail.com>
    <223f97700802050045i4e2f2412i40cd9612eb4f57df@mail.gmail.com>
    <30D3C8A4-F407-4BF9-8D28-A8379EB04B44@elec.ucl.ac.be>
    <223f97700802050331g3b4236d4kcc09064ac2823838@mail.gmail.com>
    <350469B4-78FB-4786-BD8C-F7F0A2B6F5C5@elec.ucl.ac.be>
    <223f97700802050535h25e690aeq3d87ceb1b0e3716c@mail.gmail.com>
    <47A8A480.3010706@ecs.soton.ac.uk>
    <223f97700802080452w3cbc59dfkc6b48ecdc3c1ee98@mail.gmail.com>
    <47AC8945.3070803@ecs.soton.ac.uk>
Message-ID: <223f97700802081051o201bcff3teeda59c815221842@mail.gmail.com>

On 08/02/2008, Julian Field wrote:
>
> Glenn Steen wrote:
> > On 05/02/2008, Julian Field wrote:
> >
> >> Glenn Steen wrote:
> >>
> >>> On 05/02/2008, Pascal Maes wrote:
> >>>
> >>>> Le 05-févr.-08 à
12:31, Glenn Steen a ?crit : > >>>> > >>>> > >>>> > >>>>> On 05/02/2008, Pascal Maes wrote: > >>>>> > >>>>> > >>>>>> Le 05-f?vr.-08 ? 09:45, Glenn Steen a ?crit : > >>>>>> > >>>>>> > >>>>>> > >>>>>>> On 05/02/2008, Glenn Steen wrote: > >>>>>>> > >>>>>>> > >>>>>>>> On 05/02/2008, Pascal Maes wrote: > >>>>>>>> > >>>>>>>> > >>>>>>> (snip) > >>>>>>> > >>>>>>> > >>>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner > >>>>>>>>> takes it and puts it back into the Postfix queue. > >>>>>>>>> > >>>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP > >>>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule > >>>>>>>>> working : > >>>>>>>>> > >>>>>>>>> Feb 5 09:21:07 smtp-1 MailScanner[14880]: Message > >>>>>>>>> E8686E9102.A7655 > >>>>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be@spamassassin.apache.org > >>>>>>>>> ) is whitelisted > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> Regards > >>>>>>>>> > >>>>>>>>> > >>>>>>>> Anything happening to the message _after_ MailScaner doesn't hjave > >>>>>>>> any > >>>>>>>> impact on your problem... What happens before though... You have to > >>>>>>>> make sure that your SA trust_path is OK, and all should be well. > >>>>>>>> Why > >>>>>>>> do you use the ClamSMTP thing at all? > >>>>>>>> > >>>>>>>> Cheers > >>>>>>>> > >>>>>>>> > >>>>>>> Oh, sorry, not an sa issue... Still, yhe last client to handle > >>>>>>> this is > >>>>>>> the clamsmtp thing, which might just be the problem. > >>>>>>> Again, why do you use that? Theoretically MailScanner (through the > >>>>>>> batching, and using either clamavmodule or clamd) should be more > >>>>>>> efficient and less likely to be able to be DoS'd... That > >>>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden. 
> >>>>>>> > >>>>>>> Cheers > >>>>>>> -- > >>>>>>> -- Glenn > >>>>>>> email: glenn < dot > steen < at > gmail < dot > com > >>>>>>> work: glenn < dot > steen < at > ap1 < dot > se > >>>>>>> > >>>>>>> > >>>>>> One advantage of using ClamSMTP is the reject of the worm at the > >>>>>> connection time. > >>>>>> As we receive a lot of mail per day, it's not negligible. > >>>>>> > >>>>>> > >>>>> No, but then neither is the resource drain;-). > >>>>> > >>>>> > >>>>> > >>>>>> As MailScanner is using McAffe, we have two different AV to check the > >>>>>> messages. > >>>>>> > >>>>>> > >>>>> Prudent, but did you look at processing times etc for the "all MS" > >>>>> case? > >>>>> Sure, the real killer is likely SA, and the ClamSMTP thing will > >>>>> avoid that... > >>>>> I wonder if the clamav milter would be a "nicer" solution, avoiding > >>>>> your current problem... > >>>>> > >>>>> Cheers > >>>>> -- > >>>>> -- Glenn > >>>>> email: glenn < dot > steen < at > gmail < dot > com > >>>>> work: glenn < dot > steen < at > ap1 < dot > se > >>>>> -- > >>>>> > >>>>> > >>>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see > >>>> what happens. > >>>> All the clientip are 127.0.0.1 :-( > >>>> > >>>> Whitelisting is working because the check is done on the From address > >>>> and not on the client IP. > >>>> The blacklisting, in that case doesn't work because it's an IP address. > >>>> > >>>> So, we can't use before-filter with Postifx and MailScanner and hope > >>>> that the white or black listing will work with IP addresses even we > >>>> use the smtpd_authorized_xforward_hosts. > >>>> > >>>> Is that right ? > >>>> > >>>> > >>> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding" > >>> loopback when determining the ip... Perhaps a bit like SA does it > >>> (with the trust thing). > >>> > >>> > >> I can't do that. 
MailScanner directly reads the IP address of the TCP/IP
> >> connection source, it doesn't involve looking at the headers of the
> >> message at all.
> >>
> >>>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> >>>> posted on the postfix list also) ?
> >>>>
> >>> Good question. Perhaps one (Jules) could use that...:).
> >>> BTW, wear your asbestos underwear when telling the pf-list your
> >>> problem... they seriously dislike MS... still...:(.
> >>>
> >> Don't expect to get anything useful from the Postfix list about MailScanner.
> >>
> >> Jules
> >>
> > Um, Jules... What about the clientip read from Received line in
> > Postfix.pm (ReadQf, the third loop... If I counted things right...:-)?
> > Isn't that what you use, and where one could possibly ... munge it? A
> > bit like the BarricadeMX fixup, to get at the real sending server IP?
> >
> Are you talking about this bit of code?
> If it's 127.0.0.1 then I could choose to ignore it and pick up the next
> one. What's the IPv6 equivalent address that I'll see in the header?
>
>       if (!$IPFound && $recdata =~ /^Received: .+\[(\d+\.\d+\.\d+\.\d+)\]/i) {
>         $message->{clientip} = $1;
>         $IPFound = 1;
>       } elsif (!$IPFound && $recdata =~ /^Received: .+\[([\dabcdef.:]+)\]/i) {
>         # It is an IPv6 address
>         $message->{clientip} = $1;
>         $IPFound = 1;
>       } elsif (!$IPFound && $recdata =~ /^Received: .+\(Postfix/i) {
>         $message->{clientip} = '127.0.0.1'; #spoof local sender from localhost
>         $IPFound = 1;
>       }

Yep, that it is.... IPv6 would be something like :::FFF.... wouldn't
it:-). Sorry, I'm slightly tipsy (Champagne, no less!) after a hellish
week. Head not screwed on rightly:-)
I'd think this'd best be a settable thing (remove or not), since we
can't do the same type of blanket assumptions as you can with
BarricadeMX (that it is a "SMTP pre-filter" adding the line... or can
we?)...
> Jules > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 19:02:23 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 19:02:37 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <47AC89B2.80906@ecs.soton.ac.uk> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> Message-ID: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> On 08/02/2008, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 08/02/2008, Glenn Steen wrote: > > > >> On 08/02/2008, Glenn Steen wrote: > >> > >>> On 07/02/2008, Cedric Devillers wrote: > >>> > >>>> Hello, > >>>> > >>>> I'm trying to revive this thread from the last month because we are > >>>> observing the exact same behavior on one of our servers. > >>>> > >>> Thanks for doing that, and for providing some more info. > >>> > >>> > >>>> So to remember the facts : > >>>> > >>>> - We are using mailscanner with postfix, and duplicated messages are > >>>> generated by mailscanner. > >>>> > >>>> - This system is the only one where we are observing this behavior. It > >>>> have a little particularity : it mainly act as a mail relay, but > >>>> sometimes many mails are generated by the server itself (a script) and > >>>> injected in postfix queues via sendmail command. We can always reproduce > >>>> some duplicated messages with this script. > >>>> > >>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses > >>>> messages, but they are still entering the mailscanner logic (postix -> > >>>> hold queue -> mailscanner (no scan) -> active queue). > >>>> > >>> What does the ruleset look like? I'm sure it doesn't matter, but ... 
> >>> just out of curiosity:-)... > >>> > >>> > >>>> - Mailwatch is running on this server, and for each duplicates we see > >>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final > >>>> entry with the full body. Note that the recipient see the full body on > >>>> every duplicate. > >>>> > >>>> It looks like a locking problem, because all duplicates are with the > >>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > >>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > >>>> lock some queue file when message is marked not to be scanned by > >>>> mailscanner ? > >>>> > >>> Yes, this seems plausible... Could you provide some log examples? Just > >>> to see that it really is separate children reading the same queue > >>> file... > >>> > >>> > >>> > >>>> I will not be very helpfull to debug perl code, but i can provide any > >>>> needed logs to help finding the origin of the problem. > >>>> > >>> I'll see what I can do, but... I think this isn't "my" code snippets, > >>> but a thing that might have been present for a while... And I have a > >>> serious lack of time to spend on this ATM (worse than last time, > >>> before Xmas)... So no promises:-). > >>> > >>> > >>>> This is really a serious problem in this particular installation. But i > >>>> must say that we have dozens of other servers that are running > >>>> mailscanner/postfix, and we are very happy about thems :) > >>>> > >>> Does it help if you DO scan with MS, but skip things at the next > >>> level, for example: > >>> Scan Messages = yes > >>> Use SpamAssassin = no > >>> Dangerous Content Scanning = no > >>> ... and possibly a few more (do them with a ruleset, of course:-)? > >>> > >>> > >> BTW, do you have any milters enabled in Postfix? What version of Postfix? > >> > >> Cheers > >> > > > > I think we need Jules on this one, not only feeble lil' me:-). 
> > AFAICS, the locking/unlocking is handled _exactly_ the same regardless
> > of the scanmail setting... But then, this is a rather complex bit of
> > code, where the "execution path" isn't always as straightforward as it
> > seems... Jules, could you spare a moment or two? Just to look at what
> > could possibly be wrong with the message->scanmail = 0 scenario?
> >
> Can you *briefly* explain what the problem is, what the symptoms are and
> where you think the problem might lie? This is a very long thread.... :-)
>
> Jules
>
In short:
When using Postfix and setting Scan Messages = no (with a ruleset, for
some....), duplicates are "generated" by several MailScanner children
picking up and delivering the same message. It seems to be something
to do with timing, since not all generate this behavior, but rather
under heavy load (as in situations where some form of mailing list or
bulk mailer (presumably a legit newsletter) send large amounts of
messages at once).

Indications (so far) that it really is several children is that the
log entries (the few we've seen) have been during the same few
seconds, the "base queue ID" is the same, the entropy bits have
differed, as has the PIDs.

So far we've only seen reports of this for Postfix, which is why I've
looked through my changes for p record handling (again)... AFAICS,
those couldn't possibly have anything to do with this, since they
behave exactly the same regardless of whether scanmail is set to 1 or
0... Which would lead to duplicates in the normal case too, if that
was at the heart of it.
Hope that was short enough...:-)

Cheers (yeah, still tipsy...:-)
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Fri Feb 8 19:07:04 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 8 19:08:33 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
Message-ID: <22654565.7331202497624061.JavaMail.root@office.splatnix.net>

No looking at code Glenn while drinking ;) You will end up seeing duplicate messages. If I have chance over the weekend will take a look at the code as well.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Glenn Steen" wrote:

> On 08/02/2008, Julian Field wrote:

From alex at nkpanama.com Fri Feb 8 19:37:51 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Fri Feb 8 19:38:30 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
References: <47AB262E.6070808@alunys.com>
    <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
    <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
    <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
    <47AC89B2.80906@ecs.soton.ac.uk>
    <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
Message-ID:

On Feb 8, 2008, at 2:02 PM, Glenn Steen wrote:

> When using Postfix and setting Scan Messages = no (with a ruleset, for
> some....), duplicates are "generated" by several MailScanner children
> picking up and delivering the same message.
It seems to be something > to do with timing, since not all generate this behavior, but rather > under heavy load (as in situations where some form of mailing list or > bulk mailer (presumably a legit newsletter) send large amounts of > messages at once). Could you reproduce the opposite of this behaviour by using "max children = 0"? From cde at alunys.com Fri Feb 8 19:40:53 2008 From: cde at alunys.com (Cedric Devillers) Date: Fri Feb 8 19:42:06 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <47AC89B2.80906@ecs.soton.ac.uk> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> Message-ID: <47ACB045.4090504@alunys.com> Julian Field wrote: > > > Glenn Steen wrote: >> On 08/02/2008, Glenn Steen wrote: > >>> On 08/02/2008, Glenn Steen wrote: >>> >>>> On 07/02/2008, Cedric Devillers wrote: >>>> >>>>> Hello, >>>>> >>>>> I'm trying to revive this thread from the last month because we are >>>>> observing the exact same behavior on one of our servers. >>>>> >>>> Thanks for doing that, and for providing some more info. >>>> >>>> >>>>> So to remember the facts : >>>>> >>>>> - We are using mailscanner with postfix, and duplicated messages are >>>>> generated by mailscanner. >>>>> >>>>> - This system is the only one where we are observing this behavior. It >>>>> have a little particularity : it mainly act as a mail relay, but >>>>> sometimes many mails are generated by the server itself (a script) and >>>>> injected in postfix queues via sendmail command. We can always reproduce >>>>> some duplicated messages with this script. >>>>> >>>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses >>>>> messages, but they are still entering the mailscanner logic (postix -> >>>>> hold queue -> mailscanner (no scan) -> active queue). 
>>>>> >>>> What does the ruleset look like? I'm sure it doesn't matter, but ... >>>> just out of curiosity:-)... >>>> >>>> >>>>> - Mailwatch is running on this server, and for each duplicates we see >>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final >>>>> entry with the full body. Note that the recipient see the full body on >>>>> every duplicate. >>>>> >>>>> It looks like a locking problem, because all duplicates are with the >>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, >>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to >>>>> lock some queue file when message is marked not to be scanned by >>>>> mailscanner ? >>>>> >>>> Yes, this seems plausible... Could you provide some log examples? Just >>>> to see that it really is separate children reading the same queue >>>> file... >>>> >>>> >>>> >>>>> I will not be very helpfull to debug perl code, but i can provide any >>>>> needed logs to help finding the origin of the problem. >>>>> >>>> I'll see what I can do, but... I think this isn't "my" code snippets, >>>> but a thing that might have been present for a while... And I have a >>>> serious lack of time to spend on this ATM (worse than last time, >>>> before Xmas)... So no promises:-). >>>> >>>> >>>>> This is really a serious problem in this particular installation. But i >>>>> must say that we have dozens of other servers that are running >>>>> mailscanner/postfix, and we are very happy about thems :) >>>>> >>>> Does it help if you DO scan with MS, but skip things at the next >>>> level, for example: >>>> Scan Messages = yes >>>> Use SpamAssassin = no >>>> Dangerous Content Scanning = no >>>> ... and possibly a few more (do them with a ruleset, of course:-)? >>>> >>>> >>> BTW, do you have any milters enabled in Postfix? What version of Postfix? >>> >>> Cheers >>> >> I think we need Jules on this one, not only feeble lil' me:-). 
>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless
>> of the scanmail setting... But then, this is a rather complex bit of
>> code, where the "execution path" isn't always as straightforward as it
>> seems... Jules, could you spare a moment or two? Just to look at what
>> could possibly be wrong with the message->scanmail = 0 scenario?
>
> Can you *briefly* explain what the problem is, what the symptoms are and
> where you think the problem might lie? This is a very long thread.... :-)
>
> Jules
>

Hi Julian

The problem is that when sending many messages from the mailscanner host
(here via the sendmail command) and that this host is marked not to be
scanned by mailscanner (via a ruleset for "Scan Messages"), some mails
are duplicated by mailscanner.

The ruleset in question is :

From: 127.0.0.1 no

It seems that when the server is under high load and/or the message sent
is bigger, then the probability to have duplicates (sometimes 4 or 5 by
messages) is higher. Note that this is only based on my impressions
while trying to reproduce the problem :)

I think the problem may be that in this particular case (locally sent
messages, not to be scanned by mailscanner), the file locking is
defective and multiple children are reading the same postfix queue file.

Note that I was not able to reproduce the problem with "Scan Messages =
yes".

You can have a look at this log extract that show duplicates for the ID
11D67CE47AC :

Feb 8 19:44:21 mail postfix/pickup[20676]: 11D67CE47AC: uid=48 from=
Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: hold: header Received: by mail.inforum.be (Postfix, from userid 48)??id 11D67CE47AC; Fri, 8 Feb 2008 19:44:20 +0100 (CET) from local; from=
Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: message-id=<20080208184421.11D67CE47AC@mail.inforum.be>
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 5B8AECE47A2.4FC7C to 08006CE47AB
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 342ACCE47B0.545F4 to E8253CE47A2
Feb 8 19:44:21 mail postfix/qmgr[19269]: 8382ECE473F: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail postfix/qmgr[19269]: E8253CE47A2: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail postfix/qmgr[19269]: 08006CE47AB: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail postfix/qmgr[19269]: 995D8CE47A5: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 5 messages
Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning: Starting
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 8F1BFCE47AC.62C1B to SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message C4702CE473F.14646 to SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 05006CE47AB.74D14 to SQL
Feb 8 19:44:21 mail MailScanner[16596]: 8F1BFCE47AC.62C1B: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 5B8AECE47A2.4FC7C to SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 342ACCE47B0.545F4 to SQL
Feb 8 19:44:21 mail MailScanner[16596]: C4702CE473F.14646: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16596]: 05006CE47AB.74D14: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16596]: 5B8AECE47A2.4FC7C: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16596]: 342ACCE47B0.545F4: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16264]: New Batch: Forwarding 1 unscanned messages, 23120 bytes
Feb 8 19:44:21 mail postfix/pickup[20676]: 5B439CE47AF: uid=48 from=
Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: hold: header Received: by mail.inforum.be (Postfix, from userid 48)??id 5B439CE47AF; Fri, 8 Feb 2008 19:44:21 +0100 (CET) from local; from=
Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: message-id=<20080208184421.5B439CE47AF@mail.inforum.be>
Feb 8 19:44:21 mail MailScanner[16264]: Requeue: 11D67CE47AC.DC14A to B0A22CE47B7
Feb 8 19:44:21 mail MailScanner[16264]: Unscanned: Delivered 1 messages
Feb 8 19:44:21 mail MailScanner[16264]: Virus and Content Scanning: Starting
Feb 8 19:44:21 mail MailScanner[16229]: New Batch: Forwarding 1 unscanned messages, 0 bytes
Feb 8 19:44:21 mail postfix/qmgr[19269]: B0A22CE47B7: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 11D67CE47AC.3898C to 084DCCE47BA
Feb 8 19:44:21 mail postfix/qmgr[19269]: 084DCCE47BA: from=, size=22977, nrcpt=1 (queue active)
Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 1 messages
Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning: Starting
Feb 8 19:44:21 mail MailScanner[16264]: Logging message 11D67CE47AC.DC14A to SQL
Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.DC14A: Logged to MailWatch SQL
Feb 8 19:44:21 mail MailScanner[16229]: Logging message 11D67CE47AC.3898C to SQL
Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.3898C: Logged to MailWatch SQL
Feb 8 19:44:21 mail postfix/smtp[20778]: 9EDC5CE47B2: to=, relay=mail.alunys.com[212.35.119.247], delay=2, status=sent (250 O

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From cde at alunys.com Fri Feb 8 20:08:10 2008
From: cde at alunys.com (Cedric Devillers)
Date: Fri Feb 8 20:09:17 2008
Subject: Mailscanner generated duplicate message
In-Reply-To:
References: <47AB262E.6070808@alunys.com>
    <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
    <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
    <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
    <47AC89B2.80906@ecs.soton.ac.uk>
    <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
Message-ID: <47ACB6AA.50804@alunys.com>

Alex Neuman wrote:
>
> On Feb 8, 2008, at 2:02 PM, Glenn Steen wrote:
>
>> When using Postfix and setting Scan Messages = no (with a ruleset, for
>> some....), duplicates are "generated" by several MailScanner children
>> picking up and delivering the same message. It seems to be something
>> to do with timing, since not all generate this behavior, but rather
>> under heavy load (as in situations where some form of mailing list or
>> bulk mailer (presumably a legit newsletter) send large amounts of
>> messages at once).
>
> Could you reproduce the opposite of this behaviour by using "max
> children = 0"?
>

With this parameter, I cannot reproduce any duplicates so far... So the
children really seem to matter.

Note that the queue scan interval is pretty low on this server too (set
to 2). But that should not cause any duplicates under normal
circumstances I suppose.

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From ugob at lubik.ca Fri Feb 8 20:54:23 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Fri Feb 8 20:54:48 2008
Subject: Anyone wrote a SpamAssassin rule for this one
Message-ID:

I got plenty of them, I was just wondering if someone had a rule before
writing one:

==================================

Just as we predicted!

PERMANENT TECH
***PERT***
Recent: $0.53
90 days ago .03
52 W Range: $0.02- $0.58

What may make this the BEST INVESTMENT OPPORTUNITY OF 2008 is that [* PERT *] went public very quietly late last year. Hardly anyone knows about [* PERT *] yet or the AMAZINGLY HUGE POTENTIAL this company has for MONSTER REVENUE or a POTENTIAL Billi0n DOLLAR BUYOUT.
With Yesterdays News we think this may Double in a very short time. The last time we featured a company in this position it went from .26 to 2.87 in just 2 weeks afert tests ended and contract was signed. The Goverment is a BIG Buyer. *************READ BELOW*************** United States Navy Tests Permanent Technologies' TineLok Fastening System Monday February 4, 8:00 am ET TineLok Vibration-Proof Fastening System is Currently Installed for Testing on the U.S. Navy's Newest Advanced Hovercraft HAUPPAUGE, N.Y., Feb. 4 /PRNewswire-FirstCall/ -- Permanent Technologies, Inc. (Pink Sheets: PERT - News) announced that the United States Navy is currently testing their TineLok Vibration-Proof Fastening System in their newest Hovercraft, the Landing Craft, Air Cushion (LCAC). The LCAC is a high-speed, over-the-beach, fully amphibious landing craft, used to transport heavy payloads of equipment (up to 75 tons), cargo and personnel from ship to shore for the Marine Air-Ground Task Force. The TineLok fasteners have been installed on the Hovercraft for almost a year and according to feedback from the Navy the fasteners have worked flawlessly to date. "We are confident that the TineLok will perform to the U.S. Navy's exacting high-vibration requirements for this strategic project," stated Loren Ball, President and CEO of Permanent Technologies, Inc. "In addition to the performance requirements, we believe TineLok also gives the Navy the ability to make repairs, adjustments and service the components in the field without any special tools -- a major feature of the TineLok System." About Permanent Technologies, Inc. Permanent Technologies is the inventor and manufacturer of the award winning TineLok Fastening System -- a family of fasteners that are designed to hold tight in the most demanding, extreme and harshest conditions, environments and applications. 
The TineLok Fastening System's vibration-proof, self-locking technology is an affordable alternative to traditional fasteners when increased safety, reliability, operating life and reduced maintenance is desired or required. The Company has been granted numerous patents both in the U.S. and internationally for the TineLok technology. ================================================== Regards, Ugo From glenn.steen at gmail.com Fri Feb 8 21:33:32 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 21:38:09 2008 Subject: Mailscanner generated duplicate message In-Reply-To: References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> Message-ID: <223f97700802081333j54395f4ey3cc5a54bb331e975@mail.gmail.com> On 08/02/2008, Alex Neuman wrote: > > On Feb 8, 2008, at 2:02 PM, Glenn Steen wrote: > > > When using Postfix and setting Scan Messages = no (with a rulset, for > > some....), duplicates are "generated" by several MailScanner children > > picking up and delivering the same message. It seems to be something > > to do with timing, since not all generate this behavior, but rather > > under heavy load (as in situations where some form of mailing list or > > bulk mailer (presumably a legit newsletter) send large amounts of > > messages at once). > > Could you reproduce the opposite of this behaviour by using "max > children = 0"? > The reports we had before Xmas indicate this, yes. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 21:32:21 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 21:39:20 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <22654565.7331202497624061.JavaMail.root@office.splatnix.net> References: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> <22654565.7331202497624061.JavaMail.root@office.splatnix.net> Message-ID: <223f97700802081332m619069fk52117488ec5690e6@mail.gmail.com> On 08/02/2008, --[ UxBoD ]-- wrote: > No looking at code Glenn while drinking ;) You will end up seeing duplicate messages. If I have chance over the weekend will take a look at the code aswell. > > Regards, > Thanks... Any help appreciated! ... with code scrutiny that is....:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 8 21:39:10 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 8 21:39:24 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <47ACB045.4090504@alunys.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <47ACB045.4090504@alunys.com> Message-ID: <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com> On 08/02/2008, Cedric Devillers wrote: > Julian Field wrote: > > > > > > Glenn Steen wrote: > >> On 08/02/2008, Glenn Steen wrote: > > > >>> On 08/02/2008, Glenn Steen wrote: > >>> > >>>> On 07/02/2008, Cedric Devillers wrote: > >>>> > >>>>> Hello, > >>>>> > >>>>> I'm trying to revive this thread from the last month because we are > >>>>> observing the exact same behavior on one of our servers. 
> >>>>> > >>>> Thanks for doing that, and for providing some more info. > >>>> > >>>> > >>>>> So to remember the facts : > >>>>> > >>>>> - We are using mailscanner with postfix, and duplicated messages are > >>>>> generated by mailscanner. > >>>>> > >>>>> - This system is the only one where we are observing this behavior. It > >>>>> have a little particularity : it mainly act as a mail relay, but > >>>>> sometimes many mails are generated by the server itself (a script) and > >>>>> injected in postfix queues via sendmail command. We can always reproduce > >>>>> some duplicated messages with this script. > >>>>> > >>>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses > >>>>> messages, but they are still entering the mailscanner logic (postix -> > >>>>> hold queue -> mailscanner (no scan) -> active queue). > >>>>> > >>>> What does the ruleset look like? I'm sure it doesn't matter, but ... > >>>> just out of curiosity:-)... > >>>> > >>>> > >>>>> - Mailwatch is running on this server, and for each duplicates we see > >>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final > >>>>> entry with the full body. Note that the recipient see the full body on > >>>>> every duplicate. > >>>>> > >>>>> It looks like a locking problem, because all duplicates are with the > >>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, > >>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to > >>>>> lock some queue file when message is marked not to be scanned by > >>>>> mailscanner ? > >>>>> > >>>> Yes, this seems plausible... Could you provide some log examples? Just > >>>> to see that it really is separate children reading the same queue > >>>> file... > >>>> > >>>> > >>>> > >>>>> I will not be very helpfull to debug perl code, but i can provide any > >>>>> needed logs to help finding the origin of the problem. > >>>>> > >>>> I'll see what I can do, but... 
I think this isn't "my" code snippets, > >>>> but a thing that might have been present for a while... And I have a > >>>> serious lack of time to spend on this ATM (worse than last time, > >>>> before Xmas)... So no promises:-). > >>>> > >>>> > >>>>> This is really a serious problem in this particular installation. But i > >>>>> must say that we have dozens of other servers that are running > >>>>> mailscanner/postfix, and we are very happy about thems :) > >>>>> > >>>> Does it help if you DO scan with MS, but skip things at the next > >>>> level, for example: > >>>> Scan Messages = yes > >>>> Use SpamAssassin = no > >>>> Dangerous Content Scanning = no > >>>> ... and possibly a few more (do them with a ruleset, of course:-)? > >>>> > >>>> > >>> BTW, do you have any milters enabled in Postfix? What version of Postfix? > >>> > >>> Cheers > >>> > >> I think we need Jules on this one, not only feeble lil' me:-). > >> AFAICS, the locking/unlocking is handled _exactly_ the same regardless > >> of the scanmail setting... But then, this is a rather complex bit of > >> code, where the "execution path" isn't always as straightforward as it > >> seems... Jules, could you spare a moment or two? Just to look at what > >> could possibly be wrong with the message->scanmail = 0 scenario? > > > > > > Can you *briefly* explain what the problem is, what the symptoms are and > > where you think the problem might lie? This is a very long thread.... :-) > > > > Jules > > > > Hi Julian > > The problem is that when sending many messages from the mailscanner host > (here via the sendmail command) and that this host is marked not to be > scanned by mailscanner (via a ruleset for "Scan Messages"), some mails > are duplicated by mailscanner. > > The ruleset in question is : > From: 127.0.0.1 no > > It seems that when the server is under high load and/or the message sent > is bigger, then the probability to have duplicates (sometimes 4 or 5 by > messages) is higher. 
Note that this is only based on my impressions
> while trying to reproduce the problem :)
>
> I think the problem may be that in this particular case (locally sent
> messages, not to be scanned by mailscanner), the file locking is
> defective and multiple children are reading the same postfix queue file.
> Note that I was not able to reproduce the problem with "Scan Messages =
> yes".
>
> You can have a look at this log extract that shows duplicates for the ID
> 11D67CE47AC :
>
> Feb 8 19:44:21 mail postfix/pickup[20676]: 11D67CE47AC: uid=48
> from=
> Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: hold: header
> Received: by mail.inforum.be (Postfix, from userid 48)??id 11D67CE47AC;
> Fri, 8 Feb 2008 19:44:20 +0100 (CET) from local; from=
> Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC:
> message-id=<20080208184421.11D67CE47AC@mail.inforum.be>
> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 5B8AECE47A2.4FC7C to
> 08006CE47AB
> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 342ACCE47B0.545F4 to
> E8253CE47A2
> Feb 8 19:44:21 mail postfix/qmgr[19269]: 8382ECE473F:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail postfix/qmgr[19269]: E8253CE47A2:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail postfix/qmgr[19269]: 08006CE47AB:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail postfix/qmgr[19269]: 995D8CE47A5:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 5 messages
> Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning:
> Starting
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 8F1BFCE47AC.62C1B to SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> C4702CE473F.14646 to SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 05006CE47AB.74D14 to SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 8F1BFCE47AC.62C1B: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 5B8AECE47A2.4FC7C to SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 342ACCE47B0.545F4 to SQL
> Feb 8 19:44:21 mail MailScanner[16596]: C4702CE473F.14646: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 05006CE47AB.74D14: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 5B8AECE47A2.4FC7C: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 342ACCE47B0.545F4: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16264]: New Batch: Forwarding 1
> unscanned messages, 23120 bytes
> Feb 8 19:44:21 mail postfix/pickup[20676]: 5B439CE47AF: uid=48
> from=
> Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: hold: header
> Received: by mail.inforum.be (Postfix, from userid 48)??id 5B439CE47AF;
> Fri, 8 Feb 2008 19:44:21 +0100 (CET) from local; from=
> Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF:
> message-id=<20080208184421.5B439CE47AF@mail.inforum.be>
> Feb 8 19:44:21 mail MailScanner[16264]: Requeue: 11D67CE47AC.DC14A to
> B0A22CE47B7
> Feb 8 19:44:21 mail MailScanner[16264]: Unscanned: Delivered 1 messages
> Feb 8 19:44:21 mail MailScanner[16264]: Virus and Content Scanning:
> Starting
> Feb 8 19:44:21 mail MailScanner[16229]: New Batch: Forwarding 1
> unscanned messages, 0 bytes
> Feb 8 19:44:21 mail postfix/qmgr[19269]: B0A22CE47B7:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 11D67CE47AC.3898C to
> 084DCCE47BA
> Feb 8 19:44:21 mail postfix/qmgr[19269]: 084DCCE47BA:
> from=, size=22977, nrcpt=1 (queue active)
> Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 1 messages
> Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning:
> Starting
> Feb 8 19:44:21 mail MailScanner[16264]: Logging message
> 11D67CE47AC.DC14A to SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.DC14A: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail MailScanner[16229]: Logging message
> 11D67CE47AC.3898C to SQL
> Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.3898C: Logged to
> MailWatch SQL
> Feb 8 19:44:21 mail postfix/smtp[20778]: 9EDC5CE47B2:
> to=, relay=mail.alunys.com[212.35.119.247], delay=2,
> status=sent (250 O
>

Thanks Cedric, this, and the child thing suggested by alex, corroborate the theory of what is going bad, limiting what need be scrutinized.... which is a good thing:-).
Still, I've been looking and can't for the life of me see where it goes haywire....:-/
Hopefully Jules (or Phil... or me a bit more sober...:-) will find something.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mkettler at evi-inc.com Fri Feb 8 21:49:40 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Feb 8 21:50:14 2008
Subject: Anyone wrote a SpamAssassin rule for this one
In-Reply-To:
References:
Message-ID: <47ACCE74.5040406@evi-inc.com>

Ugo Bellavance wrote:
> I got plenty of them, I was just wondering if someone had a rule before
> writing one:
>

Your post matched these rules on my system:

X-EVI-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.082, required 5, FUZZY_BILLION 1.93, LOCAL_INVEST_OP 0.50, SARE_LWPINK 1.66, SPF_PASS -0.00)

That's not enough to tag it, but it's a good start.

LOCAL_INVEST_OP is one of my custom rules. It is potentially false positive prone on things like the motley fool newsletters, but I keep the score low:

body LOCAL_INVEST_OP /\binvestment opportunit(?:y|ies)\b/i
score LOCAL_INVEST_OP 0.5

SARE_LWPINK is from 70_sare_stocks.cf.

FUZZY_BILLION is from the default SA ruleset, although 3.2.x scores it at 0 due to low hit count in the test corpus. You could re-enable it by giving it a nonzero score.
The 3.1.x defaults were:

score FUZZY_BILLION 2.400 0.914 2.727 1.925

From cotharyus at gmail.com Sat Feb 9 03:02:14 2008
From: cotharyus at gmail.com (Drew)
Date: Sat Feb 9 03:02:23 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com>
    <715841970802070811n3b4dff31h995e844c23fba0b5@mail.gmail.com>
    <20080207132037.6e0f17ae@scorpio>
    <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
    <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com>
    <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com>
    <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com>
    <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com>
    <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com>
Message-ID: <715841970802081902h55b7f2d0iba4bff689b99ec0@mail.gmail.com>

Glenn,
Thanks. Reading back over this, my last response probably sounded bad, I don't want you guys to think I don't appreciate the suggestions so far - it usually is the silly little things we overlook.
That said, after deinstalling _all_ ports, cvsup'ing everything to a sync'd state, and building back in the ports I need to make all this stuff run (indicated by previous experience), I'm still getting the same error on the mailwatch interface:

/libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol "PL_exit_flags"

As postfix, I get this:

root@colossus(/var/db/pkg)# whoami
postfix
root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
/libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: Undefined symbol "Perl_Tstack_sp_ptr"

next, www:

root@colossus(/var/db/pkg)# whoami
www
root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
/libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: Undefined symbol "Perl_Tstack_sp_ptr"

And just for consistency's sake:

root@colossus(/var/db/pkg)# whoami
root
root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
/libexec/ld-elf.so.1: /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: Undefined symbol "Perl_Tstack_sp_ptr"

So it's safe to say we can rule out the output we're getting from mailwatch, and assume we're getting different errors at this point. I may try to sort out this perl issue before I nuke this box and start over. Anyone got any off the cuff suggestions?

On Feb 8, 2008 6:31 AM, Glenn Steen wrote:
> On 08/02/2008, Drew wrote:
> > Actually, the reason the bayes stuff shows up is because the system
> hasn't
> > processed any mail, and I haven't put any start dbs there. All
> permissions
> > should be fine, it was one of the first things I checked. Unfortunately,
> at
> > this time, I've basically ripped this system (which was originally 5.0,
> and
> > has been upgraded over time to 6.3) down to essentially nothing but a
> bare
> > install, and reinstalled everything.
In the process a few things broke,
> > which I should have fixed soon, in which case if things _still_ don't
> work,
> > I'll be more than happy to run all tests as postfix and www. Of course,
> if
> > this doesn't work, I may just nuke this install altogether and go with a
> > fresh install, where I've set all of this software up and gotten it
> working
> > twice without having to do as much as scratch my head over it.
> >
> :-)
> We'll be here, if you need us.
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From mikea at mikea.ath.cx Sat Feb 9 03:53:03 2008
From: mikea at mikea.ath.cx (mikea)
Date: Sat Feb 9 03:53:15 2008
Subject: [ot] internal ip address
In-Reply-To: <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>
References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com>
    <47A9B676.1010705@USherbrooke.ca>
    <47A9FE7A.8080308@vanderkooij.org>
    <47AA07B6.2090702@evi-inc.com>
    <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com>
    <47AB2D43.9020700@evi-inc.com>
    <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com>
Message-ID: <20080209035303.GB33694@mikea.ath.cx>

On Thu, Feb 07, 2008 at 09:52:10PM +0100, Glenn Steen wrote:
> On 07/02/2008, Matt Kettler wrote:
> > Glenn Steen wrote:
> > > For the
> > > vast majority of organizations, this is a very minor threat, not worth
> > > breaking RFC...
> >
> > Like.. gmail?
> :-) > > > Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14 > > > > Actually, AFAIK, that doesn't actually violate the RFCs.. you MUST add a > > Received: header, but I don't see anything in 2821/2822/1123 requiring you to > > add a from clause. > Ah, but the "breakage" is in _removing_ a Received line added by > another SMTP server, be that internal or not... Hm, maybe I'm an > idiot, and the original question was just about the Received line > added by the MS gw... Sigh. Just goes to show one shouldn't try to do > more than three things simultaneously (I got my new DB servers today, > or rather the storage and racks... as a surprise "here we are, four > workdays early.... Where should we put them?" kind of thing, on a busy > day...). Sorry, might've be me typing without much afterthought. > > > > I'm not saying you're wrong, just that it is ... really minor... > > > compared to a lot of other email-related threats:-)... Yes, you can > > > counter with "your generalization is bigger than mine"... I know I do > > > it too...:-) > > > > > > On the whole, I see very little _real possibility_ of damages from this. > > > It is a leakage, yes.... but negligible in most cases. that's MHO ate least:-). If it is _Vital_ to keep the shape of the internal network hidden, then the leakage is a problem. Otherwise, it's just another piece of the puzzle to be tacked up on the wall. Intelligence organizations make their livings by putting together such puzzles. You have to make a decision about how much of the puzzle you're comfortable having on the wall. It almost always is more than you know is on the wall. > > I would agree in most cases it is very minor or negligible. I never said this > > applied to most, or even very many people. > See above, me reading too fast:-). > I tend to react to "security by obscurity" or "the auditor said this > is bad for everyone" kind of arguments, where one hasn't done any form > of risk assessment... 
so that was probably what got me going:-). I lost absolutely all respect for the external auditors hired by our internal auditing group for an IT audit when one of them: o handed me a CDROM and told me to "boot" our very large IBM mainframe computer from it; and then o refused to believe that I couldn't "open" the NETBEUI port on the mainframe for him. The IBM mainframe doesn't "boot" from CDROM, but from very large disk. There is not an IBM-supplied listener for NETBEUI, and we don't run one. These, unfortunately, are the sorts of things that one gets from the run-of-the-mill auditors, who download a checklist and run down it, one question at a time, one size fits all. > > My only point was the "if it's unroutable, you can't hack it" argument isn't a > > very complete view of network security. > Quite true. As usual,I find we're in violent agreement (of a > sorts:-). I truly value your comments. OTOH, if you don't route it, they can't get to it directly, which may satisfy your needs. Preventing information leaks, whether direct or indirect, overt or covert, is a *much* knottier problem, and one that is in the general case insoluble. An air-gap firewall and TEMPEST shielding to NACSIM 5100A or better is -- or so the government hopes -- at least a good start. 
-- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From glenn.steen at gmail.com Sat Feb 9 09:32:44 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 9 09:32:54 2008 Subject: [ot] internal ip address In-Reply-To: <20080209035303.GB33694@mikea.ath.cx> References: <20080206083927.A325516427A@ws1-4.us4.outblaze.com> <47A9B676.1010705@USherbrooke.ca> <47A9FE7A.8080308@vanderkooij.org> <47AA07B6.2090702@evi-inc.com> <223f97700802070139q247fe1b7s97237054d9d20782@mail.gmail.com> <47AB2D43.9020700@evi-inc.com> <223f97700802071252q5f06c02dkd91592028985dd31@mail.gmail.com> <20080209035303.GB33694@mikea.ath.cx> Message-ID: <223f97700802090132g5580ed20le73bf68310bf3c42@mail.gmail.com> On 09/02/2008, mikea wrote: > On Thu, Feb 07, 2008 at 09:52:10PM +0100, Glenn Steen wrote: > > On 07/02/2008, Matt Kettler wrote: > > > Glenn Steen wrote: > > > > For the > > > > vast majority of organizations, this is a very minor threat, not worth > > > > breaking RFC... > > > > > > Like.. gmail? > > :-) > > > > > Received: by wa-out-1112.google.com with SMTP id m16so1283782waf.14 > > > > > > Actually, AFAIK, that doesn't actually violate the RFCs.. you MUST add a > > > Received: header, but I don't see anything in 2821/2822/1123 requiring you to > > > add a from clause. > > Ah, but the "breakage" is in _removing_ a Received line added by > > another SMTP server, be that internal or not... Hm, maybe I'm an > > idiot, and the original question was just about the Received line > > added by the MS gw... Sigh. Just goes to show one shouldn't try to do > > more than three things simultaneously (I got my new DB servers today, > > or rather the storage and racks... as a surprise "here we are, four > > workdays early.... Where should we put them?" kind of thing, on a busy > > day...). Sorry, might've be me typing without much afterthought. > > > > > > I'm not saying you're wrong, just that it is ... really minor... > > > > compared to a lot of other email-related threats:-)... 
Yes, you can > > > > counter with "your generalization is bigger than mine"... I know I do > > > > it too...:-) > > > > > > > > On the whole, I see very little _real possibility_ of damages from this. > > > > It is a leakage, yes.... but negligible in most cases. that's MHO ate least:-). > > If it is _Vital_ to keep the shape of the internal network hidden, > then the leakage is a problem. Otherwise, it's just another piece of > the puzzle to be tacked up on the wall. Intelligence organizations > make their livings by putting together such puzzles. You have to make > a decision about how much of the puzzle you're comfortable having on > the wall. It almost always is more than you know is on the wall. True, but most of us do not contend with ... organizations that have a LOT of money to spend on things like these:-). But as the scout says..... :-) > > > I would agree in most cases it is very minor or negligible. I never said this > > > applied to most, or even very many people. > > See above, me reading too fast:-). > > I tend to react to "security by obscurity" or "the auditor said this > > is bad for everyone" kind of arguments, where one hasn't done any form > > of risk assessment... so that was probably what got me going:-). > > I lost absolutely all respect for the external auditors hired by our > internal auditing group for an IT audit when one of them: > o handed me a CDROM and told me to "boot" our very large IBM > mainframe computer from it; and then > o refused to believe that I couldn't "open" the NETBEUI port on the > mainframe for him. > The IBM mainframe doesn't "boot" from CDROM, but from very large disk. > There is not an IBM-supplied listener for NETBEUI, and we don't run > one. Been there, done that too. > These, unfortunately, are the sorts of things that one gets from > the run-of-the-mill auditors, who download a checklist and run down > it, one question at a time, one size fits all. Yeah, but OTOH some auditors actually know what they're about. 
It's just a bit frustrating that one cannot choose which auditor you get:-):-). We do internal audits about once a year, were we choose a trusted firm, with really good auditors. And once a year we get the other kind foisted on us "from above". Sigh. > > > My only point was the "if it's unroutable, you can't hack it" argument isn't a > > > very complete view of network security. > > Quite true. As usual,I find we're in violent agreement (of a > > sorts:-). I truly value your comments. > > OTOH, if you don't route it, they can't get to it directly, which may > satisfy your needs. Preventing information leaks, whether direct or > indirect, overt or covert, is a *much* knottier problem, and one that > is in the general case insoluble. An air-gap firewall and TEMPEST > shielding to NACSIM 5100A or better is -- or so the government hopes > -- at least a good start. Yeah, but still.... an insider with some knowledge (or equally bad, without....:-) will defeat most things...:-( Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Feb 9 10:27:31 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 9 10:27:41 2008 Subject: Mailscanner segfaults on spamassassin lint test In-Reply-To: <715841970802081902h55b7f2d0iba4bff689b99ec0@mail.gmail.com> References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com> <20080207132037.6e0f17ae@scorpio> <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com> <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com> <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com> <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com> <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com> <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com> <715841970802081902h55b7f2d0iba4bff689b99ec0@mail.gmail.com> Message-ID: <223f97700802090227q36e0cdb7rcf61cee86c71c691@mail.gmail.com> On 09/02/2008, Drew 
wrote: > Glenn, > Thanks. Reading back over this, my last response probably sounded bad, I > don't want you guys to think I don't appreciate the suggestions so far - it > usually is the silly little things we overlook. That said, after > deinstalling _all_ ports, cvsup'ing everything to a sycn'd state, and > building back in the ports I need to make all this stuff run (indicated by > previous experience), I'm still getting the same error on the mailwatch > interface: > > /libexec/ld-elf.so.1: /usr/local/bin/perl5.8.8: Undefined symbol > "PL_exit_flags" > > As postfix, I get this: > > root@colossus(/var/db/pkg)# whoami > postfix > root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA > /libexec/ld-elf.so.1: > /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: > Undefined symbol "Perl_Tstack_sp_ptr" > > next, www: > > root@colossus(/var/db/pkg)# whoami > www > root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA > /libexec/ld-elf.so.1: > /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: > Undefined symbol "Perl_Tstack_sp_ptr" > > And just for consistancy's sake: > > root@colossus(/var/db/pkg)# whoami > root > root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA > /libexec/ld-elf.so.1: > /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so: > Undefined symbol "Perl_Tstack_sp_ptr" > > > So it's safe to say we can rule out the output we're getting from > mailwatch, and assume we're getting different errors at this point. I may > try to sort out this perl issue before I nuke this box and start over. > Anyone got any off the cuff suggestions? > Splendid, now we know that this is solely a perl (build) problem, and not really a problem with MS or MW. Good. Googling for similar problems, one can see that this is indicative.... Hm, start by rebuilding the base perl package, then every little pm...... Sounds fun? No. Perhaps faster/easier to just call it quits and start from scratch;-). 
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From drew.marshall at technologytiger.net Sat Feb 9 15:39:11 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Sat Feb 9 15:39:23 2008
Subject: Mailscanner segfaults on spamassassin lint test
In-Reply-To: <223f97700802090227q36e0cdb7rcf61cee86c71c691@mail.gmail.com>
References: <715841970802070235r449c5dddt4672c09820fb3dbc@mail.gmail.com>
    <20080207132037.6e0f17ae@scorpio>
    <715841970802071045q58f092d1qb5e133eb828bb455@mail.gmail.com>
    <223f97700802071420h977cffdw5974794d1625d886@mail.gmail.com>
    <715841970802071433n13748356v7a6e6b82f97ac8c2@mail.gmail.com>
    <223f97700802080327i5c9eab52n6fcaaabca4c39e86@mail.gmail.com>
    <715841970802080420i4f724db8h4b501e76098351bd@mail.gmail.com>
    <223f97700802080431j44e89b87y4f4ae1fa2a89c510@mail.gmail.com>
    <715841970802081902h55b7f2d0iba4bff689b99ec0@mail.gmail.com>
    <223f97700802090227q36e0cdb7rcf61cee86c71c691@mail.gmail.com>
Message-ID: <33191D2B-B183-4ABB-AE23-2389D07140FC@technologytiger.net>

On 9 Feb 2008, at 10:27, Glenn Steen wrote:
> On 09/02/2008, Drew wrote:
>> root@colossus(/var/db/pkg)# whoami
>> root
>> root@colossus(/var/db/pkg)# mailscanner --debug --debug-SA
>> /libexec/ld-elf.so.1:
>> /usr/local/lib/perl5/site_perl/5.8.8/mach/auto/MIME/Base64/Base64.so:
>> Undefined symbol "Perl_Tstack_sp_ptr"
>>
>>
>> So it's safe to say we can rule out the output we're getting from
>> mailwatch, and assume we're getting different errors at this point.
>> I may
>> try to sort out this perl issue before I nuke this box and start
>> over.
>> Anyone got any off the cuff suggestions?
>>
> Splendid, now we know that this is solely a perl (build) problem, and
> not really a problem with MS or MW. Good.
> Googling for similar problems, one can see that this is indicative....
> Hm, start by rebuilding the base perl package, then every little
> pm...... Sounds fun? No.
> Perhaps faster/easier to just call it quits and start from scratch;-).

From one Drew to another (There aren't that many of us, certainly that I have come across)

How did you build Perl? If it was from ports, did you make sure that you are building all your perl modules etc against the right perl (i.e. port not base) and that /usr/bin/perl points to the right version.

This article might be of use http://freebsd.munk.me.uk/archives/160-Upgrading-Perl-On-FreeBSD.html (or be good fodder for /dev/null depending ;-) )

Regards

Drew

From v at vladville.com Sat Feb 9 20:14:11 2008
From: v at vladville.com (Vlad Mazek)
Date: Sat Feb 9 20:14:20 2008
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL
In-Reply-To: <47AC87AE.6010608@ecs.soton.ac.uk>
References: <47AB3006.2010303@USherbrooke.ca>
    <47AB3451.2060500@sendit.nodak.edu>
    <47AB43F5.9030004@sendit.nodak.edu>
    <47ABC7CD.5000505@sendit.nodak.edu>
    <47AC87AE.6010608@ecs.soton.ac.uk>
Message-ID:

Ok, that is so embarrassing. I am not sure how I didn't see that, particularly because it was 5 lines below the spam lists rule. :(

Followup question - do the whitelist and blacklist rules still apply (mailscanner b/w list) if Spamassassin is skipped?

-Vlad

On 2/8/08, Julian Field wrote:
>
> But if you set
> Check SpamAssassin If On Spam List = no
> then it won't.
>
> Vlad Mazek wrote:
> > Tried that earlier today, no difference in behavior. MailScanner finds
> > it on SBL+XBL but proceeds to put it through SA anyhow.
> >
>

From ssilva at sgvwater.com Sat Feb 9 22:33:04 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Feb 9 22:33:24 2008
Subject: {Disarmed} Re: Skipping SpamAssassin if sender is on an RBL
In-Reply-To:
References: <47AB3006.2010303@USherbrooke.ca>
    <47AB3451.2060500@sendit.nodak.edu>
    <47AB43F5.9030004@sendit.nodak.edu>
Message-ID:

on 2/7/2008 5:40 PM Vlad Mazek spake the following:
> Doesn't work like that in the business world...
>
> Remote Sender: I sent you the email.
> Internal Recipient: We didn't get the email.
>
> Five minutes later, IT is getting chewed out for blocking customers
> emails that almost always involve a $10 million dollar transaction for a
> company that doesn't have any extra room in the budget to beef up the
> security........
>
I have had to show logs to exec's showing that we actually didn't see any activity from some senders. And then the next day the mail will show up with headers showing it sat in an exchange queue for 24 hours.

But I know what you are talking about. Fortunately, I work for a water utility, so our customers can't "go somewhere else" without selling their property and moving. Nothing like a captive audience! 8-P

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From cotharyus at gmail.com Sun Feb 10 02:46:15 2008
From: cotharyus at gmail.com (Drew)
Date: Sun Feb 10 02:46:25 2008
Subject: perl clamav module - what does it do?
Message-ID: <715841970802091846j2c7cc8c0k9cec764ee39ac321@mail.gmail.com>

What does mailscanner use the perl clamav module for?
I see it come up as missing when I do a mailscanner -v but everything seems to be working without it. I'll hazard a guess that this is specifically for the clamav module (which I'm not using), and so it won't affect me. Anyone care to confirm this or point out any errors in my assumption? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080209/9aef3171/attachment.html From shuttlebox at gmail.com Sun Feb 10 10:48:46 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Sun Feb 10 10:48:55 2008 Subject: perl clamav module - what does it do? In-Reply-To: <715841970802091846j2c7cc8c0k9cec764ee39ac321@mail.gmail.com> References: <715841970802091846j2c7cc8c0k9cec764ee39ac321@mail.gmail.com> Message-ID: <625385e30802100248q1477b9c9necffed77d70c46b9@mail.gmail.com> On Feb 10, 2008 3:46 AM, Drew wrote: > What does mailscanner use the perl clamav module for? I see it come up as > missing when I do a mailscanner -v but everything seems to be working > without it. I'll hazard a guess that this is specifically for the clamav > module (which I'm not using), and so it won't affect me. Anyone care to > confirm this or point out any errors in my assumption? It's one of three ways to use Clam AV. Either you use clamscan, clamd or the clam perl module. It's listed under optional modules. -- /peter From kate at rheel.co.nz Sun Feb 10 20:57:07 2008 From: kate at rheel.co.nz (Kathryn Allan) Date: Sun Feb 10 20:56:55 2008 Subject: can you strip attachments to a folder Message-ID: <47AF6523.7080803@rheel.co.nz> Hi all, Have had a request to do this and was wondering if it is even possible. Can I set mailscanner up so that any emails from a specific address - if they have an attachment, the attachment gets stripped and dumped in a specific folder? 
Thanks Kate From MailScanner at ecs.soton.ac.uk Sun Feb 10 22:29:16 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Feb 10 22:29:43 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AF6523.7080803@rheel.co.nz> References: <47AF6523.7080803@rheel.co.nz> Message-ID: <47AF7ABC.60805@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MailScanner doesn't get involved in message delivery at all (that's your MTA's job) and so this isn't easily possible, no. Sorry. Kathryn Allan wrote: > Hi all, > > Have had a request to do this and was wondering if it is even possible. > > Can I set mailscanner up so that any emails from a specific address - > if they have an attachment, the attachment gets stripped and dumped in > a specific folder? > > Thanks > Kate Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.7.0 (Build 1012) Comment: Use Thunderbird's Enigmail add-on to verify this message Charset: ISO-8859-1 wj8DBQFHr3q+EfZZRxQVtlQRAgMDAJoDLHA1yJba15kRAZzMKhxmyoSw7ACgwHor BCwCcBX5q/i91iU2ACphf6Y= =q/9E -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From hvdkooij at vanderkooij.org Sun Feb 10 22:49:43 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Feb 10 22:50:53 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AF7ABC.60805@ecs.soton.ac.uk> References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> Message-ID: <47AF7F87.3010907@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: | MailScanner doesn't get involved in message delivery at all (that's your | MTA's job) and so this isn't easily possible, no. Wouldn't it be possible to deliver the message without attachments and store the full message? That might be close enough. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHr3+GBvzDRVjxmYERAnQWAKCjCkmz2p1zNaQrc21yqncJwcTlnQCfbcXI ZqiGpkHm/VBMYx2JaAv5cao= =z5lQ -----END PGP SIGNATURE----- From kate at rheel.co.nz Mon Feb 11 01:43:54 2008 From: kate at rheel.co.nz (Kathryn Allan) Date: Mon Feb 11 01:43:42 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AF7F87.3010907@vanderkooij.org> References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> <47AF7F87.3010907@vanderkooij.org> Message-ID: <47AFA85A.1040403@rheel.co.nz> Its not really message delivery I need though the email attachment doesn't ever go through to an email account but rather would be stored in a folder for another program to access. Kate Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > | MailScanner doesn't get involved in message delivery at all (that's > your > | MTA's job) and so this isn't easily possible, no. 
> > Wouldn't it be possible to deliver the message without attachments and > store the full message? That might be close enough. > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFHr3+GBvzDRVjxmYERAnQWAKCjCkmz2p1zNaQrc21yqncJwcTlnQCfbcXI > ZqiGpkHm/VBMYx2JaAv5cao= > =z5lQ > -----END PGP SIGNATURE----- -- Kate Kleinschafer Internet Services GetRheel /A division of Rheel Electronics Ltd / Phone +64-3-386 3070 Fax +64-3-386-3071 Mobile +64-21-386-394 email: kate@rheel.co.nz www.getrheel.co.nz This e-mail together with any attachments is confidential, may be subject to legal privilege and may contain proprietary information, including information protected by copyright. If you are not the intended recipient, please do not copy, use or disclose this e-mail; please notify us immediately by return e-mail and then delete this e-mail. From devonharding at gmail.com Mon Feb 11 02:17:06 2008 From: devonharding at gmail.com (Devon Harding) Date: Mon Feb 11 02:17:15 2008 Subject: Outbound relay on 587 Message-ID: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> My ISP (Comcast) is of course blocking port 25 inbound and out. How can I configure MailScanner to relay all outbound mail to my easyDNS servers via port 587? Thanks, -Devon -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080210/385cbc0c/attachment.html From apu at nocservices.com Mon Feb 11 02:57:43 2008 From: apu at nocservices.com (Apu) Date: Mon Feb 11 02:58:04 2008 Subject: Outbound relay on 587 In-Reply-To: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> Message-ID: <47AFB9A7.50804@nocservices.com> Devon Harding wrote, On 2/10/08 9:17 PM: > My ISP (Comcast) is of course blocking port 25 inbound and out. How can I > configure MailScanner to relay all outbound mail to my easyDNS servers via > port 587? Check your MTA (sendmail, postfix, etc.) to send via a "smart host." For sendmail, add a define(`SMART_HOST', `mail.isp.net') to your sendmail.mc and regenerate sendmail.cf -- Apu NOC Services Corp. www.nocservices.com From apu at nocservices.com Mon Feb 11 03:10:16 2008 From: apu at nocservices.com (Apu) Date: Mon Feb 11 03:10:30 2008 Subject: Outbound relay on 587 In-Reply-To: <47AFB9A7.50804@nocservices.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> Message-ID: <47AFBC98.9030403@nocservices.com> Apu wrote, On 2/10/08 9:57 PM: > Devon Harding wrote, On 2/10/08 9:17 PM: >> My ISP (Comcast) is of course blocking port 25 inbound and out. How >> can I >> configure MailScanner to relay all outbound mail to my easyDNS servers >> via >> port 587? > > Check your MTA (sendmail, postfix, etc.) to send via a "smart host." > > For sendmail, add a > > define(`SMART_HOST', `mail.isp.net') > > to your sendmail.mc and regenerate sendmail.cf Sorry to reply to myself... but to clarify my off-topic post... define(`SMART_HOST', `mail.isp.net') by itself will send via port 25 and is good if you want to send via Comcast's servers. 
If you want to send via another server and port 587, you want both define(`SMART_HOST', `mail.isp.net') define(`RELAY_MAILER_ARGS', `TCP $h 587') -- Apu NOC Services Corp. www.nocservices.com From devonharding at gmail.com Mon Feb 11 04:22:59 2008 From: devonharding at gmail.com (Devon Harding) Date: Mon Feb 11 04:23:08 2008 Subject: Outbound relay on 587 In-Reply-To: <47AFBC98.9030403@nocservices.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> Message-ID: <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> > > > > If you want to send via another server and port 587, you want both > > define(`SMART_HOST', `mail.isp.net') > define(`RELAY_MAILER_ARGS', `TCP $h 587') > > I wonder if I'm missing something. It looks like it's still using port 25. This is sendmail.mc file: dnl # Uncomment and edit the following line if your outgoing mail needs to dnl # be sent out through an external mail server: dnl # define(`SMART_HOST',`smtpout.secureserver.net') define(`RELAY_MAILER_ARGS', `TCP $h 587') dnl # And this is what I'm getting in /var/log/maillog: Feb 10 23:09:27 mars sendmail[3111]: m1B3xeD3002518: timeout waiting for input from smtpout.secureserver.net during client greeting Feb 10 23:09:27 mars sendmail[3111]: m1B3xeD3002518: to=, ctladdr= (0/0), delay=00:09:46, xdelay=00:05:00, mailer=relay, pri=120344, relay=smtpout.secureserver.net [64.202.165.58], dsn=4.0.0, stat=Deferred: Connection timed out with smtpout.secureserver.net Feb 10 23:09:43 mars update.bad.phishing.sites: Phishing bad sites list updated Feb 10 23:09:43 mars update.virus.scanners: Delaying cron job up to 600 seconds -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080210/321769d7/attachment.html

From goetz.reinicke at filmakademie.de Mon Feb 11 08:16:12 2008
From: goetz.reinicke at filmakademie.de (Götz Reinicke)
Date: Mon Feb 11 08:16:25 2008
Subject: Switch from f-secure to avira - No "found ..." message in the log
Message-ID: <47B0044C.2030007@filmakademie.de>

Hi,

we will switch from f-secure to avira and I installed the workstation command-line scanner today. The license is installed, updates work.

After that I changed the MailScanner.conf to use the new scanner:

"Virus Scanners = antivir".

I sent myself the eicar testfile and the attachments got removed, the sysadmin (me) got the notification and the sender (me) was also informed :-)

But in the mail-log on the server there is no "Found .... " line as it has been using f-secure:

"Found F-Secure version 4.65=4.65"

The Question: Is everything good or something bad?

Thanks for any hint or tip!

Best regards

Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, Minister a.D.
Managing Director: Prof. Thomas Schadt

From uxbod at splatnix.net Mon Feb 11 08:31:26 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Feb 11 08:31:44 2008
Subject: Switch from f-secure to avira - No "found ..." message in the log
In-Reply-To: <47B0044C.2030007@filmakademie.de>
Message-ID: <17860241.121202718686490.JavaMail.root@office.splatnix.net>

What is the output from MailScanner --lint ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Götz Reinicke" wrote:
> Hi,
>
> we will switch from f-secure to avira and I installed the workstation
>
> command-line scanner today. The license is installed, updates work.
>
> After that I changed the MailScanner.conf to use the new scanner:
>
> "Virus Scanners = antivir".
>
> I sent myself the eicar testfile and the attachments got removed, the
> sysadmin (me) got the notification and the sender (me) was also
> informed :-)
>
> But in the mail-log on the server there is no "Found .... " line as it
>
> has been using f-secure:
>
> "Found F-Secure version 4.65=4.65"
>
> The Question: Is everything good or something bad?
>
> Thanks for any hint or tip!
>
> Best regards
>
> Götz

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From goetz.reinicke at filmakademie.de Mon Feb 11 08:40:49 2008
From: goetz.reinicke at filmakademie.de (Götz Reinicke)
Date: Mon Feb 11 08:41:05 2008
Subject: Switch from f-secure to avira - No "found ..." message in the log
In-Reply-To: <17860241.121202718686490.JavaMail.root@office.splatnix.net>
References: <17860241.121202718686490.JavaMail.root@office.splatnix.net>
Message-ID: <47B00A11.8010401@filmakademie.de>

Hi,

MailScanner --lint
Trying to setlogsock(unix)
Checking version numbers...
Version number in MailScanner.conf (4.66.5) is correct.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-Filmakademie-MailScanner-From

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = f-secure antivir"
Found these virus scanners installed: clamav, f-secure, antivir
===========================================================================
===========================================================================
Virus Scanner test reports:
F-Secure said "./1/eicar.com: Infected: EICAR_Test_File [Libra]"
F-Secure said "./1/eicar.com: Infected: EICAR Test File [Orion]"
F-Secure said "./1/eicar.com: Infected: EICAR-Test-File [AVP]"
AntiVir said "ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus"

If any of your virus scanners (clamav,f-secure,antivir)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

Seems O.K. for me ... butm :-)

Regards,
Götz

--[ UxBoD ]-- wrote:
> What is the output from MailScanner --lint ?
>
> Regards,
>

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, Minister a.D.
Managing Director: Prof. Thomas Schadt

From uxbod at splatnix.net Mon Feb 11 08:51:48 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Feb 11 08:52:08 2008
Subject: Switch from f-secure to avira - No "found ..." message in the log
In-Reply-To: <47B00A11.8010401@filmakademie.de>
Message-ID: <18038616.151202719908924.JavaMail.root@office.splatnix.net>

What happens if you set Virus Scanners = auto ? and then send a message with EICAR in it ? may be worth stopping MS and once you have sent the message run MailScanner --debug and see what is thrown up.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Götz Reinicke" wrote:
> Hi,
>
> MailScanner --lint
> Trying to setlogsock(unix)
> Checking version numbers...
> Version number in MailScanner.conf (4.66.5) is correct.
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match
> X-Filmakademie-MailScanner-From
>
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin reported no errors.
> MailScanner.conf says "Virus Scanners = f-secure antivir"
> Found these virus scanners installed: clamav, f-secure, antivir
> ===========================================================================
> ===========================================================================
> Virus Scanner test reports:
> F-Secure said "./1/eicar.com: Infected: EICAR_Test_File [Libra]"
> F-Secure said "./1/eicar.com: Infected: EICAR Test File [Orion]"
> F-Secure said "./1/eicar.com: Infected: EICAR-Test-File [AVP]"
> AntiVir said "ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains
>
> code of the Eicar-Test-Signature virus"
>
> If any of your virus scanners (clamav,f-secure,antivir)
> are not listed there, you should check that they are installed
> correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
>
>
>
> Seems O.K. for me ... butm :-)
>
> Regards,
> Götz

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From gerard at seibercom.net Mon Feb 11 11:33:33 2008 From: gerard at seibercom.net (Gerard) Date: Mon Feb 11 11:33:54 2008 Subject: Outbound relay on 587 In-Reply-To: <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> Message-ID: <20080211063333.58ebf07d@scorpio> On Sun, 10 Feb 2008 23:22:59 -0500 "Devon Harding" wrote: > > If you want to send via another server and port 587, you want both > > > > define(`SMART_HOST', `mail.isp.net') > > define(`RELAY_MAILER_ARGS', `TCP $h 587') > > > > > I wonder if I'm missing something. It looks like it's still using > port 25. This is sendmail.mc file: > > dnl # Uncomment and edit the following line if your outgoing mail > needs to dnl # be sent out through an external mail server: > dnl # > define(`SMART_HOST',`smtpout.secureserver.net') > define(`RELAY_MAILER_ARGS', `TCP $h 587') > dnl # > > And this is what I'm getting in /var/log/maillog: > > Feb 10 23:09:27 mars sendmail[3111]: m1B3xeD3002518: timeout waiting > for input from smtpout.secureserver.net during client greeting > Feb 10 23:09:27 mars sendmail[3111]: m1B3xeD3002518: > to=, ctladdr= (0/0), > delay=00:09:46, xdelay=00:05:00, mailer=relay, pri=120344, > relay=smtpout.secureserver.net [64.202.165.58], dsn=4.0.0, > stat=Deferred: Connection timed out with smtpout.secureserver.net Feb > 10 23:09:43 mars update.bad.phishing.sites: Phishing bad sites list > updated Feb 10 23:09:43 mars update.virus.scanners: Delaying cron job > up to 600 seconds I am not sure if this is your problem or not; however, I use Postfix, and am forced to use port 587 when sending to 'GMAIL', as well as my own ISP. Anyway, to accomplish that, I have to have TLS working on my system. That is rather trivial in Postfix, though I understand it is a major PIA with Sendmail. 
In any case, you might want to investigate that possibility. -- Gerard gerard@seibercom.net pension: A federally insured chain letter. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/c9193d96/signature.bin From devonharding at gmail.com Mon Feb 11 12:44:40 2008 From: devonharding at gmail.com (Devon Harding) Date: Mon Feb 11 12:44:48 2008 Subject: Outbound relay on 587 In-Reply-To: <20080211063333.58ebf07d@scorpio> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> Message-ID: <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> > > > > I am not sure if this is your problem or not; however, I use Postfix, > and am forced to use port 587 when sending to 'GMAIL', as well as my > own ISP. Anyway, to accomplish that, I have to have TLS working on my > system. That is rather trivial in Postfix, though I understand it is a > major PIA with Sendmail. In any case, you might want to investigate > that possibility. > Well, from the prompt, I can telnet to Godaddy's SMTP servers on port 587, it's just that sendmail doesn't seem to be using that port. I'm wondering what other config do I need to do. -Devon -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/880e88d2/attachment.html From uxbod at splatnix.net Mon Feb 11 12:48:53 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Feb 11 12:49:21 2008 Subject: Outbound relay on 587 In-Reply-To: <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> Message-ID: <18908440.721202734133135.JavaMail.root@office.splatnix.net> I presume you did re-compile the .mc and reload the configuration ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Devon Harding" wrote: > I am not sure if this is your problem or not; however, I use Postfix, > and am forced to use port 587 when sending to 'GMAIL', as well as my > own ISP. Anyway, to accomplish that, I have to have TLS working on my > system. That is rather trivial in Postfix, though I understand it is a > major PIA with Sendmail. In any case, you might want to investigate > that possibility. > > Well, from the prompt, I can telnet to Godaddy's SMTP servers on port > 587, it's just that sendmail doesn't seem to be using that port. I'm > wondering what other config do I need to do. > > -Devon -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
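The checks asked about in this thread (are SMART_HOST and RELAY_MAILER_ARGS actually active rather than discarded by dnl, which port results, and was sendmail.cf regenerated after the edit), collected into one script. This is an added example, not code from any poster or from sendmail; the line breaks in POSTED_MC are an assumed reconstruction of the posted fragment, and FLATTENED_MC is the same text on a single line.

```python
"""Check a sendmail.mc for the smart-host settings discussed in this thread."""
import re

# define(`NAME', `value') using m4's backquote/apostrophe quoting.
DEFINE_RE = re.compile(r"define\(\s*`(\w+)'\s*,\s*`([^']*)'\s*\)")

# Constructed samples. POSTED_MC assumes one statement per line;
# FLATTENED_MC is the same fragment with every newline lost.
POSTED_MC = """\
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
define(`SMART_HOST',`smtpout.secureserver.net')
define(`RELAY_MAILER_ARGS', `TCP $h 587')
dnl #
"""
FLATTENED_MC = " ".join(POSTED_MC.split()) + "\n"


def strip_dnl(mc_text):
    """Drop what m4 discards: dnl eats everything up to and including the newline.

    Simplification: a literal "dnl" inside a quoted string is not special-cased.
    """
    return re.sub(r"\bdnl\b[^\n]*\n?", "", mc_text)


def active_defines(mc_text):
    """Return {name: value} for the defines m4 will actually process."""
    return dict(DEFINE_RE.findall(strip_dnl(mc_text)))


def relay_port(defines):
    """Port the relay mailer will dial; 25 when RELAY_MAILER_ARGS is absent."""
    parts = defines.get("RELAY_MAILER_ARGS", "").split()
    # Form given in the thread: TCP $h 587
    if len(parts) >= 3 and parts[0] == "TCP":
        return int(parts[2]) if parts[2].isdigit() else parts[2]
    return 25


def diagnose(mc_text, mc_mtime=None, cf_mtime=None):
    """Summarise smart host, port and anything that needs attention."""
    defines = active_defines(mc_text)
    port = relay_port(defines)
    findings = []
    if "SMART_HOST" not in defines:
        findings.append("SMART_HOST is not active (missing or behind dnl)")
    if port == 25:
        findings.append("relay mailer uses port 25 (no active RELAY_MAILER_ARGS with a port)")
    if mc_mtime is not None and cf_mtime is not None and cf_mtime < mc_mtime:
        findings.append("sendmail.cf is older than sendmail.mc: regenerate it and restart sendmail")
    return {"smart_host": defines.get("SMART_HOST"), "port": port, "findings": findings}


if __name__ == "__main__":
    import os
    import sys

    if len(sys.argv) == 3:  # usage: script.py <sendmail.mc> <sendmail.cf>
        mc_path, cf_path = sys.argv[1], sys.argv[2]
        with open(mc_path) as handle:
            report = diagnose(handle.read(), os.path.getmtime(mc_path), os.path.getmtime(cf_path))
    else:
        report = diagnose(POSTED_MC)
    print(report)
```

With one statement per line the fragment yields the smart host and port 587, so the remaining suspects are a stale sendmail.cf or something outside the fragment; with the newlines lost, dnl swallows both defines.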
From gerard at seibercom.net Mon Feb 11 13:02:37 2008 From: gerard at seibercom.net (Gerard) Date: Mon Feb 11 13:03:03 2008 Subject: Outbound relay on 587 In-Reply-To: <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> Message-ID: <20080211080237.05f2d5d4@scorpio> On Mon, 11 Feb 2008 07:44:40 -0500 "Devon Harding" wrote: [snip] > Well, from the prompt, I can telnet to Godaddy's SMTP servers on port > 587, it's just that sendmail doesn't seem to be using that port. I'm > wondering what other config do I need to do. OK, using telnet, access the SMTP server and attempt to send a message. You will know immediately if it needs authorization or not to complete the process. You might want to post the output of that telnet session here also. BTW, have you recompiled the *.mc files (I think that is what they are in Sendmail) and then restarted it? -- Gerard gerard@seibercom.net A fool must now and then be right by chance. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080211/0c9094b6/signature.bin

From Denis.Beauchemin at usherbrooke.ca Mon Feb 11 15:06:22 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Mon Feb 11 15:07:05 2008
Subject: can you strip attachments to a folder
In-Reply-To: <47AFA85A.1040403@rheel.co.nz>
References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> <47AF7F87.3010907@vanderkooij.org> <47AFA85A.1040403@rheel.co.nz>
Message-ID: <47B0646E.1080606@USherbrooke.ca>

Kathryn Allan wrote:
> It's not really message delivery I need though the email attachment
> doesn't ever go through to an email account but rather would be stored
> in a folder for another program to access.
>
>

Kathryn,

Couldn't you use the following to store the email on disk:

Non Spam Actions = %rules-dir%/non.spam.action.rules

where %rules-dir%/non.spam.action.rules contains:

From: whoever@yourplace.com store-nonspam
FromOrTo: Default deliver header "X-Spam-Status: No"

That would store all emails from whoever@yourplace.com on disk and not deliver them. Would that be OK? If you really need to do this only for emails with attachments, then you would have to create a custom SpamAssassin rule that checks for your attachment (there are already some such rules in 20_body_tests.cf and 20_html_tests.cf) and instead use:

SpamAssassin Rule Actions = your_rule=>store-nonspam

Hope this helps.

Denis

--
_
°v° Denis Beauchemin, analyst
/(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From gborders at balanceconsult.com Mon Feb 11 16:20:36 2008 From: gborders at balanceconsult.com (Greg Borders) Date: Mon Feb 11 16:23:19 2008 Subject: can you strip attachments to a folder In-Reply-To: <47AF6523.7080803@rheel.co.nz> References: <47AF6523.7080803@rheel.co.nz> Message-ID: <47B075D4.90103@balanceconsult.com> Kathryn Allan wrote: > Hi all, > > Have had a request to do this and was wondering if it is even possible. > > Can I set mailscanner up so that any emails from a specific address - > if they have an attachment, the attachment gets stripped and dumped in > a specific folder? > > Thanks > Kate I've used a pair of tools to extract attachments after delivery. http://www.pldaniels.com/ripmime/ http://www.procmail.org/ Use procmail and a create a recipe that pipes a copy of the delivered mail to ripmime. ripmime will extract the attachment to a specified folder. You can then use a script/cron job to detect the presence of the newly created attachment, and fire off your other program that needs it. Greg. -- This email message and any document accompanying it may contain information intended only for the person(s) named. Any use, distribution, copying or disclosure by another person is strictly prohibited. NOTICE TO PERSONS SUBJECT TO UNITED STATES TAXATION: DISCLOSURE UNDER TREASURY CIRCULAR 230: Any tax advice included in this written or electronic communication was not intended or written to be used, and it cannot be used by the taxpayer, for the purpose of avoiding any penalties that may be imposed on the taxpayer by any governmental taxing authority or agency. This written or electronic communication does not represent legal advice. Persons in need of a legal opinion should seek competent counsel. 
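What the procmail-plus-ripmime approach above does for the original request (attachments from one address dropped into a folder), written out in Python as an added example; it is not code from any poster or from ripmime. The sample message, the destination folder and the script path in the comment are constructed or assumed; whoever@yourplace.com is the placeholder address used earlier in the thread.

```python
"""Save attachments from one sender into a folder (procmail pipe target).

Assumed procmail recipe feeding this script a copy of each delivered mail:
    :0 c
    | /usr/local/bin/strip_attachments.py
"""
import email
import os
import re
import sys
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import Path


def safe_name(raw_name, index):
    """Reduce a sender-supplied filename to a harmless basename.

    The name comes from the message, so it must never steer where we write:
    directories are dropped, odd characters replaced, leading dots removed.
    """
    name = os.path.basename((raw_name or "").replace("\\", "/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name or f"attachment-{index}.bin"


def extract_attachments(raw_message, wanted_sender, dest_dir):
    """Write attachments of mail from wanted_sender into dest_dir.

    Returns the list of file names written. The From: header is chosen by
    the sender, so treat the saved files as untrusted input downstream.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != wanted_sender.lower():
        return []
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    saved = []
    for index, part in enumerate(msg.iter_attachments(), start=1):
        payload = part.get_payload(decode=True)
        if payload is None:  # container part (e.g. attached message), no bytes
            continue
        name = safe_name(part.get_filename(), index)
        target, serial = dest / name, 0
        while True:
            try:
                # O_EXCL: never overwrite or follow an existing entry.
                fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                break
            except FileExistsError:
                serial += 1
                target = dest / f"{serial}-{name}"
        with os.fdopen(fd, "wb") as handle:
            handle.write(payload)
        saved.append(target.name)
    return saved


def build_sample(sender):
    """Constructed test message whose attachment name tries to leave the folder."""
    msg = EmailMessage()
    msg["From"] = f"Sender <{sender}>"
    msg["To"] = "inbox@example.org"
    msg["Subject"] = "daily export"
    msg.set_content("See attached.")
    msg.add_attachment(
        b"id,amount\n1,10\n",
        maintype="application",
        subtype="octet-stream",
        filename="../../outside/report.csv",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    # Assumed destination folder; procmail supplies the message on stdin.
    written = extract_attachments(
        sys.stdin.buffer.read(), "whoever@yourplace.com", "/var/spool/attachments"
    )
    print("\n".join(written))
```

The other program can then poll the folder, as suggested above with a script or cron job.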
From kate at rheel.co.nz Mon Feb 11 21:07:27 2008
From: kate at rheel.co.nz (Kathryn Allan)
Date: Mon Feb 11 21:07:14 2008
Subject: can you strip attachments to a folder
In-Reply-To: <47B0646E.1080606@USherbrooke.ca>
References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> <47AF7F87.3010907@vanderkooij.org> <47AFA85A.1040403@rheel.co.nz> <47B0646E.1080606@USherbrooke.ca>
Message-ID: <47B0B90F.4040601@rheel.co.nz>

Thanks Denis, will give this a shot.

Kate

Denis Beauchemin wrote:
> Kathryn Allan wrote:
>> It's not really message delivery I need though the email attachment
>> doesn't ever go through to an email account but rather would be
>> stored in a folder for another program to access.
>>
>>
> Kathryn,
>
> Couldn't you use the following to store the email on disk:
>
> Non Spam Actions = %rules-dir%/non.spam.action.rules
>
> where %rules-dir%/non.spam.action.rules contains:
> From: whoever@yourplace.com store-nonspam
> FromOrTo: Default deliver header "X-Spam-Status: No"
>
> That would store all emails from whoever@yourplace.com on disk and not
> deliver them. Would that be OK? If you really need to do this only
> for emails with attachments, then you would have to create a custom
> SpamAssassin rule that checks for your attachment (there are already
> some such rules in 20_body_tests.cf and 20_html_tests.cf) and instead
> use:
>
> SpamAssassin Rule Actions = your_rule=>store-nonspam
>
> Hope this helps.
>
> Denis
>

--
Kate Kleinschafer
Internet Services
GetRheel /A division of Rheel Electronics Ltd /
Phone +64-3-386 3070
Fax +64-3-386-3071
Mobile +64-21-386-394
email: kate@rheel.co.nz
www.getrheel.co.nz

This e-mail together with any attachments is confidential, may be subject to legal privilege and may contain proprietary information, including information protected by copyright. If you are not the intended recipient, please do not copy, use or disclose this e-mail; please notify us immediately by return e-mail and then delete this e-mail.

From edward at tdcs.com.au Mon Feb 11 21:07:37 2008
From: edward at tdcs.com.au (Edward Dekkers)
Date: Mon Feb 11 21:08:03 2008
Subject: Not scanning for spam?
Message-ID: <1202764057.31705.3.camel@ubuntu.tdcs.com.au>

For the last three days or so I've noticed some spam getting through. Not huge amounts but it appears from my log they're not even getting looked at (addresses changed to protect the innocent):

Feb 12 01:47:14 ubuntu postfix/smtpd[29715]: connect from unknown[219.139.33.58]
Feb 12 01:47:17 ubuntu postfix/smtpd[29715]: 1A5F4C70273: client=unknown[219.139.33.58]
Feb 12 01:47:19 ubuntu postfix/cleanup[29719]: 1A5F4C70273: hold: header Received: from 219.139.33.58 (unknown [219.139.33.58])??by mydomain.com.au (Postfix) with ESMTP id 1A5F4C70273??for ; Tue, 12 Feb 2008 01:47:16 +0900 (WST) from unknown[219.139.33.58]; from= to= proto=ESMTP helo=<219.139.33.58>
Feb 12 01:47:19 ubuntu postfix/cleanup[29719]: 1A5F4C70273: message-id=<000a01c86ccd$0187cc62$bc517ba5@hugwbuoo>
Feb 12 01:47:19 ubuntu MailScanner[24154]: New Batch: Scanning 1 messages, 2517 bytes
Feb 12 01:47:19 ubuntu MailScanner[24154]: Spam Checks: Starting
Feb 12 01:47:19 ubuntu MailScanner[24154]: Requeue: 1A5F4C70273.EDF38 to B65C4C7029D
Feb 12 01:47:19 ubuntu postfix/qmgr[5357]: B65C4C7029D: from=, size=2002, nrcpt=1 (queue active)
Feb 12 01:47:19 ubuntu MailScanner[24154]: Unscanned: Delivered 1 messages
Feb 12 01:47:19 ubuntu MailScanner[24154]: Virus and Content Scanning: Starting
Feb 12 01:47:19 ubuntu postfix/local[29721]: B65C4C7029D: to=, relay=local, delay=3.2, delays=3.2/0.02/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a $EXTENSION)
Feb 12 01:47:19 ubuntu postfix/qmgr[5357]: B65C4C7029D: removed
Feb 12 01:47:20 ubuntu postfix/smtpd[29715]: disconnect from unknown[219.139.33.58]
Feb 12 01:47:21 ubuntu MailScanner[24154]: Virus Scanning completed at 1304 bytes per second
Feb 12 01:47:21 ubuntu MailScanner[24154]: Batch completed at 1299 bytes per second (2517 / 1)
Feb 12 01:47:21 ubuntu MailScanner[24154]: Batch (1 message) processed in 1.94 seconds

Any ideas why it would say it's starting checks then delivers it unscanned?

There's no mention of geocities in my whitelists or anything.

Regards,
Ed.

From hvdkooij at vanderkooij.org Mon Feb 11 22:22:33 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Feb 11 22:23:02 2008
Subject: can you strip attachments to a folder
In-Reply-To: <47AFA85A.1040403@rheel.co.nz>
References: <47AF6523.7080803@rheel.co.nz> <47AF7ABC.60805@ecs.soton.ac.uk> <47AF7F87.3010907@vanderkooij.org> <47AFA85A.1040403@rheel.co.nz>
Message-ID: <47B0CAA9.2050301@vanderkooij.org>

Kathryn Allan wrote:
| It's not really message delivery I need though the email attachment
| doesn't ever go through to an email account but rather would be stored
| in a folder for another program to access.

You do not need MailScanner for this. You definitely need to look into procmail to solve your email processing needs.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From edward at tdcs.com.au Mon Feb 11 23:08:10 2008
From: edward at tdcs.com.au (Edward Dekkers)
Date: Mon Feb 11 23:09:35 2008
Subject: Not scanning for spam?
In-Reply-To: <1202764057.31705.3.camel@ubuntu.tdcs.com.au>
References: <1202764057.31705.3.camel@ubuntu.tdcs.com.au>
Message-ID:

> Any ideas why it would say it's starting checks then delivers it
> unscanned?
>
> There's no mention of geocities in my whitelists or anything.
>
> Regards,
> Ed.

Sorry for replying to my own post, but this has been resolved. A few mails to the university of Berlin's echo server showed that mailscanner was completely ignoring scanning of ANY messages.

This was due to me having the problem sending attachments last week, in which I played with a lot of rules files. One of which was scan.messages.rules.

I had the default as no, which is what the other rules files seem to want. Of course, the default is supposed to be yes in this file.

One follow up question (I'm using Ubuntu Gutsy server) if you don't mind.

What is the correct way to re-load the MailScanner configuration?

I'm using "/etc/init.d/mailscanner reload"

When I sent my test message, there was no change to the result.

A re-boot of the server DID load the new settings.

So I must be trying to re-load the settings wrong.

Could someone explain how to properly re-start MailScanner?

Seems trivial, and I thought I was doing it correctly, but obviously not.

Regards,
Ed.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ssilva at sgvwater.com Mon Feb 11 23:25:42 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Feb 11 23:26:07 2008
Subject: Not scanning for spam?
In-Reply-To:
References: <1202764057.31705.3.camel@ubuntu.tdcs.com.au>
Message-ID:

on 2/11/2008 3:08 PM Edward Dekkers spake the following:
>> Any ideas why it would say it's starting checks then delivers it
>> unscanned?
>>
>> There's no mention of geocities in my whitelists or anything.
>>
>> Regards,
>> Ed.
>
> Sorry for replying to my own post, but this has been resolved. A few mails
> to the university of Berlin's echo server showed that mailscanner was
> completely ignoring scanning of ANY messages.
>
> This was due to me having the problem sending attachments last week, in
> which I played with a lot of rules files. One of which was
> scan.messages.rules.
>
> I had the default as no, which is what the other rules files seem to want.
> Of course, the default is supposed to be yes in this file.
>
> One follow up question (I'm using Ubuntu Gutsy server) if you don't mind.
>
> What is the correct way to re-load the MailScanner configuration?
>
> I'm using "/etc/init.d/mailscanner reload"
>
> When I sent my test message, there was no change to the result.
>
> A re-boot of the server DID load the new settings.
>
> So I must be trying to re-load the settings wrong.
>
> Could someone explain how to properly re-start MailScanner?
>
> Seems trivial, and I thought I was doing it correctly, but obviously not.
>
> Regards,
> Ed.
>
In an RPM based installation a reload usually does just that. Are you using an init script provided by Julian or from someone else?

Julian has this init script for Debian based distros;
http://www.mailscanner.info/files/4/mailscanner.debian.init.d

Maybe if yours is from a packager, it is different.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Mon Feb 11 23:28:31 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Feb 11 23:30:12 2008
Subject: Not scanning for spam?
In-Reply-To:
References: <1202764057.31705.3.camel@ubuntu.tdcs.com.au>
Message-ID:

on 2/11/2008 3:08 PM Edward Dekkers spake the following:
>> Any ideas why it would say it's starting checks then delivers it
>> unscanned?
>>
>> There's no mention of geocities in my whitelists or anything.
>>
>> Regards,
>> Ed.
>
> Sorry for replying to my own post, but this has been resolved. A few mails
> to the university of Berlin's echo server showed that mailscanner was
> completely ignoring scanning of ANY messages.
>
> This was due to me having the problem sending attachments last week, in
> which I played with a lot of rules files. One of which was
> scan.messages.rules.
>
> I had the default as no, which is what the other rules files seem to want.
> Of course, the default is supposed to be yes in this file.
>
> One follow up question (I'm using Ubuntu Gutsy server) if you don't mind.
>
> What is the correct way to re-load the MailScanner configuration?
>
> I'm using "/etc/init.d/mailscanner reload"
>
> When I sent my test message, there was no change to the result.
>
> A re-boot of the server DID load the new settings.
>
> So I must be trying to re-load the settings wrong.
>
> Could someone explain how to properly re-start MailScanner?
>
> Seems trivial, and I thought I was doing it correctly, but obviously not.
>
> Regards,
> Ed.
>
And if a reload doesn't work, a "/etc/init.d/mailscanner restart" should.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ravenpi at gmail.com Tue Feb 12 00:41:05 2008
From: ravenpi at gmail.com (ravenpi@gmail.com)
Date: Tue Feb 12 00:41:15 2008
Subject: It done broke. "Returned 22 with signal 0".
Message-ID: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com>

Hey, all. Long-time MailScanner user, always been very happy with it. Have it installed on my month-old Ubuntu box, when, suddenly, it died this past Sunday. Syslog says:
Mailscanner: Process did not exit cleanly, returned 22 with signal 0

Running in debug mode says:
[...]
max message size is '40k'
max message size is '40k'
Ignore errors about failing to find EOCD signature
Can't use an undefined value as a symbol reference at /usr/share/MailScanner/MailScanner/Message.pm line 1495.

Lines 1494 & 1495 are:
$handle = IO::File->new_tmpfile;
binmode($handle);

The funny thing is, when I change 1494 to
$handle = IO::File->new_tmpfile or die "It didn't work: $!"
Sure enough, it dies. So, for the hell of it, I made a mini Perl standalone:
#!/usr/bin/perl
use IO::File;
$handle = IO::File->new_tmpfile;
binmode($handle);

And that worked just fine, so Perl seems okay (no?).

I did a full uninstall and re-install, including re-tweaking my config files, and it worked... for about 15 messages, then is doing the exact same thing all over again.

ANY ideas? Or do I have to regen my damn box? (Note: I also poked around in all the usual places for signs of an intruder, but haven't found anything.)

Thanks much,

-Ken

From ugob at lubik.ca Tue Feb 12 03:53:06 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Feb 12 04:03:50 2008
Subject: It done broke. "Returned 22 with signal 0".
In-Reply-To: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com>
References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com>
Message-ID:

ravenpi@gmail.com wrote:
> Hey, all. Long-time MailScanner user, always been very happy with it.
> Have it installed on my month-old Ubuntu box, when, suddenly, it died
> this past Sunday. Syslog says:
> Mailscanner: Process did not exit cleanly, returned 22 with signal 0
>
> Running in debug mode says:
> [...]
> max message size is '40k'
> max message size is '40k'
> Ignore errors about failing to find EOCD signature
> Can't use an undefined value as a symbol reference at
> /usr/share/MailScanner/MailScanner/Message.pm line 1495.
>
> Lines 1494 & 1495 are:
> $handle = IO::File->new_tmpfile;
> binmode($handle);
>
> The funny thing is, when I change 1494 to
> $handle = IO::File->new_tmpfile or die "It didn't work: $!"
> Sure enough, it dies. So, for the hell of it, I made a mini Perl
> standalone:
> #!/usr/bin/perl
> use IO::File;
> $handle = IO::File->new_tmpfile;
> binmode($handle);
>
> And that worked just fine, so Perl seems okay (no?).
>
> I did a full uninstall and re-install, including re-tweaking my config
> files, and it worked... for about 15 messages, then is doing the exact
> same thing all over again.
>
> ANY ideas? Or do I have to regen my damn box? (Note: I also poked
> around in all the usual places for signs of an intruder, but haven't
> found anything.)

Try using the internal TNEF decoder.

Ugo

From ugob at lubik.ca Tue Feb 12 04:13:13 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Feb 12 04:13:43 2008
Subject: It done broke. "Returned 22 with signal 0".
In-Reply-To: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com>
References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com>
Message-ID:

ravenpi@gmail.com wrote:
> Hey, all. Long-time MailScanner user, always been very happy with it.
> Have it installed on my month-old Ubuntu box, when, suddenly, it died
> this past Sunday. Syslog says:
> Mailscanner: Process did not exit cleanly, returned 22 with signal 0
>
> Running in debug mode says:

What does 'MailScanner --lint' and 'MailScanner -V' show?
Ugo

From Robert.Meurlin at se.fujitsu.com Tue Feb 12 08:37:34 2008
From: Robert.Meurlin at se.fujitsu.com (Meurlin Robert)
Date: Tue Feb 12 08:38:41 2008
Subject: continue not asking DCC
Message-ID: <797363C57EE0884786F428AAABCD469201490A68@sea0120sex2.nordic.x>

Hello,

I got this in my log after installing DCC:

continue not asking DCC 506 seconds after failure

and when I write in command line

cdcc info
# 02/11/08 16:43:35 CET /var/dcc/map
# Re-resolve names after 17:48:47
# 12 total, 0 working servers
# skipping asking DCC server 64 seconds more
IPv6 off

dcc1.dcc-servers.net,- RTT+1000 ms anon
# 192.135.10.194,-
# not answering
# 208.201.249.233,-
# not answering
# 209.169.14.29,-
# not answering

dcc2.dcc-servers.net,- RTT+1000 ms anon
# 71.246.8.99,-
# not answering
# 193.166.171.33,-
# not answering

dcc3.dcc-servers.net,- RTT+1000 ms anon
# 64.124.52.232,-
# not answering
# 194.228.41.73,-
# not answering

dcc4.dcc-servers.net,- RTT+1000 ms anon
# 137.208.8.26,-
# not answering
# 209.169.14.27,-
# not answering

dcc5.dcc-servers.net,- RTT+1000 ms anon
# 208.201.249.232,-
# not answering
# 217.20.119.18,-
# not answering

I have open UDP port 6277 in/out.

Does anyone have any idea?

Robert

From alxfrag at gmail.com Tue Feb 12 10:40:56 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Tue Feb 12 10:40:35 2008
Subject: No programs allowed
Message-ID: <47B177B8.6000001@gmail.com>

Hi all,

I have a strange problem with mailscanner. I've configured it so as text files are allowed. A few of my users send emails but they are blocked by mailscanner.
Mailscanner says:
No programs allowed (msg-22222-12).

These emails have no attachments. A few of these emails are generated by moodle php scripts and they contain greek characters.

Any ideas?

Thanks in advance,

Alexandros

From uxbod at splatnix.net Tue Feb 12 10:48:58 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Feb 12 10:49:29 2008
Subject: No programs allowed
In-Reply-To: <47B177B8.6000001@gmail.com>
Message-ID: <11368610.151202813338565.JavaMail.root@office.splatnix.net>

----- "AlxFrag" wrote:
> Hi all,
>
> I have a strange problem with mailscanner. I've configured it so as
> text
> files are allowed. A few of my users send emails but they are blocked
> by
> mailscanner.
> Mailscanner says:
> No programs allowed (msg-22222-12).
>
> These emails have no attachments. A few of these emails are generated
> by
> moodle php scripts and they contain greek characters.
>
>
> Any ideas?
>
> Thanks in advance,
>
> Alexandros

find the message in your quarantine and run 'file' against it. Post what that reports please ...

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From alxfrag at gmail.com Tue Feb 12 10:58:14 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Tue Feb 12 10:57:47 2008
Subject: No programs allowed
In-Reply-To: <11368610.151202813338565.JavaMail.root@office.splatnix.net>
References: <11368610.151202813338565.JavaMail.root@office.splatnix.net>
Message-ID: <47B17BC6.6000005@gmail.com>

--[ UxBoD ]-- wrote:
> ----- "AlxFrag" wrote:
>
>
>> Hi all,
>>
>> I have a strange problem with mailscanner. I've configured it so as
>> text
>> files are allowed. A few of my users send emails but they are blocked
>> by
>> mailscanner.
>> Mailscanner says:
>> No programs allowed (msg-22222-12).
>>
>> These emails have no attachments. A few of these emails are generated
>> by
>> moodle php scripts and they contain greek characters.
>>
>>
>> Any ideas?
>>
>> Thanks in advance,
>>
>> Alexandros
>>
> find the message in your quarantine and run 'file' against it. Post what that reports please ...
>
>
> Regards,
>
>
I've found the quarantined email. It consists of two files called message and msg-5716-14.txt:

message: RFC 822 mail text

msg-5716-14.txt: PARIX executable

From martinh at solidstatelogic.com Tue Feb 12 11:04:56 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Feb 12 11:05:12 2008
Subject: No programs allowed
In-Reply-To: <47B17BC6.6000005@gmail.com>
Message-ID: <46e542c2de9d7a438e614662f9586a2e@solidstatelogic.com>

Hi

This is a problem with the file command getting confused with non English 'text' attachments.

Latest beta has some things in it to help with this.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 12 February 2008 10:58
> To: MailScanner discussion
> Subject: Re: No programs allowed
>
> --[ UxBoD ]-- wrote:
>
> ----- "AlxFrag"
> wrote:
>
>
>
> Hi all,
>
> I have a strange problem with mailscanner. I've configured it
> so as
> text
> files are allowed. A few of my users send emails but they are
> blocked
> by
> mailscanner.
> Mailscanner says:
> No programs allowed (msg-22222-12).
>
> These emails have no attachments. A few of these emails are
> generated
> by
> moodle php scripts and they contain greek characters.
>
>
> Any ideas?
>
> Thanks in advance,
>
> Alexandros
>
>
> find the message in your quarantine and run 'file' against it. Post
> what that reports please ...
>
>
> Regards,
>
>
>
> I've found the quarantined email. It consists of two files called message
> and msg-5716-14.txt:
>
> message: RFC 822 mail text
>
> msg-5716-14.txt: PARIX executable
>

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From uxbod at splatnix.net Tue Feb 12 11:07:18 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Feb 12 11:07:40 2008
Subject: No programs allowed
In-Reply-To: <47B17BC6.6000005@gmail.com>
Message-ID: <19508891.181202814438685.JavaMail.root@office.splatnix.net>

Okay, could you do the same thing with file -i please ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From uxbod at splatnix.net Tue Feb 12 11:10:55 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Feb 12 11:11:17 2008
Subject: No programs allowed
In-Reply-To: <46e542c2de9d7a438e614662f9586a2e@solidstatelogic.com>
Message-ID: <18785887.211202814655221.JavaMail.root@office.splatnix.net>

Doh! Good spot Martin, forgot all about that ...

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Martin.Hepworth" wrote:
> Hi
>
> This is a problem with the file command getting confused with non
> English 'text' attachments.
>
> Latest beta has some things in it to help with this.

From alxfrag at gmail.com Tue Feb 12 11:14:42 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Tue Feb 12 11:14:17 2008
Subject: No programs allowed
In-Reply-To: <19508891.181202814438685.JavaMail.root@office.splatnix.net>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net>
Message-ID: <47B17FA2.4030703@gmail.com>

--[ UxBoD ]-- wrote:
> Okay, could you do the same thing with file -i please ?
>
> Regards,
>
>
Thanks for your support :)

file -i gives:

message: message/rfc822

msg-5716-14.txt: text/plain; charset=utf-8

From devonharding at gmail.com Tue Feb 12 13:26:17 2008
From: devonharding at gmail.com (Devon Harding)
Date: Tue Feb 12 13:26:25 2008
Subject: Outbound relay on 587
In-Reply-To: <20080211080237.05f2d5d4@scorpio>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio>
Message-ID: <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com>

>
> OK, using telnet, access the SMTP server and attempt to send a message.
> You will know immediately if it needs authorization or not to complete
> the process. You might want to post the output of that telnet session
> here also.
>
> BTW, have you recompiled the *.mc files (I think that is what they are
> in Sendmail) and then restarted it?
>
> --

I ran a make -C /etc/mail and restarted the PC. I also changed the provider to comcast and got a similar message.

What is the format of the /etc/mail/authinfo file?

From Denis.Beauchemin at usherbrooke.ca Tue Feb 12 13:58:00 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue Feb 12 13:59:53 2008
Subject: continue not asking DCC
In-Reply-To: <797363C57EE0884786F428AAABCD469201490A68@sea0120sex2.nordic.x>
References: <797363C57EE0884786F428AAABCD469201490A68@sea0120sex2.nordic.x>
Message-ID: <47B1A5E8.8080401@USherbrooke.ca>

Meurlin Robert wrote:
>
> Hello,
>
> I got this in my log after installing DCC:
>
> continue not asking DCC 506 seconds after failure
>
> and when I write in command line
>
> cdcc info
> # 02/11/08 16:43:35 CET /var/dcc/map
> # Re-resolve names after 17:48:47
> # 12 total, 0 working servers
> # skipping asking DCC server 64 seconds more
> IPv6 off
>
> dcc1.dcc-servers.net,- RTT+1000 ms anon
> # 192.135.10.194,-
> # not answering
> # 208.201.249.233,-
> # not answering
> # 209.169.14.29,-
> # not answering
>
> dcc2.dcc-servers.net,- RTT+1000 ms anon
> # 71.246.8.99,-
> # not answering
> # 193.166.171.33,-
> # not answering
>
> dcc3.dcc-servers.net,- RTT+1000 ms anon
> # 64.124.52.232,-
> # not answering
> # 194.228.41.73,-
> # not answering
>
> dcc4.dcc-servers.net,- RTT+1000 ms anon
> # 137.208.8.26,-
> # not answering
> # 209.169.14.27,-
> # not answering
>
> dcc5.dcc-servers.net,- RTT+1000 ms anon
> # 208.201.249.232,-
> # not answering
> # 217.20.119.18,-
> # not answering
>
> I have open UDP port 6277 in/out.
>
> Does anyone have any idea?
>
> Robert
>
Robert,

I'm not sure about the port number... my dccifd daemon is listening on 46416 :
(output from netstat -tupan)
udp 0 0 0.0.0.0:46416 0.0.0.0:* 3694/dccifd

Since my iptables accepts established connexions I didn't open any port for it to work:
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

and cdcc info returns:
cdcc info
# 02/12/08 08:52:24 EST /var/dcc/map
# Re-resolve names after 10:02:06
# 1652.01 ms threshold, 1495.53 ms average 12 total, 10 working servers
IPv6 off

dcc1.dcc-servers.net,- RTT+1000 ms anon
# 192.135.10.194,- debian ID 1169
# protocol version 7
# 97% of 32 requests ok 552.01+1000 ms RTT 100 ms queue wait
# 194.228.41.13,- CTc-dcc2 ID 1031
# protocol version 7
# 88% of 32 requests ok 613.71+1000 ms RTT 100 ms queue wait
# 208.201.249.233,- sonic.net ID 1117
# 33% of 6 requests ok 2431.22+1000 ms RTT 500 ms queue wait

dcc2.dcc-servers.net,- RTT+1000 ms anon
# 194.119.212.6,- dcc1 ID 1182
# 88% of 32 requests ok 627.57+1000 ms RTT 300 ms queue wait
# 203.81.36.6,- PacNet-SG ID 1358
# protocol version 7
# 88% of 32 requests ok 557.65+1000 ms RTT 100 ms queue wait

dcc3.dcc-servers.net,- RTT+1000 ms anon
# 137.208.8.26,- wuwien ID 1290
# 97% of 32 requests ok 1020.06+1000 ms RTT 300 ms queue wait
# 152.20.253.5,- dcc.uncw.edu ID 1201
# 100% of 32 requests ok 807.54+1000 ms RTT 500 ms queue wait

dcc4.dcc-servers.net,- RTT+1000 ms anon
# 142.27.70.214,- CollegeOfNewCaledonia ID 1189
# protocol version 7
# not answering
# 207.195.195.223,- SIHOPE-DCC-3 ID 1085
# 81% of 32 requests ok 1364.47+1000 ms RTT 100 ms queue wait

dcc5.dcc-servers.net,- RTT+1000 ms anon
# 71.246.8.99,- Misty ID 1170
# protocol version 7
# 94% of 32 requests ok 727.02+1000 ms RTT 200 ms queue wait
# *195.20.8.232,- EATSERVER ID 1166
# 100% of 32 requests ok 171.74+1000 ms RTT 70 ms queue wait

127.0.0.1,- RTT-1000 ms 32768 3499495290y548
# 127.0.0.1,-
# not answering

################
# 02/12/08 08:52:24 EST GreyList /var/dcc/map
# Re-resolve names after 10:43:06
# 1 total, 0 working servers
# skipping asking Greylist server 64 seconds more

127.0.0.1,- Greylist 32768 3499495290y548
# 127.0.0.1,6276
# not answering

For yesterday's emails I got that many emails caught by DCC:
sa-hits --log /var/log/old/maillog.20080211|grep -i dcc
DCC_CHECK 3801

Hope this helps.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From campbell at cnpapers.com Tue Feb 12 15:17:19 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Feb 12 15:17:56 2008
Subject: Extreme OT - Thunderbird display problem.
Message-ID: <47B1B87F.6020307@cnpapers.com>

This is real OT, so I am accepting any spears thrown my way. I don't know where the problem really is - Sendmail, Thunderbird, or just what, so I ask here hoping others have run into this problem. It is definitely not a MailScanner problem. Google hasn't helped me, nor has the Thunderbird site.

I use rkhunter to report the status of my systems every day by email. The output of the reports sometimes uses the older console control characters for formatting. This does not display very well on my email reports, as tabs show up as "[1;32m"

Anyone know a fix for this either in SendMail, Thunderbird or any other place? I use Linux Sendmail servers and a PC with Thunderbird as a mail reader. Hopefully an add-on or something?

Thanks,

Steve Campbell

From gerard at seibercom.net Tue Feb 12 15:34:08 2008
From: gerard at seibercom.net (Gerard)
Date: Tue Feb 12 15:34:34 2008
Subject: Outbound relay on 587
In-Reply-To: <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com>
Message-ID: <20080212103408.77fd3e85@scorpio>

On Tue, 12 Feb 2008 08:26:17 -0500 "Devon Harding" wrote:

> I ran a make -C /etc/mail and restarted the PC. I also change the
> provider to comcast and got a similar message.
>
> What is the format of the /etc/mail/authinfo file?

If you mentioned the OS you are employing, I must have missed it. Anyway, that would not be the way to rebuild the *.mc files on a FreeBSD machine. Here, you would enter the /etc/mail directory and run:

make all install restart

I am not sure how to accomplish that on your OS however. I am probably wrong; however, I just do not think what you used will work.

Just my 2¢.

--
Gerard
gerard@seibercom.net

A bug in the code is worth two in the documentation.

From MailScanner at ecs.soton.ac.uk Tue Feb 12 16:16:38 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Feb 12 16:17:16 2008
Subject: No programs allowed
In-Reply-To: <47B17FA2.4030703@gmail.com>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com>
Message-ID: <47B1C666.9060900@ecs.soton.ac.uk>

In which case the simplest thing for you to do is to upgrade to the latest beta release (4.67.something). This includes a new feature where you can match against the output of the "file -i" command as well as (or instead of) the "file" command, in the filetype.rules.conf file.

Or else, create an "allow" rule for "PARIX executable" in filetype.rules.conf, and wait until the start of next month when I release the next stable release.

AlxFrag wrote:
> --[ UxBoD ]-- wrote:
>> Okay, could you do the same thing with file -i please ?
>>
>> Regards,
>>
>>
> Thanks for your support :)
>
> file -i gives:
>
> message: message/rfc822
>
> msg-5716-14.txt: text/plain; charset=utf-8
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Tue Feb 12 16:19:01 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Feb 12 16:19:35 2008
Subject: No programs allowed
In-Reply-To: <47B17FA2.4030703@gmail.com>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com>
Message-ID: <47B1C6F5.2060701@ecs.soton.ac.uk>

Oh, here's the comment from the latest ChangeLog which tells you a bit about the new "file -i" feature:

3 Implemented file MIME type checking, as reported by the "file -i" command. This includes 3 new settings, which all work just like their non-MIME brothers: "Log Permitted File MIME Types", "Allow File MIME Types" and "Deny File MIME Types". The main use is via the filetype.rules.conf file, where a new optional field may be added just after the regular expression field (just after the 2nd field in each line). If this field is added, then the "file -i" command is run on every batch of messages and the output checked against the MIME types specified in the newly inserted 3rd field (out of fields 1-5 on each line of filetype.rules.conf files).

AlxFrag wrote:
> --[ UxBoD ]-- wrote:
>> Okay, could you do the same thing with file -i please ?
>>
>> Regards,
>>
>>
> Thanks for your support :)
>
> file -i gives:
>
> message: message/rfc822
>
> msg-5716-14.txt: text/plain; charset=utf-8
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From doc at maddoc.net Tue Feb 12 16:25:26 2008
From: doc at maddoc.net (Doc Schneider)
Date: Tue Feb 12 16:26:04 2008
Subject: New ClamAV released
Message-ID: <47B1C876.9070700@maddoc.net>

ClamAV 0.92.1

This is a bugfix release, please refer to the ChangeLog for a complete list of changes.

--
-Doc
Lincoln, NE.
http://www.fsl.com
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From ravenpi at gmail.com Tue Feb 12 17:41:36 2008
From: ravenpi at gmail.com (ravenpi@gmail.com)
Date: Tue Feb 12 17:41:46 2008
Subject: It done broke. "Returned 22 with signal 0".
In-Reply-To:
References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com>
Message-ID: <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com>

[For the record, I also set up to use the native TNEF decoder.]

Thanks for the pointer; I hadn't thought to run that. --lint initially showed a bunch of permissions problems (including temporary files, which was tantalizing), but I fixed up the permissions, and it still fails with debug, etc.. Here is what I now get with --lint:

root@elanor:/var/lib/MailScanner# MailScanner --lint
Read 759 hostnames from the phishing whitelist
MailScanner setting GID to (121)
MailScanner setting UID to (112)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = flock
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav

So, that looks pretty good to me.
Then, I tried the -V:

root@elanor:/var/lib/MailScanner# MailScanner -V
Running on
Linux elanor.jots.org 2.6.20-16-generic #2 SMP Tue Dec 18 05:45:12 UTC 2007 i686 GNU/Linux
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.57.6
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.16 File::Temp
0.92 Filesys::Df
1.35 HTML::Entities
3.55 HTML::Parser
2.37 HTML::TokeParser
1.22 IO
1.13 IO::File
1.13 IO::Pipe
1.74 Mail::Header
3.07 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.07 MIME::QuotedPrint
5.420 MIME::Tools
0.11 Net::CIDR
1.09 POSIX
1.78 Socket
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.814 DB_File
1.13 DBD::SQLite
1.53 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Inline
missing Mail::ClamAV
3.001007 Mail::SpamAssassin
1.999001 Mail::SPF::Query
0.20 Net::CIDR::Lite
1.25 Net::IP
0.59 Net::DNS
missing Net::LDAP
missing Parse::RecDescent
missing SAVI
2.56 Test::Harness
0.62 Test::Simple
1.95 Text::Balanced
1.35 URI

Don't see anything particularly awry. But thems as knows more than I might be able to point out something I'm overlooking. Thanks for your suggestions!

On Feb 11, 2008 11:13 PM, Ugo Bellavance wrote:

> ravenpi@gmail.com wrote:
> > Hey, all. Long-time MailScanner user, always been very happy with it.
> > Have it installed on my month-old Ubuntu box, when, suddenly, it died
> > this past Sunday. Syslog says:
> > Mailscanner: Process did not exit cleanly, returned 22 with signal 0
> >
> > Running in debug mode says:
>
> What does 'MailScanner --lint' and 'MailScanner -V' show?
>
>
> Ugo
>

From glenn.steen at gmail.com Tue Feb 12 18:09:45 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 12 18:10:01 2008
Subject: Extreme OT - Thunderbird display problem.
In-Reply-To: <47B1B87F.6020307@cnpapers.com>
References: <47B1B87F.6020307@cnpapers.com>
Message-ID: <223f97700802121009k1bc07c34xeb3aabd3a17ff6cb@mail.gmail.com>

On 12/02/2008, Steve Campbell wrote:
> This is real OT, so I am accepting any spears thrown my way.
>
> I don't know where the problem really is - Sendmail, Thunderbird, or
> just what, so I ask here hoping others have run into this problem. It is
> definitely not a MailScanner problem. Google hasn't helped me, nor has
> the Thunderbird site.
>
> I use rkhunter to report the status of my systems every day by email.
> The output of the reports sometimes uses the older console control
> characters for formatting. This does not display very well on my email
> reports, as tabs show up as "[1;32m"
>
> Anyone know a fix for this either in SendMail, Thunderbird or any other
> place? I use Linux Sendmail servers and a PC with Thunderbird as a mail
> reader. Hopefully an add-on or something?
>
> Thanks,
>
> Steve Campbell
>
The escape sequences are for colorisation of the output, try the --nocolor option for your cronjob;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From naolson at gmail.com Tue Feb 12 18:20:44 2008
From: naolson at gmail.com (Nathan Olson)
Date: Tue Feb 12 18:20:53 2008
Subject: Outbound relay on 587
In-Reply-To: <20080212103408.77fd3e85@scorpio>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> <20080212103408.77fd3e85@scorpio>
Message-ID: <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com>

Try switching the order (remember to rebuild the *.cf files afterwards).

define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`SMART_HOST', `mail.isp.net')

Nate

From glenn.steen at gmail.com Tue Feb 12 18:32:37 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 12 18:32:48 2008
Subject: Extreme OT - Thunderbird display problem.
In-Reply-To: <223f97700802121009k1bc07c34xeb3aabd3a17ff6cb@mail.gmail.com>
References: <47B1B87F.6020307@cnpapers.com> <223f97700802121009k1bc07c34xeb3aabd3a17ff6cb@mail.gmail.com>
Message-ID: <223f97700802121032m1012843an5e0d70af511a6a7b@mail.gmail.com>

On 12/02/2008, Glenn Steen wrote:
> On 12/02/2008, Steve Campbell wrote:
> > This is real OT, so I am accepting any spears thrown my way.
> >
> > I don't know where the problem really is - Sendmail, Thunderbird, or
> > just what, so I ask here hoping others have run into this problem. It is
> > definitely not a MailScanner problem. Google hasn't helped me, nor has
> > the Thunderbird site.
> >
> > I use rkhunter to report the status of my systems every day by email.
> > The output of the reports sometimes uses the older console control
> > characters for formatting.
> > This does not display very well on my email
> > reports, as tabs show up as "[1;32m"
> >
> > Anyone know a fix for this either in SendMail, Thunderbird or any other
> > place? I use Linux Sendmail servers and a PC with Thunderbird as a mail
> > reader. Hopefully an add-on or something?
> >
> > Thanks,
> >
> > Steve Campbell
> >
> The escape sequences are for colorisation of the output, try the
> --nocolor option for your cronjob;-).
>
> Cheers
... --nocolors ... Pesky keyboard... But the --cronjob flag should make it skip the colors anyway...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Feb 12 18:46:19 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 12 18:46:30 2008
Subject: It done broke. "Returned 22 with signal 0".
In-Reply-To: <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com>
References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com>
Message-ID: <223f97700802121046j3700175an75ef605f9c73555c@mail.gmail.com>

On 12/02/2008, ravenpi@gmail.com wrote:
> [For the record, I also set up to use the native TNEF decoder.]
>
> Thanks for the pointer; I hadn't thought to run that. --lint initially
> showed a bunch of permissions problems (including temporary files, which was
> tantalizing), but I fixed up the permissions, and it still fails with debug,
> etc.. Here is what I now get with --lint:
>
> root@elanor:/var/lib/MailScanner# MailScanner --lint
> Read 759 hostnames from the phishing whitelist
> MailScanner setting GID to (121)
> MailScanner setting UID to (112)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = flock
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamav
>
> So, that looks pretty good to me. Then, I tried the -V:
>
> root@elanor:/var/lib/MailScanner# MailScanner -V
> Running on
> Linux elanor.jots.org 2.6.20-16-generic #2 SMP Tue Dec 18 05:45:12 UTC 2007
> i686 GNU/Linux
> This is Perl version 5.008008 (5.8.8)
>
> This is MailScanner version 4.57.6
Pretty old... is this via Ubuntu -deb/apt?

(snip)
>
> Don't see anything particularly awry. But thems as knows more than I might
> be able to point out something I'm overlooking. Thanks for your
> suggestions!
>
I'd start by trying out a newer release.... If all else fails, use the source (tarball) and the debianish init.d script from the download page.

If it still misbehaves after that... Well, we'll see then:-).
Postfix as MTA? Split maillog files? What do you have in the error file?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From campbell at cnpapers.com Tue Feb 12 19:17:27 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Feb 12 19:17:47 2008
Subject: Extreme OT - Thunderbird display problem.
In-Reply-To: <223f97700802121032m1012843an5e0d70af511a6a7b@mail.gmail.com>
References: <47B1B87F.6020307@cnpapers.com> <223f97700802121009k1bc07c34xeb3aabd3a17ff6cb@mail.gmail.com> <223f97700802121032m1012843an5e0d70af511a6a7b@mail.gmail.com>
Message-ID: <47B1F0C7.7040001@cnpapers.com>

Thanks Glenn and Bill for the help. The --nocolor fixed it. Apparently, there must have been a difference in the defaults, as this is a new version from the version I run on all of the other servers.

Just learning those are color codes may have been enough to prompt me, but I appreciate the direct nudge.

Steve

Glenn Steen wrote:
> On 12/02/2008, Glenn Steen wrote:
>
>> On 12/02/2008, Steve Campbell wrote:
>>
>>> This is real OT, so I am accepting any spears thrown my way.
>>>
>>> I don't know where the problem really is - Sendmail, Thunderbird, or
>>> just what, so I ask here hoping others have run into this problem. It is
>>> definitely not a MailScanner problem. Google hasn't helped me, nor has
>>> the Thunderbird site.
>>>
>>> I use rkhunter to report the status of my systems every day by email.
>>> The output of the reports sometimes uses the older console control
>>> characters for formatting. This does not display very well on my email
>>> reports, as tabs show up as "[1;32m"
>>>
>>> Anyone know a fix for this either in SendMail, Thunderbird or any other
>>> place? I use Linux Sendmail servers and a PC with Thunderbird as a mail
>>> reader. Hopefully an add-on or something?
>>>
>>> Thanks,
>>>
>>> Steve Campbell
>>>
>>>
>> The escape sequences are for colorisation of the output, try the
>> --nocolor option for your cronjob;-).
>>
>> Cheers
>>
> ... --nocolors ... Pesky keyboard... But the --cronjob flag should
> make it skip the colors anyway...
>
> Cheers
>

From ravenpi at gmail.com Tue Feb 12 19:25:50 2008
From: ravenpi at gmail.com (ravenpi@gmail.com)
Date: Tue Feb 12 19:26:02 2008
Subject: It done broke. "Returned 22 with signal 0".
In-Reply-To: <223f97700802121046j3700175an75ef605f9c73555c@mail.gmail.com>
References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com> <223f97700802121046j3700175an75ef605f9c73555c@mail.gmail.com>
Message-ID: <909697ba0802121125l26eb984j20f250d53549e9dc@mail.gmail.com>

I hate having to send e-mails like the one I'm typing right here, but here goes: I'm a nincompoop. Somehow -- and I have no idea how -- /tmp got owned by user 524 (perhaps a reflection of my uninstalling and re-installing MailScanner), with 700 permissions.

Ummmm. Duh. And, yeah, I guess that that explains plenty well why creating a tempfile wasn't working.

Anyway, thanks for all the suggestions. It's appreciated.

-Ken

On Feb 12, 2008 1:46 PM, Glenn Steen wrote:

> On 12/02/2008, ravenpi@gmail.com wrote:
> > [For the record, I also set up to use the native TNEF decoder.]
> >
> > Thanks for the pointer; I hadn't thought to run that. --lint initially
> > showed a bunch of permissions problems (including temporary files, which was
> > tantalizing), but I fixed up the permissions, and it still fails with debug,
> > etc.. Here is what I now get with --lint:
> >
> > root@elanor:/var/lib/MailScanner# MailScanner --lint
> > Read 759 hostnames from the phishing whitelist
> > MailScanner setting GID to (121)
> > MailScanner setting UID to (112)
> >
> > Checking for SpamAssassin errors (if you use it)...
> > Using SpamAssassin results cache
> > Connected to SpamAssassin cache database
> > SpamAssassin reported no errors.
> > Using locktype = flock
> > MailScanner.conf says "Virus Scanners = auto"
> > Found these virus scanners installed: clamav
> >
> > So, that looks pretty good to me. Then, I tried the -V:
> >
> > root@elanor:/var/lib/MailScanner# MailScanner -V
> > Running on
> > Linux elanor.jots.org 2.6.20-16-generic #2 SMP Tue Dec 18 05:45:12 UTC 2007
> > i686 GNU/Linux
> > This is Perl version 5.008008 (5.8.8)
> >
> > This is MailScanner version 4.57.6
> Pretty old... is this via Ubuntu -deb/apt?
>
> (snip)
> >
> > Don't see anything particularly awry. But thems as knows more than I might
> > be able to point out something I'm overlooking. Thanks for your
> > suggestions!
> >
> I'd start by trying out a newer release.... If all else fails, use the
> source (tarball) and the debianish init.d script from the download
> page.
>
> If it still misbehaves after that... Well, we'll see then:-).
> Postfix as MTA? Split maillog files? What do you have in the error file?
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

From glenn.steen at gmail.com Tue Feb 12 19:35:44 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 12 19:35:54 2008
Subject: It done broke. "Returned 22 with signal 0".
In-Reply-To: <909697ba0802121125l26eb984j20f250d53549e9dc@mail.gmail.com>
References: <909697ba0802111641v72c1d849ya8cb4db088af54a1@mail.gmail.com> <909697ba0802120941t1728a728w6e4c8a4eec584741@mail.gmail.com> <223f97700802121046j3700175an75ef605f9c73555c@mail.gmail.com> <909697ba0802121125l26eb984j20f250d53549e9dc@mail.gmail.com>
Message-ID: <223f97700802121135u2fcfdcb8w7fa0d03b2ee55725@mail.gmail.com>

On 12/02/2008, ravenpi@gmail.com wrote:
> I hate having to send e-mails like the one I'm typing right here, but here
> goes: I'm a nincompoop. Somehow -- and I have no idea how -- /tmp got owned
> by user 524 (perhaps a reflection of my uninstalling and re-installing
> MailScanner), with 700 permissions.
>
> Ummmm. Duh. And, yeah, I guess that that explains plenty well why creating
> a tempfile wasn't working.
>
> Anyway, thanks for all the suggestions. It's appreciated.
>
> -Ken
>
It's actually not that uncommon an error.... One "accidentally" removes /tmp ... and "something" comes along and creates it again.... with completely botched perms:-).
On a Mdv box close to me (resting on my lap:-) one can see the following:
$ ls -ld /tmp
drwxrwxrwt 10 root root 15680 2008-02-12 19:23 /tmp/
... so ...
remember to do the chmod 1777 thing;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From devonharding at gmail.com Wed Feb 13 03:19:49 2008
From: devonharding at gmail.com (Devon Harding)
Date: Wed Feb 13 03:19:58 2008
Subject: Outbound relay on 587
In-Reply-To: <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFB9A7.50804@nocservices.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> <20080212103408.77fd3e85@scorpio> <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com>
Message-ID: <2baac6140802121919gd517fe5y9921f7550a82e0a4@mail.gmail.com>

On Tue, Feb 12, 2008 at 1:20 PM, Nathan Olson wrote:

> Try switching the order (remember to rebuild the *.cf files afterwards).
>
> define(`RELAY_MAILER_ARGS', `TCP $h 587')
> define(`SMART_HOST', `mail.isp.net')
>
>
Got it working! Here's my settings:

/etc/mail/sendmail.mc
define(`SMART_HOST',`smtp.comcast.net')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl

/etc/mail/authinfo
AuthInfo:smtp.comcast.net "U:username@comcast.net" "P:password" "M:PLAIN"

Thanks everyone!

-Devon
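
The /tmp failure diagnosed earlier in this thread (directory owned by uid 524 with mode 700, fixed with chmod 1777) can be checked for with the sketch below. It is an added example, not code from MailScanner or from any poster; the function names and the directory group id 524 used in the test values are assumptions, while uid 112 / gid 121 are the MailScanner ids shown in the --lint output above.

```python
import os
import stat


def audit_shared_tmp(path="/tmp", expected_uid=0):
    """Return a list of findings for a shared temp directory (empty list = OK)."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner is uid {st.st_uid}, expected {expected_uid}")
    if mode & 0o777 != 0o777:
        # Services that drop privileges (MailScanner ran as uid 112 here)
        # cannot create temp files unless "other" has write and search.
        findings.append(f"{path}: mode {mode:04o} is not world-writable")
    if not mode & stat.S_ISVTX:
        # Without the sticky bit, any user with write access can delete or
        # rename other users' temp files.
        findings.append(f"{path}: mode {mode:04o} lacks the sticky bit")
    return findings


def may_create_in(dir_uid, dir_gid, mode, uid, gids):
    """Classic POSIX class check: creating a file needs w and x on the directory.

    Ignores ACLs and capabilities; root (uid 0) always passes.
    """
    if uid == 0:
        return True
    if uid == dir_uid:
        bits = (mode >> 6) & 0o7      # owner class
    elif dir_gid in gids:
        bits = (mode >> 3) & 0o7      # group class
    else:
        bits = mode & 0o7             # other class
    return bits & 0o3 == 0o3          # write (2) + search (1)


if __name__ == "__main__":
    for finding in audit_shared_tmp("/tmp"):
        print(finding)
    # The broken state from the thread: uid 524 owner, mode 0700, service uid 112.
    print("uid 112 can create temp files:", may_create_in(524, 524, 0o700, 112, [121]))
```

Run as a cron or monitoring check, an empty result from `audit_shared_tmp` means /tmp matches the `drwxrwxrwt root root` listing quoted in the thread.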

From alxfrag at gmail.com Wed Feb 13 09:12:01 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Wed Feb 13 09:11:22 2008
Subject: No programs allowed
In-Reply-To: <47B1C666.9060900@ecs.soton.ac.uk>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk>
Message-ID: <47B2B461.2020203@gmail.com>

Julian Field wrote:
> In which case the simplest thing for you to do is to upgrade to the
> latest beta release (4.67.something). This includes a new feature
> where you can match against the output of the "file -i" command as
> well as (or instead of) the "file" command, in the filetype.rules.conf
> file.
>
> Or else, create an "allow" rule for "PARIX executable" in
> filetype.rules.conf, and wait until the start of next month when I
> release the next stable release.
>
> AlxFrag wrote:
>> --[ UxBoD ]-- wrote:
>>> Okay, could you do the same thing with file -i please ?
>>>
>>> Regards,
>>>
>>>
>> Thanks for your support :)
>>
>> file -i gives:
>>
>> message: message/rfc822
>>
>> msg-5716-14.txt: text/plain; charset=utf-8
>>
>
> Jules
>
if i insert the following line in filetype.rules.conf is it gonna work?

allow PARIX - -

Regards,
Alex

From MailScanner at ecs.soton.ac.uk Wed Feb 13 09:51:25 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 13 09:51:48 2008
Subject: No programs allowed
In-Reply-To: <47B2B461.2020203@gmail.com>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com>
Message-ID: <47B2BD9D.8060804@ecs.soton.ac.uk>

AlxFrag wrote:
> Julian Field wrote:
>> In which case the simplest thing for you to do is to upgrade to the
>> latest beta release (4.67.something).
>> This includes a new feature
>> where you can match against the output of the "file -i" command as
>> well as (or instead of) the "file" command, in the
>> filetype.rules.conf file.
>>
>> Or else, create an "allow" rule for "PARIX executable" in
>> filetype.rules.conf, and wait until the start of next month when I
>> release the next stable release.
>>
>> AlxFrag wrote:
>>> --[ UxBoD ]-- wrote:
>>>> Okay, could you do the same thing with file -i please ?
>>>>
>>>> Regards,
>>>>
>>>>
>>> Thanks for your support :)
>>>
>>> file -i gives:
>>>
>>> message: message/rfc822
>>>
>>> msg-5716-14.txt: text/plain; charset=utf-8
>>>
>>
>> Jules
>>
> if i insert the following line in filetype.rules.conf is it gonna work?
>
> allow PARIX - -

That will solve the problem for this particular file, but you might hit similar problems with other files. Try it and see.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
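
The rule layout discussed in this thread (an allow rule in filetype.rules.conf, plus the optional MIME-type field from the ChangeLog entry) can be checked before MailScanner is reloaded. The sketch below is an added example, not MailScanner's own code: tab-separated fields, top-down first-match evaluation, the function names and the sample rules are assumptions, and Python's `re` stands in for Perl regex syntax.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rules (not a shipped MailScanner file). Fields are
# TAB-separated; line 5 deliberately uses spaces, line 6 has a broken regex,
# line 7 is missing fields.
SAMPLE_RULES = "\n".join([
    "# action<TAB>regex[<TAB>MIME regex]<TAB>log text<TAB>user text",
    "allow\tPARIX\t-\t-",
    "allow\ttext\ttext/plain\t-\t-",
    "deny\texecutable\tNo executables\tNo programs allowed",
    "allow PARIX - -",
    "deny\t(unclosed\t-\t-",
    "allow\ttext",
])


@dataclass
class Rule:
    lineno: int
    action: str
    pattern: "re.Pattern"
    mime_pattern: Optional["re.Pattern"]   # only present on 5-field lines
    log_text: str
    user_text: str


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Return (valid rules, problems) for filetype.rules.conf-style text."""
    rules: List[Rule] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) == 1 and len(line.split()) >= 4:
            problems.append(f"line {lineno}: fields are separated by spaces, not tabs")
            continue
        if len(fields) not in (4, 5):
            problems.append(f"line {lineno}: expected 4 or 5 fields, found {len(fields)}")
            continue
        mime = fields[2] if len(fields) == 5 else None
        try:
            pattern = re.compile(fields[1])
            mime_pattern = re.compile(mime) if mime is not None else None
        except re.error as exc:
            problems.append(f"line {lineno}: bad regular expression ({exc})")
            continue
        rules.append(Rule(lineno, fields[0], pattern, mime_pattern,
                          fields[-2], fields[-1]))
    return rules, problems


def first_match(rules: List[Rule], file_output: str) -> Optional[Rule]:
    """First rule whose regex matches the `file` output (assumed first match wins)."""
    for rule in rules:
        if rule.pattern.search(file_output):
            return rule
    return None


def first_mime_match(rules: List[Rule], mime_output: str) -> Optional[Rule]:
    """First rule with a MIME field that matches the `file -i` output."""
    for rule in rules:
        if rule.mime_pattern is not None and rule.mime_pattern.search(mime_output):
            return rule
    return None


if __name__ == "__main__":
    parsed, issues = parse_rules(SAMPLE_RULES)
    for issue in issues:
        print(issue)
    for output in ("PARIX executable", "DOS executable (COM)"):
        hit = first_match(parsed, output)
        print(output, "->", hit.action if hit else "no rule")
```

With the sample rules, a text file misreported by `file` as "DOS executable (COM)" still falls through to the deny rule, while its `file -i` output of `text/plain; charset=utf-8` matches the rule that carries a MIME field.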

From alxfrag at gmail.com Wed Feb 13 10:17:25 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Wed Feb 13 10:16:39 2008
Subject: No programs allowed
In-Reply-To: <47B2BD9D.8060804@ecs.soton.ac.uk>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com> <47B2BD9D.8060804@ecs.soton.ac.uk>
Message-ID: <47B2C3B5.7030409@gmail.com>

Julian Field wrote:
> AlxFrag wrote:
>
>> Julian Field wrote:
>>
>>> In which case the simplest thing for you to do is to upgrade to the
>>> latest beta release (4.67.something). This includes a new feature
>>> where you can match against the output of the "file -i" command as
>>> well as (or instead of) the "file" command, in the
>>> filetype.rules.conf file.
>>>
>>> Or else, create an "allow" rule for "PARIX executable" in
>>> filetype.rules.conf, and wait until the start of next month when I
>>> release the next stable release.
>>>
>>> AlxFrag wrote:
>>>
>>>> --[ UxBoD ]-- wrote:
>>>>
>>>>> Okay, could you do the same thing with file -i please ?
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>>
>>>> Thanks for your support :)
>>>>
>>>> file -i gives:
>>>>
>>>> message: message/rfc822
>>>>
>>>> msg-5716-14.txt: text/plain; charset=utf-8
>>>>
>>>>
>>> Jules
>>>
>>>
>> if i insert the following line in filetype.rules.conf is it gonna work?
>>
>> allow PARIX - -
>>
> That will solve the problem for this particular file, but you might hit
> similar problems with other files. Try it and see.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
ok it works now. As you said i'm having problem with other files too. Running the file command on a text file gave "DOS executable (COM)".

From prandal at herefordshire.gov.uk Wed Feb 13 11:52:30 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Feb 13 11:52:44 2008
Subject: New ClamAV released
In-Reply-To: <47B1C876.9070700@maddoc.net>
References: <47B1C876.9070700@maddoc.net>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA02EEE1E6@HC-MBX02.herefordshire.gov.uk>

From a post of mine on the clamav-users mailing list:

> clamscan --version behaves differently in 0.92.1 to 0.92
>
> # clamscan --version
> ClamAV 0.92.1
>
> # clamscan --version
> ClamAV 0.92/5785/Tue Feb 12 10:41:10 2008

It looks like the checkin to fix bug 699 (https://wwws.clamav.net/bugzilla/show_bug.cgi?id=699) has broken things.

There's been a report of segfaults with "clamscan --version" on Solaris.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Doc Schneider
> Sent: 12 February 2008 16:25
> To: MailScanner discussion
> Subject: New ClamAV released
>
> ClamAV 0.92.1
>
> This is a bugfix release, please refer to the ChangeLog for a complete
> list of changes.
>
> --
> -Doc
> Lincoln, NE.
> http://www.fsl.com
> http://www.genealogyforyou.com/
> http://www.cairnproductions.com/
>

From glenn.steen at gmail.com Wed Feb 13 13:08:04 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Feb 13 13:08:13 2008
Subject: No programs allowed
In-Reply-To: <47B2C3B5.7030409@gmail.com>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com> <47B2BD9D.8060804@ecs.soton.ac.uk> <47B2C3B5.7030409@gmail.com>
Message-ID: <223f97700802130508j783c460aif1ed9c4200707ae4@mail.gmail.com>

On 13/02/2008, AlxFrag wrote:
(snip)
>
> ok it works now. As you said i'm having problem with other files too.
> Running the file command on a text file gave "DOS executable (COM)".
>
Those are usually very "optimistic" one byte magic codes in the magic file that the file command uses. How to comment them out and recompile the magic file has been covered several times on this list.... I suggest you look through the archives for that, unless you know how already;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Wed Feb 13 15:38:45 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 13 15:39:08 2008
Subject: No programs allowed
In-Reply-To: <223f97700802130508j783c460aif1ed9c4200707ae4@mail.gmail.com>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net> <47B17FA2.4030703@gmail.com> <47B1C666.9060900@ecs.soton.ac.uk> <47B2B461.2020203@gmail.com> <47B2BD9D.8060804@ecs.soton.ac.uk> <47B2C3B5.7030409@gmail.com> <223f97700802130508j783c460aif1ed9c4200707ae4@mail.gmail.com>
Message-ID: <47B30F05.5040606@ecs.soton.ac.uk>

Glenn Steen wrote:
> On 13/02/2008, AlxFrag wrote:
> (snip)
>
>> ok it works now. As you said i'm having problem with other files too.
>> Running the file command on a text file gave "DOS executable (COM)".
>>
>>
> Those are usually very "optimistic" one byte magic codes in the magic
> file that the file command uses. How to comment them out and recompile
> the magic file has been covered several times on this list.... I
> suggest you look through the archives for that, unless you know how
> already;-).
>
To save you having to mess with the "magic" files on your server(s), you can just wait till the start of next month when I'll do a stable release including all the "file -i" stuff for matching MIME types as well as what it can do now.
> Cheers
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From devonharding at gmail.com Wed Feb 13 16:34:23 2008
From: devonharding at gmail.com (Devon Harding)
Date: Wed Feb 13 16:34:32 2008
Subject: Outbound relay on 587
In-Reply-To: <2baac6140802121919gd517fe5y9921f7550a82e0a4@mail.gmail.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com> <47AFBC98.9030403@nocservices.com> <2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com> <20080211063333.58ebf07d@scorpio> <2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com> <20080211080237.05f2d5d4@scorpio> <2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com> <20080212103408.77fd3e85@scorpio> <8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com> <2baac6140802121919gd517fe5y9921f7550a82e0a4@mail.gmail.com>
Message-ID: <2baac6140802130834v2adfd692x40058a60aea09560@mail.gmail.com>

>
> Got it working! Here's my settings:
>
> /etc/mail/sendmail.mc
> define(`SMART_HOST',`smtp.comcast.net')dnl
> define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
> FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
>
> /etc/mail/authinfo
> AuthInfo:smtp.comcast.net "U:username@comcast.net" "P:password" "M:PLAIN"
>
> Thanks everyone!
>
>
I just noticed that sendmail is now using the SMART_HOST for my incoming hosts as well. How can I tell it to use the SMART_HOST only for outbound mail?

-Devon
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080213/2c3ce790/attachment.html

From alxfrag at gmail.com Wed Feb 13 16:36:49 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Wed Feb 13 16:35:48 2008
Subject: No programs allowed
In-Reply-To: <47B30F05.5040606@ecs.soton.ac.uk>
References: <19508891.181202814438685.JavaMail.root@office.splatnix.net>
	<47B17FA2.4030703@gmail.com>
	<47B1C666.9060900@ecs.soton.ac.uk>
	<47B2B461.2020203@gmail.com>
	<47B2BD9D.8060804@ecs.soton.ac.uk>
	<47B2C3B5.7030409@gmail.com>
	<223f97700802130508j783c460aif1ed9c4200707ae4@mail.gmail.com>
	<47B30F05.5040606@ecs.soton.ac.uk>
Message-ID: <47B31CA1.1030509@gmail.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
>
>> On 13/02/2008, AlxFrag wrote:
>> (snip)
>>
>>> ok it works now. As you said i'm having problem with other files too.
>>> Running the file command on a text file gave "DOS executable (COM)".
>>>
>> Those are usually very "optimistic" one byte magic codes in the magic
>> file that the file command uses. How to comment them out and recompile
>> the magic file has been covered several times on this list.... I
>> suggest you look through the archives for that, unless you know how
>> already;-).
>>
> To save you having to mess with the "magic" files on your server(s), you
> can just wait till the start of next month when I'll do a stable release
> including all the "file -i" stuff for matching MIME types as well as
> what it can do now.
>
>> Cheers
>>
>
> Jules
>
> - --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.8.0 (Build 2158)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFHsw8GEfZZRxQVtlQRAl92AJ4npcV0JwhQzlAHK9iqds7jM4IxlwCfQllx
> nPGaJN3Z8xNuYxU4Lo2hX5I=
> =PBoi
> -----END PGP SIGNATURE-----
>

ok thank you. :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080213/d8297d9f/attachment.html

From rpoe at plattesheriff.org Wed Feb 13 16:51:33 2008
From: rpoe at plattesheriff.org (Rob Poe)
Date: Wed Feb 13 16:52:06 2008
Subject: Office 2007 Documents
Message-ID: <47B2CBB3.65ED.00A2.0@plattesheriff.org>

Having issues with MailScanner rejecting Office2007 document attachments,
because they're zip files AFAICT - and inside them are things with
multiple extensions

From MailScanner at ecs.soton.ac.uk Wed Feb 13 17:57:57 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 13 17:58:22 2008
Subject: Office 2007 Documents
In-Reply-To: <47B2CBB3.65ED.00A2.0@plattesheriff.org>
References: <47B2CBB3.65ED.00A2.0@plattesheriff.org>
Message-ID: <47B32FA5.9010903@ecs.soton.ac.uk>

Add these lines to /etc/MailScanner/filename.rules.conf, somewhere near
the top. And note that each of the "words" on each line must be
separated with tab characters and not spaces!

# These are in the archives which are Microsoft Office 2007 files (e.g. docx)
allow	\.xml\d*\.rel$	-	-
allow	\.x\d+\.rel$	-	-

Then "service MailScanner reload" or just wait a few hours and it will
start using the new configuration.

Rob Poe wrote:
> Having issues with MailScanner rejecting Office2007 document attachments, because they're zip files AFAICT - and inside them are things with multiple extensions
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ugob at lubik.ca Wed Feb 13 21:15:31 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Feb 13 21:16:02 2008
Subject: Outbound relay on 587
In-Reply-To: <2baac6140802130834v2adfd692x40058a60aea09560@mail.gmail.com>
References: <2baac6140802101817h98b835dr7c8b52762b3f799e@mail.gmail.com>
	<47AFBC98.9030403@nocservices.com>
	<2baac6140802102022laa57b76x8182c52b91960fdb@mail.gmail.com>
	<20080211063333.58ebf07d@scorpio>
	<2baac6140802110444t727b8a7j5ce7b8ac18c47e9b@mail.gmail.com>
	<20080211080237.05f2d5d4@scorpio>
	<2baac6140802120526l12a521dco2a4af2870f0215f9@mail.gmail.com>
	<20080212103408.77fd3e85@scorpio>
	<8f54b4330802121020w597f4267xd63c924f93684b6e@mail.gmail.com>
	<2baac6140802121919gd517fe5y9921f7550a82e0a4@mail.gmail.com>
	<2baac6140802130834v2adfd692x40058a60aea09560@mail.gmail.com>
Message-ID:

Devon Harding wrote:
>
> Got it working! Here's my settings:
>
> /etc/mail/sendmail.mc
> define(`SMART_HOST',`smtp.comcast.net')dnl
> define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
> FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
>
> /etc/mail/authinfo
> AuthInfo:smtp.comcast.net
> "U:username@comcast.net "
> "P:password" "M:PLAIN"
>
> Thanks everyone!
>
>
> I just noticed that sendmail is now using the SMART_HOST for my incoming
> hosts as well. How can I tell it to use the SMART_HOST only for
> outbound mail?

I don't understand what you mean?
It will send everything through the smart host, unless it is local.
For other domains, I guess you must use mailertable.

Ugo

From MailScanner at ecs.soton.ac.uk Wed Feb 13 22:47:02 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 13 22:47:47 2008
Subject: New ClamAV released
In-Reply-To: <47B1C876.9070700@maddoc.net>
References: <47B1C876.9070700@maddoc.net>
Message-ID: <47B37366.6000407@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just updated my easy-to-install ClamAV & SpamAssassin package to
include ClamAV 0.92.1.
Let me know if you have any problems with it, I have just dropped in the
new version.

Doc Schneider wrote:
> ClamAV 0.92.1
>
> This is a bugfix release, please refer to the ChangeLog for a complete
> list of changes.
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHs3NtEfZZRxQVtlQRAp/RAKCF6cR/gq2wn6Btt7qcZfIpSh0nEACg+i7w
qXRvBYKDU3N0WyFYXxJxnM0=
=3JgG
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Wed Feb 13 22:54:19 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 13 22:54:57 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com>
References: <47AB262E.6070808@alunys.com>
	<223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
	<223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
	<223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
	<47AC89B2.80906@ecs.soton.ac.uk>
	<47ACB045.4090504@alunys.com>
	<223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com>
Message-ID: <47B3751B.90001@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released a new beta 4.67.4 to attempt to fix this problem.
It's very awkward to find, as it only occurs on busy systems. I have
found a possible reason and have fixed that.

Please can you give this new version a try and let me know if it helps
solve the duplication problem at all.

Thanks folks!
Jules.

Glenn Steen wrote:
> On 08/02/2008, Cedric Devillers wrote:
>
>> Julian Field wrote:
>>
>>> Glenn Steen wrote:
>>>
>>>> On 08/02/2008, Glenn Steen wrote:
>>>>
>>>>> On 08/02/2008, Glenn Steen wrote:
>>>>>
>>>>>> On 07/02/2008, Cedric Devillers wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm trying to revive this thread from the last month because we are
>>>>>>> observing the exact same behavior on one of our servers.
>>>>>>>
>>>>>> Thanks for doing that, and for providing some more info.
>>>>>>
>>>>>>> So to remember the facts :
>>>>>>>
>>>>>>> - We are using mailscanner with postfix, and duplicated messages are
>>>>>>> generated by mailscanner.
>>>>>>>
>>>>>>> - This system is the only one where we are observing this behavior.
>>>>>>> It has a little particularity : it mainly acts as a mail relay, but
>>>>>>> sometimes many mails are generated by the server itself (a script) and
>>>>>>> injected in postfix queues via sendmail command. We can always reproduce
>>>>>>> some duplicated messages with this script.
>>>>>>>
>>>>>>> - MailScanner is configured (by ruleset) to bypass scanning for those
>>>>>>> messages, but they are still entering the mailscanner logic (postfix ->
>>>>>>> hold queue -> mailscanner (no scan) -> active queue).
>>>>>>>
>>>>>> What does the ruleset look like? I'm sure it doesn't matter, but ...
>>>>>> just out of curiosity:-)...
>>>>>>
>>>>>>> - Mailwatch is running on this server, and for each duplicate we see
>>>>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final
>>>>>>> entry with the full body. Note that the recipient sees the full body on
>>>>>>> every duplicate.
>>>>>>>
>>>>>>> It looks like a locking problem, because all duplicates are with the
>>>>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy,
>>>>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to
>>>>>>> lock some queue file when message is marked not to be scanned by
>>>>>>> mailscanner ?
>>>>>>>
>>>>>> Yes, this seems plausible... Could you provide some log examples? Just
>>>>>> to see that it really is separate children reading the same queue
>>>>>> file...
>>>>>>
>>>>>>> I will not be very helpful to debug perl code, but I can provide any
>>>>>>> needed logs to help finding the origin of the problem.
>>>>>>>
>>>>>> I'll see what I can do, but... I think this isn't "my" code snippets,
>>>>>> but a thing that might have been present for a while... And I have a
>>>>>> serious lack of time to spend on this ATM (worse than last time,
>>>>>> before Xmas)... So no promises:-).
>>>>>>
>>>>>>> This is really a serious problem in this particular installation.
>>>>>>> But I must say that we have dozens of other servers that are running
>>>>>>> mailscanner/postfix, and we are very happy about them :)
>>>>>>>
>>>>>> Does it help if you DO scan with MS, but skip things at the next
>>>>>> level, for example:
>>>>>> Scan Messages = yes
>>>>>> Use SpamAssassin = no
>>>>>> Dangerous Content Scanning = no
>>>>>> ... and possibly a few more (do them with a ruleset, of course:-)?
>>>>>>
>>>>> BTW, do you have any milters enabled in Postfix? What version of Postfix?
>>>>>
>>>>> Cheers
>>>>>
>>>> I think we need Jules on this one, not only feeble lil' me:-).
>>>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless
>>>> of the scanmail setting... But then, this is a rather complex bit of
>>>> code, where the "execution path" isn't always as straightforward as it
>>>> seems... Jules, could you spare a moment or two? Just to look at what
>>>> could possibly be wrong with the message->scanmail = 0 scenario?
>>>>
>>> Can you *briefly* explain what the problem is, what the symptoms are and
>>> where you think the problem might lie? This is a very long thread.... :-)
>>>
>>> Jules
>>>
>> Hi Julian
>>
>> The problem is that when sending many messages from the mailscanner host
>> (here via the sendmail command) and that this host is marked not to be
>> scanned by mailscanner (via a ruleset for "Scan Messages"), some mails
>> are duplicated by mailscanner.
>>
>> The ruleset in question is :
>> From: 127.0.0.1 no
>>
>> It seems that when the server is under high load and/or the message sent
>> is bigger, then the probability to have duplicates (sometimes 4 or 5 by
>> messages) is higher. Note that this is only based on my impressions
>> while trying to reproduce the problem :)
>>
>> I think the problem may be that in this particular case (locally sent
>> messages, not to be scanned by mailscanner), the file locking is
>> defective and multiple children are reading the same postfix queue file.
>> Note that I was not able to reproduce the problem with "Scan Messages =
>> yes".
>>
>> You can have a look at this log extract that shows duplicates for the ID
>> 11D67CE47AC :
>>
>> Feb 8 19:44:21 mail postfix/pickup[20676]: 11D67CE47AC: uid=48 from=
>> Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: hold: header Received: by mail.inforum.be (Postfix, from userid 48)??id 11D67CE47AC; Fri, 8 Feb 2008 19:44:20 +0100 (CET) from local; from=
>> Feb 8 19:44:21 mail postfix/cleanup[20678]: 11D67CE47AC: message-id=<20080208184421.11D67CE47AC@mail.inforum.be>
>> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 5B8AECE47A2.4FC7C to 08006CE47AB
>> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 342ACCE47B0.545F4 to E8253CE47A2
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: 8382ECE473F: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: E8253CE47A2: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: 08006CE47AB: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: 995D8CE47A5: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 5 messages
>> Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning: Starting
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 8F1BFCE47AC.62C1B to SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message C4702CE473F.14646 to SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 05006CE47AB.74D14 to SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 8F1BFCE47AC.62C1B: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 5B8AECE47A2.4FC7C to SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 342ACCE47B0.545F4 to SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: C4702CE473F.14646: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 05006CE47AB.74D14: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 5B8AECE47A2.4FC7C: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 342ACCE47B0.545F4: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16264]: New Batch: Forwarding 1 unscanned messages, 23120 bytes
>> Feb 8 19:44:21 mail postfix/pickup[20676]: 5B439CE47AF: uid=48 from=
>> Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: hold: header Received: by mail.inforum.be (Postfix, from userid 48)??id 5B439CE47AF; Fri, 8 Feb 2008 19:44:21 +0100 (CET) from local; from=
>> Feb 8 19:44:21 mail postfix/cleanup[20717]: 5B439CE47AF: message-id=<20080208184421.5B439CE47AF@mail.inforum.be>
>> Feb 8 19:44:21 mail MailScanner[16264]: Requeue: 11D67CE47AC.DC14A to B0A22CE47B7
>> Feb 8 19:44:21 mail MailScanner[16264]: Unscanned: Delivered 1 messages
>> Feb 8 19:44:21 mail MailScanner[16264]: Virus and Content Scanning: Starting
>> Feb 8 19:44:21 mail MailScanner[16229]: New Batch: Forwarding 1 unscanned messages, 0 bytes
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: B0A22CE47B7: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 11D67CE47AC.3898C to 084DCCE47BA
>> Feb 8 19:44:21 mail postfix/qmgr[19269]: 084DCCE47BA: from=, size=22977, nrcpt=1 (queue active)
>> Feb 8 19:44:21 mail MailScanner[16229]: Unscanned: Delivered 1 messages
>> Feb 8 19:44:21 mail MailScanner[16229]: Virus and Content Scanning: Starting
>> Feb 8 19:44:21 mail MailScanner[16264]: Logging message 11D67CE47AC.DC14A to SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.DC14A: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail MailScanner[16229]: Logging message 11D67CE47AC.3898C to SQL
>> Feb 8 19:44:21 mail MailScanner[16596]: 11D67CE47AC.3898C: Logged to MailWatch SQL
>> Feb 8 19:44:21 mail postfix/smtp[20778]: 9EDC5CE47B2: to=, relay=mail.alunys.com[212.35.119.247], delay=2, status=sent (250 O
>>
>
> Thanks Cedric, this, and the child thing suggested by alex,
> corroborate the theory of what is going bad, limiting what need be
> scrutinized.... which is a good thing:-). Still, I've been looking and
> can't for the life of me see where it goes haywire....:-/
> Hopefully Jules (or Phil... or me a bit more sober...:-) will find something.
>
> Cheers
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHs3UoEfZZRxQVtlQRAlg/AJ0cUHoD3g+yvdoDdCtvLjbAU5z/9wCeJ1aE
3zdYbrt+f44K0D/wPXq6l08=
=Rdy4
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

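[Added example, not part of any message in this thread and not MailScanner code.] The symptom described above is one Postfix queue ID appearing in several "Requeue:" entries with different entropy suffixes, handled by different MailScanner children. The sketch below finds that pattern in syslog output; the sample lines are copied from the log excerpt quoted in the thread with the mail-client line wrapping removed, and the function names are hypothetical.

```python
import re
from collections import defaultdict, namedtuple

# One "Requeue" event: which MailScanner child did it, under which
# entropy suffix, and which new Postfix queue ID the copy received.
Requeue = namedtuple("Requeue", "pid entropy new_id")

# "MailScanner[pid]: Requeue: <postfix-id>.<entropy> to <new-postfix-id>"
REQUEUE_RE = re.compile(
    r"MailScanner\[(\d+)\]: Requeue: ([0-9A-F]+)\.([0-9A-F]+) to ([0-9A-F]+)"
)
# "MailScanner[pid]: New Batch: Forwarding N unscanned messages, B bytes"
BATCH_RE = re.compile(
    r"MailScanner\[(\d+)\]: New Batch: "
    r"Forwarding (\d+) unscanned messages, (\d+) bytes"
)

# Lines taken from the excerpt quoted in the thread (unwrapped).
SAMPLE_LOG = """\
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 5B8AECE47A2.4FC7C to 08006CE47AB
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 342ACCE47B0.545F4 to E8253CE47A2
Feb 8 19:44:21 mail MailScanner[16264]: New Batch: Forwarding 1 unscanned messages, 23120 bytes
Feb 8 19:44:21 mail MailScanner[16264]: Requeue: 11D67CE47AC.DC14A to B0A22CE47B7
Feb 8 19:44:21 mail MailScanner[16229]: New Batch: Forwarding 1 unscanned messages, 0 bytes
Feb 8 19:44:21 mail MailScanner[16229]: Requeue: 11D67CE47AC.3898C to 084DCCE47BA
"""


def find_duplicate_requeues(lines):
    """Map each Postfix queue ID requeued under more than one entropy
    suffix to the list of Requeue events seen for it."""
    by_queue_id = defaultdict(list)
    for line in lines:
        match = REQUEUE_RE.search(line)
        if match:
            pid, queue_id, entropy, new_id = match.groups()
            by_queue_id[queue_id].append(Requeue(pid, entropy, new_id))
    return {
        queue_id: hits
        for queue_id, hits in by_queue_id.items()
        if len({hit.entropy for hit in hits}) > 1
    }


def find_empty_batches(lines):
    """Return the PIDs of children that forwarded a non-empty batch of
    messages whose total size was logged as 0 bytes."""
    pids = []
    for line in lines:
        match = BATCH_RE.search(line)
        if match and int(match.group(2)) > 0 and int(match.group(3)) == 0:
            pids.append(match.group(1))
    return pids


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for queue_id, hits in find_duplicate_requeues(log).items():
        children = sorted({hit.pid for hit in hits})
        new_ids = [hit.new_id for hit in hits]
        print(f"{queue_id}: requeued {len(hits)} times "
              f"by children {children} as {new_ids}")
    for pid in find_empty_batches(log):
        print(f"child {pid}: forwarded a batch logged as 0 bytes")
```

On a live system the same functions can be fed the mail log line by line; a queue ID that shows up here has been delivered once per listed requeue.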
From MailScanner at ecs.soton.ac.uk Wed Feb 13 23:14:26 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 13 23:14:57 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> References: <47AB262E.6070808@alunys.com> <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com> <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com> <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com> <47AC89B2.80906@ecs.soton.ac.uk> <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com> Message-ID: <47B379D2.6090202@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 08/02/2008, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Glenn Steen wrote: >> >>> On 08/02/2008, Glenn Steen wrote: >>> >>> >>>> On 08/02/2008, Glenn Steen wrote: >>>> >>>> >>>>> On 07/02/2008, Cedric Devillers wrote: >>>>> >>>>> >>>>>> Hello, >>>>>> >>>>>> I'm trying to revive this thread from the last month because we are >>>>>> observing the exact same behavior on one of our servers. >>>>>> >>>>>> >>>>> Thanks for doing that, and for providing some more info. >>>>> >>>>> >>>>> >>>>>> So to remember the facts : >>>>>> >>>>>> - We are using mailscanner with postfix, and duplicated messages are >>>>>> generated by mailscanner. >>>>>> >>>>>> - This system is the only one where we are observing this behavior. It >>>>>> have a little particularity : it mainly act as a mail relay, but >>>>>> sometimes many mails are generated by the server itself (a script) and >>>>>> injected in postfix queues via sendmail command. We can always reproduce >>>>>> some duplicated messages with this script. >>>>>> >>>>>> - MailScanner is configured (by ruleset) to bypass scanning for thoses >>>>>> messages, but they are still entering the mailscanner logic (postix -> >>>>>> hold queue -> mailscanner (no scan) -> active queue). 
>>>>>> >>>>>> >>>>> What does the ruleset look like? I'm sure it doesn't matter, but ... >>>>> just out of curiosity:-)... >>>>> >>>>> >>>>> >>>>>> - Mailwatch is running on this server, and for each duplicates we see >>>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final >>>>>> entry with the full body. Note that the recipient see the full body on >>>>>> every duplicate. >>>>>> >>>>>> It looks like a locking problem, because all duplicates are with the >>>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy, >>>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to >>>>>> lock some queue file when message is marked not to be scanned by >>>>>> mailscanner ? >>>>>> >>>>>> >>>>> Yes, this seems plausible... Could you provide some log examples? Just >>>>> to see that it really is separate children reading the same queue >>>>> file... >>>>> >>>>> >>>>> >>>>> >>>>>> I will not be very helpfull to debug perl code, but i can provide any >>>>>> needed logs to help finding the origin of the problem. >>>>>> >>>>>> >>>>> I'll see what I can do, but... I think this isn't "my" code snippets, >>>>> but a thing that might have been present for a while... And I have a >>>>> serious lack of time to spend on this ATM (worse than last time, >>>>> before Xmas)... So no promises:-). >>>>> >>>>> >>>>> >>>>>> This is really a serious problem in this particular installation. But i >>>>>> must say that we have dozens of other servers that are running >>>>>> mailscanner/postfix, and we are very happy about thems :) >>>>>> >>>>>> >>>>> Does it help if you DO scan with MS, but skip things at the next >>>>> level, for example: >>>>> Scan Messages = yes >>>>> Use SpamAssassin = no >>>>> Dangerous Content Scanning = no >>>>> ... and possibly a few more (do them with a ruleset, of course:-)? >>>>> >>>>> >>>>> >>>> BTW, do you have any milters enabled in Postfix? What version of Postfix? 
>>>>
>>>> Cheers
>>>>
>>> I think we need Jules on this one, not only feeble lil' me:-).
>>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless
>>> of the scanmail setting... But then, this is a rather complex bit of
>>> code, where the "execution path" isn't always as straightforward as it
>>> seems... Jules, could you spare a moment or two? Just to look at what
>>> could possibly be wrong with the message->scanmail = 0 scenario?
>>>
>> Can you *briefly* explain what the problem is, what the symptoms are and
>> where you think the problem might lie? This is a very long thread.... :-)
>>
>> Jules
>>
> In short:
> When using Postfix and setting Scan Messages = no (with a ruleset, for
> some....), duplicates are "generated" by several MailScanner children
> picking up and delivering the same message.

Is the whole message being delivered multiple times, or are the
duplicates truncated at all?

P.S. Sorry for top-posting on this thread a few minutes ago :-(

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHs3nZEfZZRxQVtlQRAgtmAKDyt+y+fafkRvZQURVQajXKUBPCEACglEOV
N3ZN77/lKwzizAeWVhpbGkQ=
=3CSz
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From uxbod at splatnix.net Thu Feb 14 00:06:33 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Feb 14 00:13:56 2008
Subject: MailScanner consuming 100% CPU
Message-ID: <22967703.151202947592999.JavaMail.root@office.splatnix.net>

This evening my home server went crazy and when MS starts scanning a message it consumes 100% CPU :(

top shows :-

20692 postfix 25 0 234m 67m 3968 R 99.7 2.2 3:20.57 MailScanner

if I run a message through using MS --debug it goes through SA fine :-

[20692] dbg: shortcircuit: s/c ham due to SC_HAM, using score of -100
[20692] dbg: check: is spam? score=-20.001 required=5
[20692] dbg: check: tests=NO_RELAYS,SC_HAM
[20692] dbg: check: subtests=
[20692] dbg: plugin: Mail::SpamAssassin::Plugin::Shortcircuit=HASH(0x6d2be20) implements 'compile_now_finish', priority 0
max message size is '30k'

then it just hangs. I have set Virus Scanners = none but it still does the same. If I try and attach using strace nothing ever shows. Any ideas I am really stuck :(

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From uxbod at splatnix.net Thu Feb 14 00:39:56 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Feb 14 00:40:11 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <22967703.151202947592999.JavaMail.root@office.splatnix.net>
Message-ID: <13124449.01202949596358.JavaMail.root@office.splatnix.net>

Hmmm ...

Something not right me thinks ... the incoming directory only has headers and no content :(

[root@mailhub MailScanner]# cd incoming/
[root@mailhub incoming]# ls -lR
.:
total 12
drwxrwx--- 5 postfix clamav 4096 Feb 14 00:31 24771
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24818
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24853

./24771:
total 24
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 882C8D02BA.66EC9
-rw-rw---- 1 postfix clamav 1135 Feb 14 00:31 882C8D02BA.66EC9.header
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 9A670D02B8.069CB
-rw-rw---- 1 postfix clamav 3938 Feb 14 00:31 9A670D02B8.069CB.header
drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 C8EBFD02B9.1978E
-rw-rw---- 1 postfix clamav 3031 Feb 14 00:31 C8EBFD02B9.1978E.header

./24771/882C8D02BA.66EC9:
total 0

./24771/9A670D02B8.069CB:
total 0

./24771/C8EBFD02B9.1978E:
total 0

./24818:
total 0

./24853:
total 0

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "--[ UxBoD ]--" wrote:

> This evening my home server went crazy and when MS starts scanning a
> message it consumes 100% CPU :(
>
> top shows :-
>
> 20692 postfix 25 0 234m 67m 3968 R 99.7 2.2 3:20.57
> MailScanner
>
> if I run a message through using MS --debug it goes through SA fine
> :-
>
> [20692] dbg: shortcircuit: s/c ham due to SC_HAM, using score of -100
> [20692] dbg: check: is spam? score=-20.001 required=5
> [20692] dbg: check: tests=NO_RELAYS,SC_HAM
> [20692] dbg: check: subtests=
> [20692] dbg: plugin:
> Mail::SpamAssassin::Plugin::Shortcircuit=HASH(0x6d2be20) implements
> 'compile_now_finish', priority 0
> max message size is '30k'
>
> then it just hangs. I have set Virus Scanners = none but it still
> does the same. If I try and attach using strace nothing ever shows.
> Any ideas I am really stuck :(
>
>
> Regards,

From MailScanner at ecs.soton.ac.uk Thu Feb 14 08:30:40 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 14 08:32:46 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <13124449.01202949596358.JavaMail.root@office.splatnix.net>
References: <13124449.01202949596358.JavaMail.root@office.splatnix.net>
Message-ID: <47B3FC30.7000105@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Start by checking things like the SpamAssassin cache db has not got
corrupted. It's in /var/spool/MailScanner/incoming. Just delete the
database files and they will rapidly be recreated. It costs you a bit in
processing speed for a couple of minutes but does no other harm than
that. Screwed cache DB files can cause all sorts of weird symptoms.

- --[ UxBoD ]-- wrote:
> Hmmm ...
>
> Something not right me thinks ... the incoming directory only has headers and no content :(
>
> [root@mailhub MailScanner]# cd incoming/
> [root@mailhub incoming]# ls -lR
> .:
> total 12
> drwxrwx--- 5 postfix clamav 4096 Feb 14 00:31 24771
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24818
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24853
>
> ./24771:
> total 24
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 882C8D02BA.66EC9
> -rw-rw---- 1 postfix clamav 1135 Feb 14 00:31 882C8D02BA.66EC9.header
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 9A670D02B8.069CB
> -rw-rw---- 1 postfix clamav 3938 Feb 14 00:31 9A670D02B8.069CB.header
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 C8EBFD02B9.1978E
> -rw-rw---- 1 postfix clamav 3031 Feb 14 00:31 C8EBFD02B9.1978E.header
>
> ./24771/882C8D02BA.66EC9:
> total 0
>
> ./24771/9A670D02B8.069CB:
> total 0
>
> ./24771/C8EBFD02B9.1978E:
> total 0
>
> ./24818:
> total 0
>
> ./24853:
> total 0
>
>
> Regards,
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: UTF-8

wj8DBQFHs/w2EfZZRxQVtlQRAh8LAKDkG+vzQ8lT6qrn3him0SVatHJhTgCfcIxU
vNIHUATIIvvTXkeMab16H3w=
=N5u1
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From uxbod at splatnix.net Thu Feb 14 08:39:07 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Feb 14 08:39:24 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <47B3FC30.7000105@ecs.soton.ac.uk>
Message-ID: <21712422.61202978347947.JavaMail.root@office.splatnix.net>

Hi Jules,

one step ahead ;) tried that at 1am this morning and still the same problem :( a spamassassin -D --lint works just fine, but when I run MS through debug it does appear to complete the SA checks but then hangs when it says "message size 30k". What is happening after this bit ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Julian Field" wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Start by checking things like the SpamAssassin cache db has not got
corrupted. It's in /var/spool/MailScanner/incoming. Just delete the
database files and they will rapidly be recreated. It costs you a bit in
processing speed for a couple of minutes but does no other harm than
that. Screwed cache DB files can cause all sorts of weird symptoms.

- --[ UxBoD ]-- wrote:
> Hmmm ...
>
> Something not right me thinks ... the incoming directory only has headers and no content :(
>
> [root@mailhub MailScanner]# cd incoming/
> [root@mailhub incoming]# ls -lR
> .:
> total 12
> drwxrwx--- 5 postfix clamav 4096 Feb 14 00:31 24771
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24818
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 24853
>
> ./24771:
> total 24
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 882C8D02BA.66EC9
> -rw-rw---- 1 postfix clamav 1135 Feb 14 00:31 882C8D02BA.66EC9.header
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 9A670D02B8.069CB
> -rw-rw---- 1 postfix clamav 3938 Feb 14 00:31 9A670D02B8.069CB.header
> drwxrwx--- 2 postfix clamav 4096 Feb 14 00:31 C8EBFD02B9.1978E
> -rw-rw---- 1 postfix clamav 3031 Feb 14 00:31 C8EBFD02B9.1978E.header
>
> ./24771/882C8D02BA.66EC9:
> total 0
>
> ./24771/9A670D02B8.069CB:
> total 0
>
> ./24771/C8EBFD02B9.1978E:
> total 0
>
> ./24818:
> total 0
>
> ./24853:
> total 0
>
>
> Regards,
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: UTF-8

wj8DBQFHs/w2EfZZRxQVtlQRAh8LAKDkG+vzQ8lT6qrn3him0SVatHJhTgCfcIxU
vNIHUATIIvvTXkeMab16H3w=
=N5u1
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From glenn.steen at gmail.com Thu Feb 14 09:33:01 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 14 09:33:11 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47B379D2.6090202@ecs.soton.ac.uk>
References: <47AB262E.6070808@alunys.com>
 <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
 <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
 <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
 <47AC89B2.80906@ecs.soton.ac.uk>
 <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
 <47B379D2.6090202@ecs.soton.ac.uk>
Message-ID: <223f97700802140133k60093df0r439be4296311e2e3@mail.gmail.com>

On 14/02/2008, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
> > On 08/02/2008, Julian Field wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Glenn Steen wrote:
> >>
> >>> On 08/02/2008, Glenn Steen wrote:
> >>>
> >>>> On 08/02/2008, Glenn Steen wrote:
> >>>>
> >>>>> On 07/02/2008, Cedric Devillers wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> I'm trying to revive this thread from the last month because we are
> >>>>>> observing the exact same behavior on one of our servers.
> >>>>>>
> >>>>> Thanks for doing that, and for providing some more info.
> >>>>>
> >>>>>> So to remember the facts :
> >>>>>>
> >>>>>> - We are using mailscanner with postfix, and duplicated messages are
> >>>>>> generated by mailscanner.
> >>>>>>
> >>>>>> - This system is the only one where we are observing this behavior. It
> >>>>>> has a little particularity : it mainly acts as a mail relay, but
> >>>>>> sometimes many mails are generated by the server itself (a script) and
> >>>>>> injected in postfix queues via sendmail command. We can always reproduce
> >>>>>> some duplicated messages with this script.
> >>>>>>
> >>>>>> - MailScanner is configured (by ruleset) to bypass scanning for those
> >>>>>> messages, but they are still entering the mailscanner logic (postfix ->
> >>>>>> hold queue -> mailscanner (no scan) -> active queue).
> >>>>>>
> >>>>> What does the ruleset look like? I'm sure it doesn't matter, but ...
> >>>>> just out of curiosity:-)...
> >>>>>
> >>>>>> - Mailwatch is running on this server, and for each duplicate we see
> >>>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final
> >>>>>> entry with the full body. Note that the recipient sees the full body on
> >>>>>> every duplicate.
> >>>>>>
> >>>>>> It looks like a locking problem, because all duplicates are with the
> >>>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy,
> >>>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to
> >>>>>> lock some queue file when message is marked not to be scanned by
> >>>>>> mailscanner ?
> >>>>>>
> >>>>> Yes, this seems plausible... Could you provide some log examples? Just
> >>>>> to see that it really is separate children reading the same queue
> >>>>> file...
> >>>>>
> >>>>>> I will not be very helpful to debug perl code, but I can provide any
> >>>>>> needed logs to help finding the origin of the problem.
> >>>>>>
> >>>>> I'll see what I can do, but... I think this isn't "my" code snippets,
> >>>>> but a thing that might have been present for a while... And I have a
> >>>>> serious lack of time to spend on this ATM (worse than last time,
> >>>>> before Xmas)... So no promises:-).
> >>>>>
> >>>>>> This is really a serious problem in this particular installation.
But I
> >>>>>> must say that we have dozens of other servers that are running
> >>>>>> mailscanner/postfix, and we are very happy about them :)
> >>>>>>
> >>>>> Does it help if you DO scan with MS, but skip things at the next
> >>>>> level, for example:
> >>>>> Scan Messages = yes
> >>>>> Use SpamAssassin = no
> >>>>> Dangerous Content Scanning = no
> >>>>> ... and possibly a few more (do them with a ruleset, of course:-)?
> >>>>>
> >>>> BTW, do you have any milters enabled in Postfix? What version of Postfix?
> >>>>
> >>>> Cheers
> >>>>
> >>> I think we need Jules on this one, not only feeble lil' me:-).
> >>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless
> >>> of the scanmail setting... But then, this is a rather complex bit of
> >>> code, where the "execution path" isn't always as straightforward as it
> >>> seems... Jules, could you spare a moment or two? Just to look at what
> >>> could possibly be wrong with the message->scanmail = 0 scenario?
> >>>
> >> Can you *briefly* explain what the problem is, what the symptoms are and
> >> where you think the problem might lie? This is a very long thread.... :-)
> >>
> >> Jules
> >>
> > In short:
> > When using Postfix and setting Scan Messages = no (with a ruleset, for
> > some....), duplicates are "generated" by several MailScanner children
> > picking up and delivering the same message.
>
> Is the whole message being delivered multiple times, or are the
> duplicates truncated at all?

AFAIU, the messages are delivered seemingly whole (but seem slightly truncated in MW, at least according to Cedric).

> P.S. Sorry for top-posting on this thread a few minutes ago :-(

It's your list, you are forgiven:-). And with that type of info... We'd pretty much forgive anything (even bad language... not that it'd ever happen with you:-):-).
I'll try to find some time, but I think that the ones who have reported this problem (Cedric in particular) are the ones that need to test this... So, Cedric... Pretty please try this beta on your production host and then report back... So that the fix can be included in the next stable release!

Just out of curiosity (I'll at least DL and read the beta...)... Where should I look for the fix?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Feb 14 09:43:47 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 14 09:43:57 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <21712422.61202978347947.JavaMail.root@office.splatnix.net>
References: <47B3FC30.7000105@ecs.soton.ac.uk>
 <21712422.61202978347947.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700802140143n2bbd28f9y7130ae80eecd898f@mail.gmail.com>

On 14/02/2008, --[ UxBoD ]-- wrote:
> Hi Jules,
>
> one step ahead ;) tried that at 1am this morning and still the same problem :( a spamassassin -D --lint works just fine, but when I run MS through debug it does appear to complete the SA checks but then hangs when it says "message size 30k". What is happening after this bit ?
>
> Regards,
>

What do your PF logs show? What does a ps listing of the children show? You're not short on disk for tmp/tmpfs? What messages do you have waiting? Something massive? What does a postcat of them look like? ....
and probably a few other questions...:-)

I'm sure you've looked already, but it doesn't hurt checking:-):-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Thu Feb 14 10:07:14 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Feb 14 10:07:30 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <223f97700802140143n2bbd28f9y7130ae80eecd898f@mail.gmail.com>
Message-ID: <1433407.241202983634886.JavaMail.root@office.splatnix.net>

Hi Glenn,

pf logs are fine, I even ran a postfix check and set-permissions just in case. Three messages are in the queue and are about 2k in size each. I even dropped the tmpfs and ran it directly to the file system. No change.

For the time being I am routing messages directly, as the PostFix checks are blocking most things. I will take a deeper look at it this evening when I am back home. Any other suggestions are greatly appreciated.

Any other ways I can debug the code Jules to find where it is stalling ?
Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Glenn Steen" wrote:
> On 14/02/2008, --[ UxBoD ]-- wrote:

From cde at alunys.com Thu Feb 14 10:19:01 2008
From: cde at alunys.com (Cedric Devillers)
Date: Thu Feb 14 10:20:23 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47B3751B.90001@ecs.soton.ac.uk>
References: <47AB262E.6070808@alunys.com>
 <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
 <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
 <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
 <47AC89B2.80906@ecs.soton.ac.uk>
 <47ACB045.4090504@alunys.com>
 <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com>
 <47B3751B.90001@ecs.soton.ac.uk>
Message-ID: <47B41595.2070104@alunys.com>

Julian Field wrote:
> I have just released a new beta 4.67.4 to attempt to fix this problem.
> It's very awkward to find, as it only occurs on busy systems. I have
> found a possible reason and have fixed that.
>
> Please can you give this new version a try and let me know if it helps
> solve the duplication problem at all.
>
> Thanks folks!
> Jules.
>

Thanks for your attention on this problem.

Is it possible to just copy some files from the tarball to the production system to test this ?

I just ask this because we use home packaged rpm versions of mailscanner (with just custom prefs files and defaults location), so do I need to repackage the whole stuff to test it ?

As it is a production system, I need to wait after office hours to test it. So I'll try to do it later today or tomorrow.
--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From cde at alunys.com Thu Feb 14 10:23:55 2008
From: cde at alunys.com (Cedric Devillers)
Date: Thu Feb 14 10:25:15 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <223f97700802140133k60093df0r439be4296311e2e3@mail.gmail.com>
References: <47AB262E.6070808@alunys.com>
 <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
 <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
 <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
 <47AC89B2.80906@ecs.soton.ac.uk>
 <223f97700802081102p12a1d049p816ebcfbf99e0f97@mail.gmail.com>
 <47B379D2.6090202@ecs.soton.ac.uk>
 <223f97700802140133k60093df0r439be4296311e2e3@mail.gmail.com>
Message-ID: <47B416BB.5080600@alunys.com>

Glenn Steen wrote:
> On 14/02/2008, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Glenn Steen wrote:
>> > On 08/02/2008, Julian Field wrote:
>> >
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA1
>> >>
>> >> Glenn Steen wrote:
>> >>
>> >>> On 08/02/2008, Glenn Steen wrote:
>> >>>
>> >>>> On 08/02/2008, Glenn Steen wrote:
>> >>>>
>> >>>>> On 07/02/2008, Cedric Devillers wrote:
>> >>>>>
>> >>>>>> Hello,
>> >>>>>>
>> >>>>>> I'm trying to revive this thread from the last month because we are
>> >>>>>> observing the exact same behavior on one of our servers.
>> >>>>>>
>> >>>>> Thanks for doing that, and for providing some more info.
>> >>>>>
>> >>>>>> So to remember the facts :
>> >>>>>>
>> >>>>>> - We are using mailscanner with postfix, and duplicated messages are
>> >>>>>> generated by mailscanner.
>> >>>>>>
>> >>>>>> - This system is the only one where we are observing this behavior.
It
>> >>>>>> has a little particularity : it mainly acts as a mail relay, but
>> >>>>>> sometimes many mails are generated by the server itself (a script) and
>> >>>>>> injected in postfix queues via sendmail command. We can always reproduce
>> >>>>>> some duplicated messages with this script.
>> >>>>>>
>> >>>>>> - MailScanner is configured (by ruleset) to bypass scanning for those
>> >>>>>> messages, but they are still entering the mailscanner logic (postfix ->
>> >>>>>> hold queue -> mailscanner (no scan) -> active queue).
>> >>>>>>
>> >>>>> What does the ruleset look like? I'm sure it doesn't matter, but ...
>> >>>>> just out of curiosity:-)...
>> >>>>>
>> >>>>>> - Mailwatch is running on this server, and for each duplicate we see
>> >>>>>> entries with null size body (2, 3, 4, sometimes 5) then at last a final
>> >>>>>> entry with the full body. Note that the recipient sees the full body on
>> >>>>>> every duplicate.
>> >>>>>>
>> >>>>>> It looks like a locking problem, because all duplicates are with the
>> >>>>>> same postfix queue ID and different entropy part (ID.xxxx, ID.yyyy,
>> >>>>>> ID.zzzz, etc). Can it be possible that a mailscanner child "fail" to
>> >>>>>> lock some queue file when message is marked not to be scanned by
>> >>>>>> mailscanner ?
>> >>>>>>
>> >>>>> Yes, this seems plausible... Could you provide some log examples? Just
>> >>>>> to see that it really is separate children reading the same queue
>> >>>>> file...
>> >>>>>
>> >>>>>> I will not be very helpful to debug perl code, but I can provide any
>> >>>>>> needed logs to help finding the origin of the problem.
>> >>>>>>
>> >>>>> I'll see what I can do, but... I think this isn't "my" code snippets,
>> >>>>> but a thing that might have been present for a while... And I have a
>> >>>>> serious lack of time to spend on this ATM (worse than last time,
>> >>>>> before Xmas)... So no promises:-).
>> >>>>>
>> >>>>>> This is really a serious problem in this particular installation. But I
>> >>>>>> must say that we have dozens of other servers that are running
>> >>>>>> mailscanner/postfix, and we are very happy about them :)
>> >>>>>>
>> >>>>> Does it help if you DO scan with MS, but skip things at the next
>> >>>>> level, for example:
>> >>>>> Scan Messages = yes
>> >>>>> Use SpamAssassin = no
>> >>>>> Dangerous Content Scanning = no
>> >>>>> ... and possibly a few more (do them with a ruleset, of course:-)?
>> >>>>>
>> >>>> BTW, do you have any milters enabled in Postfix? What version of Postfix?
>> >>>>
>> >>>> Cheers
>> >>>>
>> >>> I think we need Jules on this one, not only feeble lil' me:-).
>> >>> AFAICS, the locking/unlocking is handled _exactly_ the same regardless
>> >>> of the scanmail setting... But then, this is a rather complex bit of
>> >>> code, where the "execution path" isn't always as straightforward as it
>> >>> seems... Jules, could you spare a moment or two? Just to look at what
>> >>> could possibly be wrong with the message->scanmail = 0 scenario?
>> >>>
>> >> Can you *briefly* explain what the problem is, what the symptoms are and
>> >> where you think the problem might lie? This is a very long thread.... :-)
>> >>
>> >> Jules
>> >>
>> > In short:
>> > When using Postfix and setting Scan Messages = no (with a ruleset, for
>> > some....), duplicates are "generated" by several MailScanner children
>> > picking up and delivering the same message.
>>
>> Is the whole message being delivered multiple times, or are the
>> duplicates truncated at all?
> AFAIU, the messages are delivered seemingly whole (but seem slightly
> truncated in MW, at least according to Cedric).
>

That's true, here messages are delivered as complete, but in mailwatch we can't see the body (only headers) and the size is marked as null (only a "b" in the size column).

>> P.S.
Sorry for top-posting on this thread a few minutes ago :-(
> It's your list, you are forgiven:-). And with that type of info...
> We'd pretty much forgive anything (even bad language... not that it'd
> ever happen with you:-):-).
>
> I'll try to find some time, but I think that the ones who have reported
> this problem (Cedric in particular) are the ones that need to test
> this... So, Cedric... Pretty please try this beta on your production
> host and then report back... So that the fix can be included in the
> next stable release!
>
> Just out of curiosity (I'll at least DL and read the beta...)... Where
> should I look for the fix?
>
> Cheers

As I just replied to Jules, I'll try to test it today. But I won't have much time to play with mailscanner tonight :)

Anyway, if I can't today, I will surely try tomorrow.

--
AmsterGroup
145 rue Barastraat
B -1070 Brussels
T +32(0)2 556 28 11
F +32(0)2 556 28 10
www.amstergroup.com

From MailScanner at ecs.soton.ac.uk Thu Feb 14 10:48:30 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 14 10:48:59 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47B41595.2070104@alunys.com>
References: <47AB262E.6070808@alunys.com>
 <223f97700802080338h6ca967ack8c3c30a3e6788052@mail.gmail.com>
 <223f97700802080428i1ca27123g244e7657a34aff81@mail.gmail.com>
 <223f97700802080515l79633e75obe668d2117eea620@mail.gmail.com>
 <47AC89B2.80906@ecs.soton.ac.uk>
 <47ACB045.4090504@alunys.com>
 <223f97700802081339l3f19e204kebb9ef5d7afb390e@mail.gmail.com>
 <47B3751B.90001@ecs.soton.ac.uk>
 <47B41595.2070104@alunys.com>
Message-ID: <47B41C7E.9060303@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cedric Devillers wrote:
> Julian Field wrote:
>
>> I have just released a new beta 4.67.4 to attempt to fix this problem.
>> It's very awkward to find, as it only occurs on busy systems. I have
>> found a possible reason and have fixed that.
>>
>> Please can you give this new version a try and let me know if it helps
>> solve the duplication problem at all.
>>
>> Thanks folks!
>> Jules.
>>
>
> Thanks for your attention on this problem.
>
> Is it possible to just copy some files from the tarball to the
> production system to test this ?
>
New copies of Message.pm and MessageBatch.pm should be enough.
> I just ask this because we use home packaged rpm versions of mailscanner
> (with just custom prefs files and defaults location), so do I need to
> repackage the whole stuff to test it ?
>
> As it is a production system, I need to wait after office hours to test
> it. So I'll try to do it later today or tomorrow.
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: (pgp-secured)
Charset: ISO-8859-15

wj8DBQFHtBx/EfZZRxQVtlQRAklrAKC2Sk/loX1tEstk01vHc1b/vsiJswCgqhOC
yJebHTHkl4rT58fnfrQTE24=
=Mjjp
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From alxfrag at gmail.com Thu Feb 14 08:40:06 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Thu Feb 14 13:49:00 2008
Subject: Mailscanner warnings
Message-ID: <47B3FE66.9050504@gmail.com>

Hi,

I'm using mailscanner v. 4.66.5-3.
My logs file is full of warnings like shown below:

Feb 14 10:36:45 posidon MailScanner[27874]: Virus and Content Scanning: Starting
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unzip
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --jar
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tar
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tgz
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --deb
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --max-ratio
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tempdir
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --recursive (-r)
Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unrar

Is there any way I can stop that?

Thanks,

Alex

From MailScanner at ecs.soton.ac.uk Thu Feb 14 14:04:40 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 14 14:11:17 2008
Subject: Mailscanner warnings
In-Reply-To: <47B3FE66.9050504@gmail.com>
References: <47B3FE66.9050504@gmail.com>
Message-ID: <47B44A78.7080407@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What does MailScanner --lint say?

AlxFrag wrote:
> Hi,
>
> I'm using mailscanner v. 4.66.5-3.
My logs file is full of warnings
> like shown below:
>
> Feb 14 10:36:45 posidon MailScanner[27874]: Virus and Content
> Scanning: Starting
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --unzip
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --jar
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --tar
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --tgz
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --deb
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --max-ratio
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --tempdir
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --recursive (-r)
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option
> --unrar
>
> Is there any way I can stop that?
>
> Thanks,
>
> Alex

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHtEtpEfZZRxQVtlQRAkhlAJ9Of82becRsHgDMmWrVyfvJaVFuOACdFnhK
3Hg59laQALA1YGkA4DDZoVc=
=lWdI
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Kevin.Murphy at midland-ics.ie Thu Feb 14 16:12:03 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Thu Feb 14 16:05:46 2008
Subject: Question for the Experts
Message-ID: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>

Dear all

I recently made some changes to a domain's mx record.
It used to be, mx = serverA, which relays clean mail to Exchange Server

Because this domain was really getting hammered, I moved it to a more powerful spam filtering server.

MX Record is now ServerB, which fwds clean mail to ServerA, which relays it to the Exchange Server.

My Problem now is that some spammers are still sending mail direct to my ServerA for this Domain.

So I am looking at a way to configure the ServerA, so it only accepts mail for this domain if it comes from server (The more powerful one) So it drops the spammers on ServerA

Thanks

Kevin

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080214/3f750487/attachment.html

From bpirie at rma.edu Thu Feb 14 16:10:03 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Feb 14 16:09:58 2008
Subject: Question for the Experts
In-Reply-To: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
Message-ID: <47B467DB.10204@rma.edu>

I just went through a similar process here. I firewalled port 25 on ServerA so ServerA could only receive email from ServerB.

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record.
It used to be, mx =
> serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
> it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to my
> ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

From mailscanner at slackadelic.com Thu Feb 14 16:13:21 2008
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Thu Feb 14 16:13:32 2008
Subject: Question for the Experts
In-Reply-To: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
Message-ID: <47B468A1.2000800@slackadelic.com>

Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx =
> serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
> it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to my
> ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

Kevin,

This would more than likely be something you would have to configure at your MTA level and not within MailScanner itself.

-Matt

From alvaro at hostalia.com Thu Feb 14 16:23:08 2008
From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=)
Date: Thu Feb 14 16:23:18 2008
Subject: Question for the Experts
In-Reply-To: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
Message-ID: <47B46AEC.203@hostalia.com>

Hi,

> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA

Just, configure firewall rules to avoid that situation and ServerB's port 25 only accept connections from ServerA. Client's authenticated mails should be sent through the submission port (587).

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From list-mailscanner at linguaphone.com Thu Feb 14 16:23:14 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Feb 14 16:23:28 2008
Subject: Question for the Experts
In-Reply-To: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
Message-ID: <1203006194.7860.31.camel@gblades-suse.linguaphone-intranet.co.uk>

Configure the firewall on serverA to only accept connections on port 25 coming from serverB

On Thu, 2008-02-14 at 16:12, Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx
> = serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which
> relays it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to
> my ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one)
> So it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

From Kevin.Murphy at midland-ics.ie Thu Feb 14 16:30:16 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Thu Feb 14 16:24:00 2008
Subject: Question for the Experts
In-Reply-To: <47B467DB.10204@rma.edu>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie>
 <47B467DB.10204@rma.edu>
Message-ID: <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie>

Hi Brendan

I cannot firewall port 25, as it receives mail for many other Domains.
Thanks

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan Pirie
Sent: 14 February 2008 16:10
To: MailScanner discussion
Subject: Re: Question for the Experts

I just went through a similar process here. I firewalled port 25 on ServerA so ServerA could only receive email from ServerB.

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx =
> serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
> it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to my
> ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

From Kevin.Murphy at midland-ics.ie Thu Feb 14 16:31:53 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Thu Feb 14 16:25:35 2008
Subject: Question for the Experts
In-Reply-To: <47B468A1.2000800@slackadelic.com>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com>
Message-ID: <009401c86f27$1bd4d5c0$537e8140$@Murphy@midland-ics.ie>

Right - It's a sendmail issue so
Ok thanks for pointing this out

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hayes
Sent: 14 February 2008 16:13
To: MailScanner discussion
Subject: Re: Question for the Experts

Kevin MURPHY wrote:
> Dear all
>
> I recently made some changes to a domain's mx record. It used to be, mx =
> serverA, which relays clean mail to Exchange Server
>
> Because this domain was really getting hammered, I moved it to a more
> powerful spam filtering server.
>
> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
> it to the Exchange Server.
>
> My Problem now is that some spammers are still sending mail direct to my
> ServerA for this Domain.
>
> So I am looking at a way to configure the ServerA, so it only accepts
> mail for this domain if it comes from server (The more powerful one) So
> it drops the spammers on ServerA
>
> Thanks
>
> Kevin
>

Kevin,

This would more than likely be something you would have to configure at
your MTA level and not within MailScanner itself.

-Matt

From bpirie at rma.edu Thu Feb 14 16:44:54 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Feb 14 16:44:52 2008
Subject: Question for the Experts
In-Reply-To: <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B467DB.10204@rma.edu> <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie>
Message-ID: <47B47006.6000909@rma.edu>

Are you saying ServerA is no longer the MX for this particular domain,
but it is still the MX for several other domains?

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Hi Brendan
> I cannot firewall port 25, as it receives mail for many other Domains.
> Thanks
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan
> Pirie
> Sent: 14 February 2008 16:10
> To: MailScanner discussion
> Subject: Re: Question for the Experts
>
> I just went through a similar process here. I firewalled port 25 on
> ServerA so ServerA could only receive email from ServerB.
>
> Brendan Pirie
> Manager of Information Technology
> Randolph-Macon Academy
> bpirie@rma.edu
>
> Kevin MURPHY wrote:
>> Dear all
>>
>> I recently made some changes to a domain's mx record. It used to be, mx =
>> serverA, which relays clean mail to Exchange Server
>>
>> Because this domain was really getting hammered, I moved it to a more
>> powerful spam filtering server.
>>
>> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
>> it to the Exchange Server.
>>
>> My Problem now is that some spammers are still sending mail direct to my
>> ServerA for this Domain.
>>
>> So I am looking at a way to configure the ServerA, so it only accepts
>> mail for this domain if it comes from server (The more powerful one) So
>> it drops the spammers on ServerA
>>
>> Thanks
>>
>> Kevin
>>
>

From Kevin.Murphy at midland-ics.ie Thu Feb 14 16:58:28 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Thu Feb 14 16:52:11 2008
Subject: Question for the Experts
In-Reply-To: <47B47006.6000909@rma.edu>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B467DB.10204@rma.edu> <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie> <47B47006.6000909@rma.edu>
Message-ID: <00a001c86f2a$d2b165d0$78143170$@Murphy@midland-ics.ie>

Yeah that's the scenario.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan Pirie
Sent: 14 February 2008 16:45
To: MailScanner discussion
Subject: Re: Question for the Experts

Are you saying ServerA is no longer the MX for this particular domain,
but it is still the MX for several other domains?

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Hi Brendan
> I cannot firewall port 25, as it receives mail for many other Domains.
> Thanks
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan
> Pirie
> Sent: 14 February 2008 16:10
> To: MailScanner discussion
> Subject: Re: Question for the Experts
>
> I just went through a similar process here. I firewalled port 25 on
> ServerA so ServerA could only receive email from ServerB.
>
> Brendan Pirie
> Manager of Information Technology
> Randolph-Macon Academy
> bpirie@rma.edu
>
> Kevin MURPHY wrote:
>> Dear all
>>
>> I recently made some changes to a domain's mx record. It used to be, mx =
>> serverA, which relays clean mail to Exchange Server
>>
>> Because this domain was really getting hammered, I moved it to a more
>> powerful spam filtering server.
>>
>> MX Record is now ServerB, which fwds clean mail to ServerA, which relays
>> it to the Exchange Server.
>>
>> My Problem now is that some spammers are still sending mail direct to my
>> ServerA for this Domain.
>>
>> So I am looking at a way to configure the ServerA, so it only accepts
>> mail for this domain if it comes from server (The more powerful one) So
>> it drops the spammers on ServerA
>>
>> Thanks
>>
>> Kevin
>>
>

From ugob at lubik.ca Thu Feb 14 17:26:27 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Thu Feb 14 17:27:06 2008
Subject: Question for the Experts
In-Reply-To: <45354.7920370058$1203007154@news.gmane.org>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org>
Message-ID:

Kevin MURPHY wrote:
> Right - It's a sendmail issue so
> Ok thanks for pointing this out

This should be solved with a sendmail ruleset. I wouldn't know how to
write it, though. Maybe ask fsl? www.fsl.com.

Regards,

Ugo

From shuttlebox at gmail.com Thu Feb 14 17:28:51 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Feb 14 17:29:00 2008
Subject: Question for the Experts
In-Reply-To: <4250301665523923982@unknownmsgid>
References: <47B467DB.10204@rma.edu> <47B47006.6000909@rma.edu> <4250301665523923982@unknownmsgid>
Message-ID: <625385e30802140928x38246a0fr40b910b0d3ffcbc5@mail.gmail.com>

On Thu, Feb 14, 2008 at 5:58 PM, Kevin MURPHY wrote:
> Yeah that's the scenario.

But if it's not an official server for that domain anymore it
shouldn't be configured as one either and therefore reject all attempts
to send mail to that domain through it. Sorry if I missed something
from your earlier posts.

-- 
/peter

From mkercher at nfsmith.com Thu Feb 14 17:42:28 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Feb 14 17:42:51 2008
Subject: Question for the Experts
In-Reply-To: <00a001c86f2a$d2b165d0$78143170$@Murphy@midland-ics.ie>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B467DB.10204@rma.edu> <009301c86f26$e273f630$a75be290$@Murphy@midland-ics.ie><47B47006.6000909@rma.edu> <00a001c86f2a$d2b165d0$78143170$@Murphy@midland-ics.ie>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F7750E4@HOUPEX01.nfsmith.info>

Give Server A its own IP address and firewall that single IP to accept
SMTP from Server B only. Then, you can allow all SMTP to the other IP
address(es) on Server A.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin MURPHY
Sent: Thursday, February 14, 2008 10:58 AM
To: 'MailScanner discussion'
Subject: RE: Question for the Experts

Yeah that's the scenario.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan Pirie
Sent: 14 February 2008 16:45
To: MailScanner discussion
Subject: Re: Question for the Experts

Are you saying ServerA is no longer the MX for this particular domain,
but it is still the MX for several other domains?

Brendan Pirie
Manager of Information Technology
Randolph-Macon Academy
bpirie@rma.edu

Kevin MURPHY wrote:
> Hi Brendan
> I cannot firewall port 25, as it receives mail for many other Domains.
> Thanks
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Brendan Pirie
> Sent: 14 February 2008 16:10
> To: MailScanner discussion
> Subject: Re: Question for the Experts
>
> I just went through a similar process here. I firewalled port 25 on
> ServerA so ServerA could only receive email from ServerB.
>
> Brendan Pirie
> Manager of Information Technology
> Randolph-Macon Academy
> bpirie@rma.edu
>
> Kevin MURPHY wrote:
>> Dear all
>>
>> I recently made some changes to a domain's mx record. It used to be, mx
>> = serverA, which relays clean mail to Exchange Server
>>
>> Because this domain was really getting hammered, I moved it to a more
>> powerful spam filtering server.
>>
>> MX Record is now ServerB, which fwds clean mail to ServerA, which
>> relays it to the Exchange Server.
>>
>> My Problem now is that some spammers are still sending mail direct to
>> my ServerA for this Domain.
>>
>> So I am looking at a way to configure the ServerA, so it only accepts
>> mail for this domain if it comes from server (The more powerful one)
>> So it drops the spammers on ServerA
>>
>> Thanks
>>
>> Kevin
>>
>

From ssilva at sgvwater.com Thu Feb 14 18:38:25 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 14 18:38:45 2008
Subject: Question for the Experts
In-Reply-To:
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org>
Message-ID:

on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
> Kevin MURPHY wrote:
>> Right - It's a sendmail issue so
>> Ok thanks for pointing this out
>
> This should be solved with a sendmail ruleset. I wouldn't know how to
> write it, though. Maybe ask fsl? www.fsl.com.
>
> Regards,
>
> Ugo
>

If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
and remake the access file.
Or you can change reject to discard if you want it silently dropped.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkercher at nfsmith.com Thu Feb 14 18:44:33 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Feb 14 18:44:55 2008
Subject: Question for the Experts
In-Reply-To:
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info>

-----Original Message-----

on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
> Kevin MURPHY wrote:
>> Right - It's a sendmail issue so
>> Ok thanks for pointing this out
>
> This should be solved with a sendmail ruleset. I wouldn't know how to
> write it, though. Maybe ask fsl? www.fsl.com.
>
> Regards,
>
> Ugo
>

If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
and remake the access file.
Or you can change reject to discard if you want it silently dropped.

--

I think that would reject/discard the emails from Server B as well.

Mike

From glenn.steen at gmail.com Thu Feb 14 19:55:41 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 14 19:55:50 2008
Subject: Question for the Experts
In-Reply-To:
References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org>
Message-ID: <223f97700802141155w1d8bc445pbf9a48fc57d86fa4@mail.gmail.com>

On 14/02/2008, Scott Silva wrote:
> on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
>
> > Kevin MURPHY wrote:
> >> Right - It's a sendmail issue so
> >> Ok thanks for pointing this out
> >
> > This should be solved with a sendmail ruleset. I wouldn't know how to
> > write it, though. Maybe ask fsl? www.fsl.com.
> >
> > Regards,
> >
> > Ugo
> >
>
> If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
> and remake the access file.
> Or you can change reject to discard if you want it silently dropped.
>

Not being a Sendmail chap at all.... Couldn't one (in the same access
file on serverA) explicitly accept serverB to the specific domain and
REJECT the rest? Surely should be possible...?

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From richard.frovarp at sendit.nodak.edu Thu Feb 14 19:59:36 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Feb 14 19:59:47 2008
Subject: Question for the Experts
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info>
References: <006e01c86f24$56c27730$04476590$@Murphy@midland-ics.ie> <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info>
Message-ID: <47B49DA8.8080401@sendit.nodak.edu>

Mike Kercher wrote:
>
> -----Original Message-----
>
> on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
>
>> Kevin MURPHY wrote:
>>
>>> Right - It's a sendmail issue so
>>> Ok thanks for pointing this out
>>>
>> This should be solved with a sendmail ruleset. I wouldn't know how to
>> write it, though. Maybe ask fsl? www.fsl.com.
>>
>> Regards,
>>
>> Ugo
>>
> If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
> and remake the access file.
> Or you can change reject to discard if you want it silently dropped.
>
> --
>
> I think that would reject/discard the emails from Server B as well.
>
> Mike

Why not just have Server B pass the message onto Exchange? Seems like a
waste to pass it onto a middle man.
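
Added example (not from any poster in this thread): a small first-match policy model that checks the ServerA options raised above against the three outcomes Kevin asks for. It models the intended policy only, not sendmail's access-map lookup order; the addresses, `example.net`, `other.example` and all function names are constructed for illustration.

```python
"""Added example: compare the ServerA acceptance policies discussed in the thread.

A first-match policy model only; it does not reproduce sendmail's access-map
lookup order. Addresses and domains below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SERVER_B = "198.51.100.5"   # assumption: address ServerB sends from
PROTECTED = "example.net"   # assumption: the domain whose MX moved to ServerB


@dataclass(frozen=True)
class Rule:
    action: str                         # "ACCEPT" or "REJECT"
    client: Optional[str] = None        # IP or CIDR; None matches any client
    rcpt_domain: Optional[str] = None   # None matches any recipient domain

    def matches(self, client_ip: str, rcpt: str) -> bool:
        if self.client is not None:
            if ip_address(client_ip) not in ip_network(self.client, strict=False):
                return False
        if self.rcpt_domain is not None:
            if rcpt.rsplit("@", 1)[-1].lower() != self.rcpt_domain.lower():
                return False
        return True


def decide(rules: List[Rule], client_ip: str, rcpt: str, default: str = "ACCEPT") -> str:
    """First matching rule wins; with no match the default applies."""
    for rule in rules:
        if rule.matches(client_ip, rcpt):
            return rule.action
    return default


# Candidate policies, named after the suggestion each one models.
POLICIES = {
    # Firewall port 25 so that only ServerB can connect at all.
    "firewall_all_smtp": [Rule("ACCEPT", client=SERVER_B), Rule("REJECT")],
    # Recipient-only rule: reject the domain no matter who connects.
    "reject_recipient_domain": [Rule("REJECT", rcpt_domain=PROTECTED)],
    # Accept ServerB for the domain first, then reject everyone else for it.
    "serverb_exception_first": [
        Rule("ACCEPT", client=SERVER_B, rcpt_domain=PROTECTED),
        Rule("REJECT", rcpt_domain=PROTECTED),
    ],
    # Same two rules reversed: the exception can never be reached.
    "serverb_exception_last": [
        Rule("REJECT", rcpt_domain=PROTECTED),
        Rule("ACCEPT", client=SERVER_B, rcpt_domain=PROTECTED),
    ],
}

# Constructed SMTP attempts: (client IP, recipient, outcome the thread asks for).
CASES: List[Tuple[str, str, str]] = [
    (SERVER_B, "user@example.net", "ACCEPT"),          # clean mail forwarded by ServerB
    ("203.0.113.77", "user@example.net", "REJECT"),    # sender going direct to ServerA
    ("203.0.113.77", "user@other.example", "ACCEPT"),  # ServerA is still MX for other domains
]


def failures(rules: List[Rule]) -> List[Tuple[str, str, str, str]]:
    """Return (client, rcpt, wanted, got) for every case the policy gets wrong."""
    wrong = []
    for client_ip, rcpt, wanted in CASES:
        got = decide(rules, client_ip, rcpt)
        if got != wanted:
            wrong.append((client_ip, rcpt, wanted, got))
    return wrong


if __name__ == "__main__":
    for name, rules in POLICIES.items():
        bad = failures(rules)
        print(f"{name}: {'meets all three cases' if not bad else 'fails'}")
        for client_ip, rcpt, wanted, got in bad:
            print(f"    {client_ip} -> {rcpt}: wanted {wanted}, got {got}")
```

Whatever mechanism ends up enforcing the policy on ServerA, the same three connection attempts make a useful acceptance test after the change.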

From glenn.steen at gmail.com Thu Feb 14 20:19:03 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 14 20:19:14 2008
Subject: Question for the Experts
In-Reply-To: <47B49DA8.8080401@sendit.nodak.edu>
References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu>
Message-ID: <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com>

On 14/02/2008, Richard Frovarp wrote:
> Mike Kercher wrote:
> >
> > -----Original Message-----
> >
> > on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
> >
> >> Kevin MURPHY wrote:
> >>
> >>> Right - It's a sendmail issue so
> >>> Ok thanks for pointing this out
> >>>
> >> This should be solved with a sendmail ruleset. I wouldn't know how to
> >> write it, though. Maybe ask fsl? www.fsl.com.
> >>
> >> Regards,
> >>
> >> Ugo
> >>
> > If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
> > and remake the access file.
> > Or you can change reject to discard if you want it silently dropped.
> >
> > --
> >
> > I think that would reject/discard the emails from Server B as well.
> >
> > Mike
>
> Why not just have Server B pass the message onto Exchange? Seems like a
> waste to pass it onto a middle man.
>

I agree in principle... but Kevin might have... topological
considerations.... we're not aware of:-).

Since I'm no guru on the access file of Sendmail, I did some googling
and found this very friendly (albeit long) article that might be a
help: http://blue-labs.org/howto/access_hints.php ... If I'm not
mistaken, one could have something like

To:example.net REJECT
[IP.of.server.B] RELAY

... in the access file on serverA, and then (since the IP thing should
be more specific(?)) example.net relayed from serverB should get
through.... but nothing else.

The big disclaimer here is that what I remember of Sendmail is ...
easily enumerated:-).
I know this could be done with Postfix access though;-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mark at msapiro.net Fri Feb 15 02:55:52 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 15 02:56:12 2008
Subject: Mailscanner generated duplicate message.
In-Reply-To: <223f97700801240433h7d52ba68xe374d5efe7cdc1e4@mail.gmail.com>
Message-ID:

Glenn Steen wrote on Thu Jan 24 12:33:45 2008

>On 24/12/2007, Mark Sapiro wrote:
>>
>> The nature of the server is that outgoing mail is virtually all Mailman
>> list posts or forwards of mail, all of which was scanned on the way in.
>> I would just as soon not have Postfix hold mail from localhost at all,
>> but I haven't figured out how to do that.
>>
>Bypassing MailScanner for outgoing mail is easily done... All you need
>is an smtpd listening on another port .... and have that smtpd _not_
>use the header_check... Then see to it that mailman use that port to
>submit mails... Set SMTPPORT in your config, IIRC... There are some
>examples littering the net, on how to setup a "secondary" smtpd
>listener, and you usually have a stub in your master.cf ... Also look
>at the wiki, I have some howto there where I use a trick like that to
>do multi-recipient splitting (one mail/recipient, so that MailScanner
>rules don't work on just the first recipient...). Or give a holler and
>I'll dig something out.

Glenn,

I've been away for a while; thus the delayed response.

Thank you for the above advice. It's very helpful.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B.
Dylan

From mark at msapiro.net Fri Feb 15 03:23:42 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 15 03:23:54 2008
Subject: Mailscanner generated duplicate message
In-Reply-To:
Message-ID:

Alex Neuman wrote:
>
>On Feb 8, 2008, at 2:02 PM, Glenn Steen wrote:
>
>> When using Postfix and setting Scan Messages = no (with a ruleset, for
>> some....), duplicates are "generated" by several MailScanner children
>> picking up and delivering the same message. It seems to be something
>> to do with timing, since not all generate this behavior, but rather
>> under heavy load (as in situations where some form of mailing list or
>> bulk mailer (presumably a legit newsletter) send large amounts of
>> messages at once).
>
>Could you reproduce the opposite of this behaviour by using "max
>children = 0"?

Sorry for being absent from this thread. I was away and set my
subscription to nomail, and hadn't bothered to look at the archives. My
bad.

Anyway, In my case, on Jan 3, I set "Max Children = 2". It had been 5. I
saw no more dups until one on Jan 19. I then set "Max Children = 1" and
have seen no further dups. I expect that I would never see any dups of
this kind when "Max Children = 1", since dups apparently only occurred
when two separate children picked up the same entry.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Fri Feb 15 03:25:58 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 15 03:26:12 2008
Subject: Mailscanner generated duplicate message
In-Reply-To: <47B3751B.90001@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>
>I have just released a new beta 4.67.4 to attempt to fix this problem.
>It's very awkward to find, as it only occurs on busy systems. I have
>found a possible reason and have fixed that.
>
>Please can you give this new version a try and let me know if it helps
>solve the duplication problem at all.

I will try to install this beta within the next few days and set "Max
Children = 5" again and see what happens.

Thanks.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Fri Feb 15 04:44:10 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Feb 15 04:44:22 2008
Subject: Mailscanner generated duplicate message
In-Reply-To:
Message-ID:

Mark Sapiro wrote:
>Julian Field wrote:
>>
>>I have just released a new beta 4.67.4 to attempt to fix this problem.
>>It's very awkward to find, as it only occurs on busy systems. I have
>>found a possible reason and have fixed that.
>>
>>Please can you give this new version a try and let me know if it helps
>>solve the duplication problem at all.
>
>
>I will try to install this beta within the next few days and set "Max
>Children = 5" again and see what happens.

I'm ahead of schedule. I've just installed the 4.67.4 beta and set Max
Children = 5. I'll be monitoring my logs for dups. I'll post my findings
to the list.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From uxbod at splatnix.net Fri Feb 15 09:24:34 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 09:24:51 2008
Subject: MS hanging and 100% CPU
Message-ID: <12733159.51203067474144.JavaMail.root@office.splatnix.net>

Hi Jules,

I am back home now so can take a look a bit deeper at my problem. Any thoughts on what to look at first ?

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From alxfrag at gmail.com Fri Feb 15 09:31:34 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 09:31:43 2008
Subject: Mailscanner warnings
In-Reply-To: <47B44A78.7080407@ecs.soton.ac.uk>
References: <47B3FE66.9050504@gmail.com> <47B44A78.7080407@ecs.soton.ac.uk>
Message-ID: <47B55BF6.2010708@gmail.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What does
> MailScanner --lint
> say?
>
> AlxFrag wrote:
>
>> Hi,
>>
>> I'm using mailscanner v. 4.66.5-3. My log file is full of warnings
>> like shown below:
>>
>> Feb 14 10:36:45 posidon MailScanner[27874]: Virus and Content Scanning: Starting
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unzip
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --jar
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tar
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tgz
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --deb
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --max-ratio
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tempdir
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --recursive (-r)
>> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unrar
>>
>>
>> Is there any way I can stop that?
>>
>> Thanks,
>>
>> Alex
>>
>
> Jules
>
> - --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.8.0 (Build 2158)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFHtEtpEfZZRxQVtlQRAkhlAJ9Of82becRsHgDMmWrVyfvJaVFuOACdFnhK
> 3Hg59laQALA1YGkA4DDZoVc=
> =lWdI
> -----END PGP SIGNATURE-----
>
>

where should I give

MailScanner --lint?

:)

From martinh at solidstatelogic.com Fri Feb 15 09:41:47 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 09:42:04 2008
Subject: Mailscanner warnings
In-Reply-To: <47B55BF6.2010708@gmail.com>
Message-ID: <08c83b70917ecd41bbddb1774ccbedfa@solidstatelogic.com>

Hi

Looks like mailscanner is sending parameters to clamscan that it doesn't understand.

You may wish to switch to clamd or clammodule as a faster alternative which should also solve this problem.

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 15 February 2008 09:32
> To: MailScanner discussion
> Subject: Re: Mailscanner warnings
>
> Julian Field wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What does
> MailScanner --lint
> say?
>
> AlxFrag wrote:
>
>
> Hi,
>
> I'm using mailscanner v. 4.66.5-3.
> My log file is full of warnings
> like shown below:
>
> Feb 14 10:36:45 posidon MailScanner[27874]: Virus and Content Scanning: Starting
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unzip
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --jar
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tar
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tgz
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --deb
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --max-ratio
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --tempdir
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --recursive (-r)
> Feb 14 10:36:45 posidon MailScanner[27874]: WARNING: Ignoring option --unrar
>
>
> Is there any way I can stop that?
>
> Thanks,
>
> Alex
>
>
>
> Jules
>
> - --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.8.0 (Build 2158)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFHtEtpEfZZRxQVtlQRAkhlAJ9Of82becRsHgDMmWrVyfvJaVFuOACdFnhK
> 3Hg59laQALA1YGkA4DDZoVc=
> =lWdI
> -----END PGP SIGNATURE-----
>
>
>
> where should I give
>
> MailScanner --lint?
>
> :)

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone.
Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From uxbod at splatnix.net Fri Feb 15 09:42:01 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 09:43:24 2008 Subject: Mailscanner warnings In-Reply-To: <47B55BF6.2010708@gmail.com> Message-ID: <5190593.01203068521399.JavaMail.root@office.splatnix.net> yes Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "AlxFrag" wrote: > Julian Field wrote: From alxfrag at gmail.com Fri Feb 15 09:46:26 2008 From: alxfrag at gmail.com (AlxFrag) Date: Fri Feb 15 09:46:35 2008 Subject: Mailscanner warnings In-Reply-To: <08c83b70917ecd41bbddb1774ccbedfa@solidstatelogic.com> References: <08c83b70917ecd41bbddb1774ccbedfa@solidstatelogic.com> Message-ID: <47B55F72.5050705@gmail.com> Martin.Hepworth wrote: > Hi > > Looks like mailscanner is sending parameters the clamscan it doesn't understand. 
>
> You may wish to switch to clamd or clammodule as a faster alternative which should also solve this problem.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

i'm using clamd.

Regards,
Alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/dc95a309/attachment.html

From martinh at solidstatelogic.com Fri Feb 15 10:06:01 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 10:06:16 2008
Subject: Mailscanner warnings
In-Reply-To: <47B55F72.5050705@gmail.com>
Message-ID: <03035c2c26161f45a425d72397088fc1@solidstatelogic.com>

Alex

Sounds like clamd's not happy with the 'normal' parameter list of things to scan.

What happens if you call

clamd --tar

from the command line?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 15 February 2008 09:46
> To: MailScanner discussion
> Subject: Re: Mailscanner warnings
>
> i'm using clamd.
>
> Regards,
> Alex

From alxfrag at gmail.com Fri Feb 15 10:11:36 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 10:11:43 2008
Subject: Mailscanner warnings
In-Reply-To: <03035c2c26161f45a425d72397088fc1@solidstatelogic.com>
References: <03035c2c26161f45a425d72397088fc1@solidstatelogic.com>
Message-ID: <47B56558.5060301@gmail.com>

It says:

/usr/local/sbin/clamd: unrecognized option `--tar'
ERROR: Unknown option passed.
ERROR: Can't parse the command line

Martin.Hepworth wrote:
> Alex
>
> Sounds like clamd's not happy with the 'normal' parameter list of things to scan.
>
> What happens if you call
>
> clamd --tar
>
> from the command line?
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/5359a5a2/attachment.html

From uxbod at splatnix.net Fri Feb 15 10:13:44 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 10:13:57 2008
Subject: Mailscanner warnings
In-Reply-To: <47B56558.5060301@gmail.com>
Message-ID: <3460604.31203070424335.JavaMail.root@office.splatnix.net>

clamd --version ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "AlxFrag" wrote:
> It says:
>
> /usr/local/sbin/clamd: unrecognized option `--tar'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
>
> Martin.Hepworth wrote:
>
> Alex
>
> Sounds like clamd's not happy with the 'normal' parameter list of things to scan.
>
> What happens if you call
>
> clamd --tar
>
> from the command line?

From alxfrag at gmail.com Fri Feb 15 10:18:49 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 10:19:10 2008
Subject: Mailscanner warnings
In-Reply-To: <3460604.31203070424335.JavaMail.root@office.splatnix.net>
References: <3460604.31203070424335.JavaMail.root@office.splatnix.net>
Message-ID: <47B56709.5070003@gmail.com>

--[ UxBoD ]-- wrote:
> clamd --version ?
>
> Regards,
>

ClamAV 0.91.2/5829/Fri Feb 15 06:00:17 2008

From Kevin.Murphy at midland-ics.ie Fri Feb 15 10:26:14 2008
From: Kevin.Murphy at midland-ics.ie (Kevin MURPHY)
Date: Fri Feb 15 10:19:58 2008
Subject: Question for the Experts
In-Reply-To: <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com>
References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu> <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com>
Message-ID: <010701c86fbd$31a33220$94e99660$@Murphy@midland-ics.ie>

Hi Everyone

Thanks for so many replies. It's the first time I have used this list and it's really great to see how the community helps each other.

Glen - I have tried that access file REJECT , but it rejects all mail even from server

To:domain.com REJECT [IP Address of Server B] RELAY

----- Transcript of session follows -----
... while talking to serverA:
>>> DATA
<<< 553 5.3.0 ... REJECT[IPADDRESS SERVER B]RELAY
550 5.1.1 ... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

Regards

Kevin

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 14 February 2008 20:19
To: MailScanner discussion
Subject: Re: Question for the Experts

On 14/02/2008, Richard Frovarp wrote:
> Mike Kercher wrote:
> >
> > -----Original Message-----
> >
> > on 2/14/2008 9:26 AM Ugo Bellavance spake the following:
> >
> >> Kevin MURPHY wrote:
> >>
> >>> Right - It's a sendmail issue so
> >>> Ok thanks for pointing this out
> >>>
> >> This should be solved with a sendmail ruleset. I wouldn't know how to
> >> write it, though. Maybe ask fsl? www.fsl.com.
> >>
> >> Regards,
> >>
> >> Ugo
> >>
> > If I remember right, in /etc/mail/access add "To:blocked_domain REJECT"
> > and remake the access file.
> > Or you can change reject to discard if you want it silently dropped.
> >
> > --
> >
> > I think that would reject/discard the emails from Server B as well.
> >
> > Mike
>
> Why not just have Server B pass the message onto Exchange? Seems like a
> waste to pass it onto a middle man.
>
I agree in principle... but Kevin might have... topological considerations.... we're not aware of:-).
Since I'm no guru on the access file of Sendmail, I did some googling and found this very friendly (albeit long) article that might be a help: http://blue-labs.org/howto/access_hints.php ...
If I'm not mistaken, one could have something like
To:example.net REJECT [IP.of.server.B] RELAY
... in the access file on serverA, and then (since the IP thing should be more specific(?)) example.net relayed from serverB should get through.... but nothing else.
The big disclaimer here is that what I remember of Sendmail is ... easily enumerated:-). I know this could be done with Postfix access though;-).
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

From martinh at solidstatelogic.com Fri Feb 15 10:21:26 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 10:21:42 2008
Subject: Mailscanner warnings
In-Reply-To: <47B56558.5060301@gmail.com>
Message-ID: <30df0b68ecefe142b3acf274bff3b315@solidstatelogic.com>

OK I'm getting confused....

In MailScanner.conf what have you got set for "Virus Scanners"???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 15 February 2008 10:12
> To: MailScanner discussion
> Subject: Re: Mailscanner warnings
>
> It says:
>
> /usr/local/sbin/clamd: unrecognized option `--tar'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line

From uxbod at splatnix.net Fri Feb 15 10:29:03 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 10:29:16 2008
Subject: Mailscanner warnings
In-Reply-To: <47B56709.5070003@gmail.com>
Message-ID: <33275.61203071343873.JavaMail.root@office.splatnix.net>

would you please run the MailScanner --lint

it will either be in /usr/sbin or /usr/local/bin and both should be in your path anyway.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "AlxFrag" wrote:

--[ UxBoD ]-- wrote:
> clamd --version ?
>
> Regards,
>

ClamAV 0.91.2/5829/Fri Feb 15 06:00:17 2008

From alxfrag at gmail.com Fri Feb 15 10:42:48 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 10:42:58 2008
Subject: Mailscanner warnings
In-Reply-To: <33275.61203071343873.JavaMail.root@office.splatnix.net>
References: <33275.61203071343873.JavaMail.root@office.splatnix.net>
Message-ID: <47B56CA8.8090501@gmail.com>

--[ UxBoD ]-- wrote:
> would you please run the MailScanner --lint
>
> it will either be in /usr/sbin or /usr/local/bin and both should be in your path anyway.
>
> Regards,
>

Read 817 hostnames from the phishing whitelist
MailScanner setting GID to (1002)
MailScanner setting UID to (1004)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied
bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied
bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied
SpamAssassin reported an error.
Using locktype = flock
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav

From uxbod at splatnix.net Fri Feb 15 10:49:17 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 10:49:30 2008
Subject: Mailscanner warnings
In-Reply-To: <47B56CA8.8090501@gmail.com>
Message-ID: <374929.91203072557945.JavaMail.root@office.splatnix.net>

change Virus Scanners to clamd instead of clamav

Regards,

--
--[ UxBoD ]--

From martinh at solidstatelogic.com Fri Feb 15 10:50:05 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 10:50:40 2008
Subject: Mailscanner warnings
In-Reply-To: <47B56CA8.8090501@gmail.com>
Message-ID: <29f56b3dcdc4e44987b8b6cb1a0715a2@solidstatelogic.com>

Ah there you go..

Change the Virus Scanners to

Virus Scanners = clamd

And make sure the clamd settings are sensible further down the file.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 15 February 2008 10:43
> To: MailScanner discussion
> Subject: Re: Mailscanner warnings
>
> --[ UxBoD ]-- wrote:
> > would you please run the MailScanner --lint
> >
> > it will either be in /usr/sbin or /usr/local/bin and both should be in your path anyway.
From uxbod at splatnix.net Fri Feb 15 10:52:41 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 10:52:53 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <1433407.241202983634886.JavaMail.root@office.splatnix.net>
Message-ID: <17712783.121203072761250.JavaMail.root@office.splatnix.net>

Man this is doing my head in :( Have checked all the directories and the permissions are just fine. It seems that only the header is being extracted from the emails, and not the message body at all.

Perhaps my MIME::Tools is corrupt ? But I have downloaded the latest MS and recompiled everything.

Regards,

--
--[ UxBoD ]--

----- "--[ UxBoD ]--" wrote:

> Hi Glenn,
>
> pf logs are fine, I even ran a postfix check and set-permissions just
> in case. Three messages are in the queue and are about 2k in size
> each. I even dropped the tmpfs and ran it directly to the file
> system. No change.
>
> For the time being I am routing messages directly, as the PostFix
> checks are blocking most things. I will take a deeper look at it this
> evening when I am back home.
>
> Any other suggestions are greatly appreciated. Any other ways I can
> debug the code Jules to find where it is stalling ?
>
> Regards,

From alxfrag at gmail.com Fri Feb 15 11:11:42 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 11:11:44 2008
Subject: Mailscanner warnings
In-Reply-To: <29f56b3dcdc4e44987b8b6cb1a0715a2@solidstatelogic.com>
References: <29f56b3dcdc4e44987b8b6cb1a0715a2@solidstatelogic.com>
Message-ID: <47B5736E.8030007@gmail.com>

Martin.Hepworth wrote:
> Ah there you go..
>
> Change the Virus Scanners to
>
> Virus Scanners = clamd
>
> And make sure the clamd settings are sensible further down the file.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

This gives the error:

Feb 15 12:58:25 hermes MailScanner[6535]: Virus scanner "clamd" not found in virus.scanners.conf file. Please check your spelling in "Virus Scanners =" line of MailScanner.conf

It must be clamd running because in etc/local/clamd.conf i have:

LocalSocket /tmp/clamd

Also, if i type ps -A i get:

2319 ? 00:36:32 clamd

Regards

From martinh at solidstatelogic.com Fri Feb 15 11:19:41 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 11:19:58 2008
Subject: Mailscanner warnings
In-Reply-To: <47B5736E.8030007@gmail.com>
Message-ID: <4e78482ecb82a745835658b53c352ed1@solidstatelogic.com>
Hmm looks there's a problem with the install then. Is this a fresh install or upgrade from an earlier version, as the clamd info in virus.scanners.conf has been present for quite a few releases now.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From uxbod at splatnix.net Fri Feb 15 11:33:03 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Feb 15 11:33:17 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <17712783.121203072761250.JavaMail.root@office.splatnix.net>
Message-ID: <27966505.151203075183846.JavaMail.root@office.splatnix.net>

What I think is happening is that due to the message body not being there, MS is getting itself into a loop trying to read to the end of the file.

still does not answer why the body is not being extracted :(

Regards,

--
--[ UxBoD ]--

----- "--[ UxBoD ]--" wrote:

> Man this is doing my head in :( Have checked all the directories and
> the permissions are just fine. It seems that only the header is being
> extracted from the emails, and not the message body at all.
>
> Perhaps my MIME::Tools is corrupt ? But I have downloaded the latest MS
> and recompiled everything.
>
> Regards,

From alxfrag at gmail.com Fri Feb 15 11:39:18 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 11:39:21 2008
Subject: Mailscanner warnings
In-Reply-To: <4e78482ecb82a745835658b53c352ed1@solidstatelogic.com>
References: <4e78482ecb82a745835658b53c352ed1@solidstatelogic.com>
Message-ID: <47B579E6.8090602@gmail.com>

Martin.Hepworth wrote:
> Hmm looks there's a problem with the install then. Is this a fresh install or upgrade from an earlier version, as the clamd info in virus.scanners.conf has been present for quite a few releases now.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

it's a fresh install.

I have two machines running Mailscanner. The first uses the version 4.57.6 while the second one uses 4.66.5.
Both show the warnings in the log file.

From martinh at solidstatelogic.com Fri Feb 15 11:48:06 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 11:48:25 2008
Subject: Mailscanner warnings
In-Reply-To: <47B579E6.8090602@gmail.com>
Message-ID: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com>
> it's a fresh install.
>
> I have two machines running Mailscanner. The first uses the version 4.57.6
> while the second one uses 4.66.5.
> Both show the warnings in the log file.

Hmm what does virus.scanners.conf say for the clamd line??

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Fri Feb 15 11:56:28 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Feb 15 11:56:44 2008
Subject: Mailscanner warnings
In-Reply-To: <47B579E6.8090602@gmail.com>
Message-ID:

Also

The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of AlxFrag
> Sent: 15 February 2008 11:39
> To: MailScanner discussion
> Subject: Re: Mailscanner warnings
>
> Martin.Hepworth wrote:
>
> it's a fresh install.
>
> I have two machines running Mailscanner. The first uses the version 4.57.6
> while the second one uses 4.66.5.
> Both show the warnings in the log file.
From glenn.steen at gmail.com Fri Feb 15 11:59:00 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 15 11:59:11 2008
Subject: Mailscanner generated duplicate message
In-Reply-To:
References:
Message-ID: <223f97700802150359p23a75cb5o8edbfe1d44ab459e@mail.gmail.com>

On 15/02/2008, Mark Sapiro wrote:
> Mark Sapiro wrote:
>
> >Julian Field wrote:
> >>
> >>I have just released a new beta 4.67.4 to attempt to fix this problem.
> >>It's very awkward to find, as it only occurs on busy systems. I have
> >>found a possible reason and have fixed that.
> >>
> >>Please can you give this new version a try and let me know if it helps
> >>solve the duplication problem at all.
> >
> >
> >I will try to install this beta within the next few days and set "Max
> >Children = 5" again and see what happens.
> >
>
> I'm ahead of schedule. I've just installed the 4.67.4 beta and set Max
> Children = 5.
>
> I'll be monitoring my logs for dups. I'll post my findings to the list.
>

Thanks a bundle, Mark!

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Feb 15 12:00:48 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 15 12:00:58 2008
Subject: MailScanner consuming 100% CPU
In-Reply-To: <27966505.151203075183846.JavaMail.root@office.splatnix.net>
References: <17712783.121203072761250.JavaMail.root@office.splatnix.net> <27966505.151203075183846.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700802150400o254ab926u43fa48c247bb26ae@mail.gmail.com>

On 15/02/2008, --[ UxBoD ]-- wrote:
> What I think is happening is that due to the message body not being there, MS is getting itself into a loop trying to read to the end of the file.
>
> still does not answer why the body is not being extracted :(
>
>
> Regards,
>

Have you enabled any milters in PF lately? Like ... dkim-milter?:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alxfrag at gmail.com Fri Feb 15 12:08:54 2008
From: alxfrag at gmail.com (AlxFrag)
Date: Fri Feb 15 12:08:59 2008
Subject: Mailscanner warnings
In-Reply-To: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com>
References: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com>
Message-ID: <47B580D6.7040609@gmail.com>

Martin.Hepworth wrote:
>> >> -- >> Martin Hepworth >> Snr Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of >> AlxFrag >> Sent: 15 February 2008 10:43 >> To: MailScanner discussion >> Subject: Re: Mailscanner warnings >> >> --[ UxBoD ]-- wrote: >> >> >> would you please run the MailScanner --lint >> >> it will either be in /usr/sbin or >> /usr/local/bin and >> both should be in >> >> >> your path anyway. >> >> >> Regards, >> >> >> >> >> Read 817 hostnames from the phishing whitelist >> MailScanner setting GID to (1002) >> MailScanner setting UID to (1004) >> >> Checking for SpamAssassin errors (if you use >> it)... >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> config: SpamAssassin failed to parse line, >> "/usr/bin/pyzor" is >> not valid >> for "pyzor_path", skipping: pyzor_path >> /usr/bin/pyzor >> bayes: cannot open bayes databases >> /etc/MailScanner/bayes/bayes_* R/O: >> tie failed: Permission denied >> bayes: cannot open bayes databases >> /etc/MailScanner/bayes/bayes_* R/O: >> tie failed: Permission denied >> bayes: cannot open bayes databases >> /etc/MailScanner/bayes/bayes_* R/O: >> tie failed: Permission denied >> SpamAssassin reported an error. >> Using locktype = flock >> MailScanner.conf says "Virus Scanners = clamav" >> Found these virus scanners installed: clamav >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> >> >> This gives the error: >> >> Feb 15 12:58:25 hermes MailScanner[6535]: Virus scanner >> "clamd" not found >> in virus.scanners.conf file. Please check your spelling in >> "Virus Scanners >> =" line of MailScanner.conf >> >> >> It must be clamd running because in etc/local/clamd.conf i >> have: >> >> LocalSocket /tmp/clamd >> >> Also, if i type ps -A i get: >> >> 2319 ? 
00:36:32 clamd >> >> Regards >> >> >> Hmm looks there's a problem with the install then. Is this a fresh >> install or upgrade from an earlier version, as the clamd info in >> virus.scanners.conf has been present for quite a few releases now. >> >> -- >> Martin Hepworth >> >> it's fresh install. >> >> I have two machines running Mailscanner. The first uses the version 4.57.6 >> while the second one uses 4.66.5. >> Both show the warnings in the log file. >> >> >> >> > > > Hmm what does virus.scanners.conf say for the clamd line?? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > It says: clamav /usr/lib/MailScanner/clamav-wrapper /usr/local clamd /bin/false /usr/local and , in /usr/lib/MailScanner/clamav-wrapper i have: ClamScan=$1/bin/clamdscan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/2a71a284/attachment.html From uxbod at splatnix.net Fri Feb 15 12:11:37 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 12:11:50 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <5132374.01203077446935.JavaMail.root@office.splatnix.net> Message-ID: <26498669.21203077497039.JavaMail.root@office.splatnix.net> yes :) but I have also disabled them Glenn ;) Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Glenn Steen" wrote: > On 15/02/2008, --[ UxBoD ]-- wrote: From glenn.steen at gmail.com Fri Feb 15 12:15:17 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 12:15:27 2008 Subject: Mailscanner warnings In-Reply-To: References: <47B579E6.8090602@gmail.com> Message-ID: <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> On 15/02/2008, Martin.Hepworth wrote: > Also > > The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61.. > Not to mention that no facility of MailScanner would ever run the clamd _command_ ... Not whatsoever.
What seems to have happened here is that someone has followed a botched instruction on enabling clamdscan support by futzing the clamav-* wrapper scripts. This of course hasn't worked, since clamd is the server part, not the client. This would explain the bogus log entries on both hosts. What Alex should do is to follow the spirit of the wiki article http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd to get things going on the newer install (4.66.5 was it?), and upgrade the other one to a version later than 4.62.something (just as you say Martin), and do the same there. Only other really viable option would be to run clamavmodule on the old one. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Fri Feb 15 12:17:17 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 12:18:20 2008 Subject: Mailscanner warnings In-Reply-To: <47B580D6.7040609@gmail.com> Message-ID: <23138316.51203077837747.JavaMail.root@office.splatnix.net> what does type clamd show ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "AlxFrag" wrote: > Martin.Hepworth wrote: > > > > Martin.Hepworth wrote: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
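The two misconfigurations diagnosed in the "Mailscanner warnings" thread above, as an added example that is not part of any list message and is not MailScanner's own code: a small audit that cross-checks the `Virus Scanners =` setting against virus.scanners.conf and spots a clamav wrapper edited to call clamdscan. The function names are hypothetical, the sample file contents are constructed from the snippets quoted in the thread, and the sketch assumes whitespace-separated `name wrapper install-dir` lines and that the last `Virus Scanners` assignment wins.

```python
import re

# Values of "Virus Scanners" that name no specific scanner entry.
SPECIAL_VALUES = {"auto", "none"}


def configured_scanners(mailscanner_conf: str) -> list[str]:
    """Return the scanner names listed on the 'Virus Scanners =' line."""
    names: list[str] = []
    for line in mailscanner_conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(?i)virus\s+scanners\s*=\s*(.*)$", line)
        if m:
            names = m.group(1).split()                # assumption: last one wins
    return [n for n in names if n.lower() not in SPECIAL_VALUES]


def defined_scanners(virus_scanners_conf: str) -> dict[str, tuple[str, str]]:
    """Map scanner name -> (wrapper command, install dir)."""
    table: dict[str, tuple[str, str]] = {}
    for line in virus_scanners_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            table[fields[0]] = (fields[1], fields[2])
    return table


def wrapper_calls_clamdscan(wrapper_script: str) -> bool:
    """True if the wrapper's ClamScan variable points at clamdscan."""
    return re.search(r"^\s*ClamScan=\S*clamdscan\b", wrapper_script, re.M) is not None


def audit(mailscanner_conf: str, virus_scanners_conf: str,
          wrapper_scripts: dict[str, str]) -> list[str]:
    """Return one finding per problem; an empty list means the two files agree."""
    findings: list[str] = []
    table = defined_scanners(virus_scanners_conf)
    for name in configured_scanners(mailscanner_conf):
        if name not in table:
            # Same condition as the log line quoted in the thread.
            findings.append(f"{name}: not found in virus.scanners.conf")
            continue
        wrapper, _install_dir = table[name]
        script = wrapper_scripts.get(wrapper)
        if name == "clamav" and script and wrapper_calls_clamdscan(script):
            # The edit the thread calls unsupported: command-line scanner
            # entry redirected to the clamd client.
            findings.append(f"{name}: {wrapper} has been edited to run clamdscan")
    return findings


# --- constructed sample inputs, modelled on the snippets in the thread ---
CONF_CLAMD = "Virus Scanning = yes\nVirus Scanners = clamd   # constructed\n"
CONF_CLAMAV = "Virus Scanners = clamav\n"
SCANNERS_WITHOUT_CLAMD = "clamav\t/usr/lib/MailScanner/clamav-wrapper\t/usr/local\n"
SCANNERS_WITH_CLAMD = (
    "clamav\t/usr/lib/MailScanner/clamav-wrapper\t/usr/local\n"
    "clamd\t/bin/false\t/usr/local\n"
)
EDITED_WRAPPER = {
    "/usr/lib/MailScanner/clamav-wrapper": "#!/bin/sh\nClamScan=$1/bin/clamdscan\n"
}

if __name__ == "__main__":
    cases = [
        ("clamd selected, no clamd entry", CONF_CLAMD, SCANNERS_WITHOUT_CLAMD),
        ("clamav selected, wrapper edited", CONF_CLAMAV, SCANNERS_WITH_CLAMD),
        ("clamd selected, clamd entry present", CONF_CLAMD, SCANNERS_WITH_CLAMD),
    ]
    for label, conf, scanners in cases:
        print(label, "->", audit(conf, scanners, EDITED_WRAPPER) or "ok")
```
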
From glenn.steen at gmail.com Fri Feb 15 12:21:15 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 12:21:25 2008 Subject: Mailscanner warnings In-Reply-To: <47B580D6.7040609@gmail.com> References: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com> <47B580D6.7040609@gmail.com> Message-ID: <223f97700802150421q1db3beafv512da14a40308fac@mail.gmail.com> On 15/02/2008, AlxFrag wrote: > (snip) > > It says: > > clamav /usr/lib/MailScanner/clamav-wrapper > /usr/local > clamd /bin/false > /usr/local > > > > and , in /usr/lib/MailScanner/clamav-wrapper i have: > > ClamScan=$1/bin/clamdscan > > That is _not_ the recommended and supported way of using clamd in MailScanner. You will pay an unnecessary fork/exec penalty for this, compared to the very nice direct call thing Rick Cooper implemented. The reason to not use clamavmodule (mainly, apart from some possible build issues) and use Rick's clamd thing instead is that the individual MS child memory footprint is decreased (using clamd)... Since clamavmodule will have to load the signatures into every child. Please undo those mods and look at implementing clamd the right way instead;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Feb 15 12:24:48 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 12:24:58 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <26498669.21203077497039.JavaMail.root@office.splatnix.net> References: <5132374.01203077446935.JavaMail.root@office.splatnix.net> <26498669.21203077497039.JavaMail.root@office.splatnix.net> Message-ID: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> On 15/02/2008, --[ UxBoD ]-- wrote: > yes :) but I have also disabled them Glenn ;) > > > Regards, > Are there p records present in any of the queue files? Could you send me a sample? You just might have hit a bug in my p record handling ... 
which just might get very confused by a broken file in the body part... If that got broken _after_ ReadQf is done verifying it, but _before_ the body gets read/written to the new file. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From alxfrag at gmail.com Fri Feb 15 12:35:03 2008 From: alxfrag at gmail.com (AlxFrag) Date: Fri Feb 15 12:35:02 2008 Subject: Mailscanner warnings In-Reply-To: <223f97700802150421q1db3beafv512da14a40308fac@mail.gmail.com> References: <8a49d15818d8814aa96978b01fa4e1ce@solidstatelogic.com> <47B580D6.7040609@gmail.com> <223f97700802150421q1db3beafv512da14a40308fac@mail.gmail.com> Message-ID: <47B586F7.2030504@gmail.com> Glenn Steen wrote: > On 15/02/2008, AlxFrag wrote: > > (snip) > >> It says: >> >> clamav /usr/lib/MailScanner/clamav-wrapper >> /usr/local >> clamd /bin/false >> /usr/local >> >> >> >> and , in /usr/lib/MailScanner/clamav-wrapper i have: >> >> ClamScan=$1/bin/clamdscan >> >> >> > That is _not_ the recommended and supported way of using clamd in > MailScanner. You will pay an unnecessary fork/exec penalty for this, > compared to the very nice direct call thing Rick Cooper implemented. > The reason to not use clamavmodule (mainly, apart from some possible > build issues) and use Rick's clamd thing instead is that the > individual MS child memory footprint is decreased (using clamd)... > Since clamavmodule will have to load the signatures into every child. > > Please undo those mods and look at implementing clamd the right way instead;-). > > Cheers > ok thank you! -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/edf8ce56/attachment.html From uxbod at splatnix.net Fri Feb 15 12:51:35 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Feb 15 12:52:05 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> Message-ID: <6021038.81203079895743.JavaMail.root@office.splatnix.net> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Glenn Steen" wrote: > On 15/02/2008, --[ UxBoD ]-- wrote: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Fri Feb 15 13:44:17 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 13:44:27 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <6021038.81203079895743.JavaMail.root@office.splatnix.net> References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> Message-ID: <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> On 15/02/2008, --[ UxBoD ]-- wrote: > yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. > > > Regards, > Phew, another suspected p record problem bites the dust! Good, since I'm seriously out of time, if I'm to be able go downhill skiing next week:-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Fri Feb 15 19:13:29 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 15 19:13:50 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> Message-ID: on 2/15/2008 5:44 AM Glenn Steen spake the following: > On 15/02/2008, --[ UxBoD ]-- wrote: >> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. >> >> >> Regards, >> > Phew, another suspected p record problem bites the dust! Good, since > I'm seriously out of time, if I'm to be able go downhill skiing next > week:-). > > Cheers Hopefully, you don't "bite the dust" like last year when you broke your leg! ;-P Safe trip!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/aa3095e7/signature.bin From glenn.steen at gmail.com Fri Feb 15 22:09:26 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 22:09:36 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> Message-ID: <223f97700802151409y2651590eg5132e1b4ef80b837@mail.gmail.com> On 15/02/2008, Scott Silva wrote: > on 2/15/2008 5:44 AM Glenn Steen spake the following: > > On 15/02/2008, --[ UxBoD ]-- wrote: > >> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. > >> > >> > >> Regards, > >> > > Phew, another suspected p record problem bites the dust! Good, since > > I'm seriously out of time, if I'm to be able go downhill skiing next > > week:-). > > > > Cheers > Hopefully, you don't "bite the dust" like last year when you broke your leg! ;-P > Safe trip!! > Ehm, two years ago.... and that was riding the kids bob-like-sleigh (classic STIGA snow racer, for those in the know:-). Have "bitten the dust" numerous times in the past, downhill skiing, never so much as sprained a finger....:-). So it should be safe....:-) But thanks for the thought Scott!
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Fri Feb 15 23:08:53 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 15 23:09:21 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: <223f97700802151409y2651590eg5132e1b4ef80b837@mail.gmail.com> References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> <223f97700802151409y2651590eg5132e1b4ef80b837@mail.gmail.com> Message-ID: on 2/15/2008 2:09 PM Glenn Steen spake the following: > On 15/02/2008, Scott Silva wrote: >> on 2/15/2008 5:44 AM Glenn Steen spake the following: >>> On 15/02/2008, --[ UxBoD ]-- wrote: >>>> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. >>>> >>>> >>>> Regards, >>>> >>> Phew, another suspected p record problem bites the dust! Good, since >>> I'm seriously out of time, if I'm to be able go downhill skiing next >>> week:-). >>> >>> Cheers >> Hopefully, you don't "bite the dust" like last year when you broke your leg! ;-P >> Safe trip!! >> > Ehm, two years ago.... and that was riding the kids bob-like-sleigh > (classic STIGA snow racer, for those in the know:-). Have "bitten the > dust" numerous times in the past, downhill skiing, never so much as > sprained a finger....:-). So it should be safe....:-) > But thanks for the thought Scott! > > Cheers How time flies when you are having fun! Seems like just last winter. I guess the memory is the second thing to go ... can't seem to recollect the first! ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080215/4c2d4f70/signature.bin From glenn.steen at gmail.com Fri Feb 15 23:53:56 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Feb 15 23:54:07 2008 Subject: MailScanner consuming 100% CPU In-Reply-To: References: <223f97700802150424r5a2373cfjc50f0fb28522d184@mail.gmail.com> <6021038.81203079895743.JavaMail.root@office.splatnix.net> <223f97700802150544m6e634a35x7d163f66b2cf7d89@mail.gmail.com> <223f97700802151409y2651590eg5132e1b4ef80b837@mail.gmail.com> Message-ID: <223f97700802151553v153dd18fr5e2f4b960d645fb0@mail.gmail.com> On 16/02/2008, Scott Silva wrote: > on 2/15/2008 2:09 PM Glenn Steen spake the following: > > On 15/02/2008, Scott Silva wrote: > >> on 2/15/2008 5:44 AM Glenn Steen spake the following: > >>> On 15/02/2008, --[ UxBoD ]-- wrote: > >>>> yippe :) cleared all perl modules and re-installed. all works now. that was fun ;) thanks all. > >>>> > >>>> > >>>> Regards, > >>>> > >>> Phew, another suspected p record problem bites the dust! Good, since > >>> I'm seriously out of time, if I'm to be able go downhill skiing next > >>> week:-). > >>> > >>> Cheers > >> Hopefully, you don't "bite the dust" like last year when you broke your leg! ;-P > >> Safe trip!! > >> > > Ehm, two years ago.... and that was riding the kids bob-like-sleigh > > (classic STIGA snow racer, for those in the know:-). Have "bitten the > > dust" numerous times in the past, downhill skiing, never so much as > > sprained a finger....:-). So it should be safe....:-) > > But thanks for the thought Scott! > > > > Cheers > How time flies when you are having fun! > Seems like just last winter. :-) Time flies...:-) > I guess the memory is the second thing to go ... can't seem to recollect the > first! ;-) What was that.... eh.... I think I agree... 
Can't remember why though...:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Feb 16 00:02:20 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 16 00:02:30 2008 Subject: Question for the Experts In-Reply-To: <3275845634303952132@unknownmsgid> References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu> <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com> <3275845634303952132@unknownmsgid> Message-ID: <223f97700802151602w7c9d1c83oc4c3bdeb93194d90@mail.gmail.com> On 15/02/2008, Kevin MURPHY wrote: > Hi Everyone > > Thanks for so many replies. It's the first time I have used this list and > its really great to see how the community helps each other. > Glen - I have tried that access file REJECT , but it rejects all mail even > from server > > To:domain.com REJECT [IP Address of Server B] RELAY > > ----- Transcript of session follows ----- > ... while talking to serverA: > >>> DATA > <<< 553 5.3.0 ... REJECT[IPADDRESS SERVER B]RELAY > 550 5.1.1 ... User unknown > <<< 503 5.0.0 Need RCPT (recipient) > > Regards > > Kevin > Hm, I think you did that wrong somehow...;) I got a friendly nudge from our old friend Noel (Res... Well, he's my friend anyway:-), who told me basically: ---- Quote To:exmaple.net REJECT [IP.of.server.B] RELAY --------------------------- All he needs is the first line, his relaying ip range should already be in relay-domains file, which takes the local IP range as well as non forging domain names. /etc/mail/access has not been the recommended way to relay for local stuff for some years :) ---- /Quote Which just goes to show exactly how rusty my rendmaul... eh, sendmail... skills are:-).
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mark at msapiro.net Sat Feb 16 06:55:46 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sat Feb 16 06:56:03 2008 Subject: 4.67.4 beta syntax warning - /etc/MailScanner/filename.rules.conf Message-ID: Since installing MailScanner 4.67.4 beta yesterday, I have been seeing this warning in my maillog every time a child starts. MailScanner[26148]: Possible syntax error on line 33 of /etc/MailScanner/filename.rules.conf Line 33 in the file is: allow \.x\d+\.rel$ - - The 'problem' appears to be that on line 33, the whitespace following 'allow' is *3, whereas the front matter says # NOTE: Fields are separated by TAB characters --- Important! I changed it to and the warnings went away. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From glenn.steen at gmail.com Sat Feb 16 09:57:52 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 16 09:58:02 2008 Subject: 4.67.4 beta syntax warning - /etc/MailScanner/filename.rules.conf In-Reply-To: References: Message-ID: <223f97700802160157m126d8694kc0fde3cc35780a64@mail.gmail.com> On 16/02/2008, Mark Sapiro wrote: > Since installing MailScanner 4.67.4 beta yesterday, I have been seeing > this warning in my maillog every time a child starts. > > MailScanner[26148]: Possible syntax error on line 33 of > /etc/MailScanner/filename.rules.conf > > Line 33 in the file is: > > allow \.x\d+\.rel$ - - > > The 'problem' appears to be that on line 33, the whitespace following > 'allow' is *3, whereas the front matter says > > # NOTE: Fields are separated by TAB characters --- Important! > > I changed it to and the warnings went away. > Exactly right.... Even the sun (Jules) seems to have spots....:-):-) I know it is a short-ish test period, but ... any dups? 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mark at msapiro.net Sat Feb 16 15:45:13 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sat Feb 16 15:45:24 2008 Subject: Duplicate Messages - was: 4.67.4 beta syntax warning -/etc/MailScanner/filename.rules.conf In-Reply-To: <223f97700802160157m126d8694kc0fde3cc35780a64@mail.gmail.com> Message-ID: Glenn Steen wrote: >On 16/02/2008, Mark Sapiro wrote: >> >> I changed it to and the warnings went away. >> >Exactly right.... Even the sun (Jules) seems to have spots....:-):-) >I know it is a short-ish test period, but ... any dups? Yes, it is short, but so far, so good. No dups to date. Previously, with similar settings, I never went more than two days without at least one dup, so it's promising. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From MailScanner at ecs.soton.ac.uk Sat Feb 16 16:40:05 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Feb 16 16:40:37 2008 Subject: 4.67.4 beta syntax warning - /etc/MailScanner/filename.rules.conf In-Reply-To: References: Message-ID: <47B711E5.2080004@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Well spotted! Fixed for the next release. Mark Sapiro wrote: > Since installing MailScanner 4.67.4 beta yesterday, I have been seeing > this warning in my maillog every time a child starts. > > MailScanner[26148]: Possible syntax error on line 33 of > /etc/MailScanner/filename.rules.conf > > Line 33 in the file is: > > allow \.x\d+\.rel$ - - > > The 'problem' appears to be that on line 33, the whitespace following > 'allow' is *3, whereas the front matter says > > # NOTE: Fields are separated by TAB characters --- Important! > > I changed it to and the warnings went away.
> > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHtxHvEfZZRxQVtlQRAv84AJ4hNJp0FfuUv9hwAGJZjbDMurn2uQCgugYM RGGW4eOLNLD8x845+GmmsLo= =X4nf -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Sat Feb 16 19:26:46 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Feb 16 19:27:05 2008 Subject: Question for the Experts In-Reply-To: <223f97700802151602w7c9d1c83oc4c3bdeb93194d90@mail.gmail.com> References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu> <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com> <3275845634303952132@unknownmsgid> <223f97700802151602w7c9d1c83oc4c3bdeb93194d90@mail.gmail.com> Message-ID: on 2/15/2008 4:02 PM Glenn Steen spake the following: > On 15/02/2008, Kevin MURPHY wrote: >> Hi Everyone >> >> Thanks for so many replies. It's the first time I have used this list and >> its really great to see how the community helps each other. >> Glen - I have tried that access file REJECT , but it rejects all mail even >> from server >> >> To:domain.com REJECT [IP Address of Server B] RELAY >> >> ----- Transcript of session follows ----- >> ... while talking to serverA: >>>>> DATA >> <<< 553 5.3.0 ... REJECT[IPADDRESS SERVER B]RELAY >> 550 5.1.1 ... 
User unknown >> <<< 503 5.0.0 Need RCPT (recipient) >> >> Regards >> >> Kevin >> > Hm, I think you did that wrong somehow...;) > > I got a friendly nudge from our old friend Noel (Res... Well, he's my > friend anyway:-), who told me basically: > ---- Quote > To:exmaple.net REJECT > [IP.of.server.B] RELAY > I would call Noel a friend also. I know he is watching, but staying silent since the "incident". I gotta dig in my inbox and find his address and say hi! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080216/6b8b5cf4/signature.bin From garry at glendown.de Sat Feb 16 19:27:33 2008 From: garry at glendown.de (Garry) Date: Sat Feb 16 19:27:44 2008 Subject: Archive as mqueue files? Message-ID: <47B73925.1080301@glendown.de> In order to test some rules and stuff with a fixed set of mails, I was wondering: Is it possible to automatically archive all incoming mail messages as mqueue files with some settings of MailScanner, or do I need to hack something myself? Tnx, -garry From shuttlebox at gmail.com Sat Feb 16 20:05:56 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Sat Feb 16 20:06:05 2008 Subject: Archive as mqueue files? In-Reply-To: <47B73925.1080301@glendown.de> References: <47B73925.1080301@glendown.de> Message-ID: <625385e30802161205n169a72b5y1493001b6f2a3a99@mail.gmail.com> On Feb 16, 2008 8:27 PM, Garry wrote: > In order to test some rules and stuff with a fixed set of mails, I was > wondering: Is it possible to automatically archive all incoming mail > messages as mqueue files with some settings of MailScanner, or do I need > to hack something myself? Look at "Archive Mail" in MailScanner.conf. 
;-) -- /peter From glenn.steen at gmail.com Sat Feb 16 20:59:26 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 16 20:59:36 2008 Subject: Question for the Experts In-Reply-To: References: <47B468A1.2000800@slackadelic.com> <45354.7920370058$1203007154@news.gmane.org> <224FA7E11EA39E45843E11CEBBD3A36F7750FA@HOUPEX01.nfsmith.info> <47B49DA8.8080401@sendit.nodak.edu> <223f97700802141219v1f9c1cabs8fcae9b1babb809c@mail.gmail.com> <3275845634303952132@unknownmsgid> <223f97700802151602w7c9d1c83oc4c3bdeb93194d90@mail.gmail.com> Message-ID: <223f97700802161259m4db4126bga334e08075330f4f@mail.gmail.com> On 16/02/2008, Scott Silva wrote: > on 2/15/2008 4:02 PM Glenn Steen spake the following: > > On 15/02/2008, Kevin MURPHY wrote: > >> Hi Everyone > >> > >> Thanks for so many replies. It's the first time I have used this list and > >> its really great to see how the community helps each other. > >> Glen - I have tried that access file REJECT , but it rejects all mail even > >> from server > >> > >> To:domain.com REJECT [IP Address of Server B] RELAY > >> > >> ----- Transcript of session follows ----- > >> ... while talking to serverA: > >>>>> DATA > >> <<< 553 5.3.0 ... REJECT[IPADDRESS SERVER B]RELAY > >> 550 5.1.1 ... User unknown > >> <<< 503 5.0.0 Need RCPT (recipient) > >> > >> Regards > >> > >> Kevin > >> > > Hm, I think you did that wrong somehow...;) > > > > I got a friendly nudge from our old friend Noel (Res... Well, he's my > > friend anyway:-), who told me basically: > > ---- Quote > > To:exmaple.net REJECT > > [IP.of.server.B] RELAY > > > I would call Noel a friend also. I know he is watching, but staying silent > since the "incident". > I gotta dig in my inbox and find his address and say hi! > Bug me off-list and I'll dig out a few:-). One need not be a genius to reconstruct the "secret" one... the one that doesn't block everything:-):-). Am busy packing, might be able to get it to you tomorrow evening (when I'm in the mountains.... Yohooo!!!:-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From garry at glendown.de Sat Feb 16 21:14:08 2008 From: garry at glendown.de (Garry) Date: Sat Feb 16 21:14:18 2008 Subject: Archive as mqueue files? In-Reply-To: <625385e30802161205n169a72b5y1493001b6f2a3a99@mail.gmail.com> References: <47B73925.1080301@glendown.de> <625385e30802161205n169a72b5y1493001b6f2a3a99@mail.gmail.com> Message-ID: <47B75220.40800@glendown.de> shuttlebox wrote: > Look at "Archive Mail" in MailScanner.conf. ;-) > Tnx, I saw the mbox-line in the comments, and assumed it only created those types of files ... just tried, looks good ... -gg From hvdkooij at vanderkooij.org Sun Feb 17 10:07:59 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Feb 17 10:08:08 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 Message-ID: <47B8077F.90004@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I upgraded MailScanner 4.66.5 and it now bugs me with the Perl IO thing: **** ERROR: You must upgrade your perl IO module to at least **** ERROR: version 1.2301 or MailScanner will not work! But if I try to recompile the module provided by Jules I get bogged down with: RPM build errors: ~ Installed (but unpackaged) file(s) found: ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/.packlist ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod So it seems the package provided is not clean. 
And the package from rpmforge seems to conflict with perl itself: Transaction Check Error: ~ file /usr/share/man/man3/IO.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Dir.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::File.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Handle.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Pipe.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Poll.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Seekable.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Select.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket::INET.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket::UNIX.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 For the moment I have to bypass MailScanner in postfix to make it work. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? 
Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuAd9BvzDRVjxmYERAimAAJ4mvu2pEoRNrh9b/7708HckmDUbTACfeAto v6T2V0XldyLQ8d4hJPMIQWI= =myyX -----END PGP SIGNATURE----- From uxbod at splatnix.net Sun Feb 17 10:22:24 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Sun Feb 17 10:22:49 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B8077F.90004@vanderkooij.org> Message-ID: <68713.31203243744239.JavaMail.root@office.splatnix.net> ----- "Hugo van der Kooij" wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I upgraded MailScanner 4.66.5 and it now bugs me with the Perl IO thing: **** ERROR: You must upgrade your perl IO module to at least **** ERROR: version 1.2301 or MailScanner will not work! But if I try to recompile the module provided by Jules I get bogged down with: RPM build errors: ~ Installed (but unpackaged) file(s) found: ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/.packlist ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod So it seems the package provided is not clean. 
And the package from rpmforge seems to conflict with perl itself: Transaction Check Error: ~ file /usr/share/man/man3/IO.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Dir.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::File.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Handle.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Pipe.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Poll.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Seekable.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Select.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket::INET.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 ~ file /usr/share/man/man3/IO::Socket::UNIX.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-10.el5_0.2 For the moment I have to bypass MailScanner in postfix to make it work. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? 
Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuAd9BvzDRVjxmYERAimAAJ4mvu2pEoRNrh9b/7708HckmDUbTACfeAto v6T2V0XldyLQ8d4hJPMIQWI= =myyX -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! What does rpm -qa | grep -i socket show ? I have just built to CentOS 5.1 servers with both latest stable and beta without any problems. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Feb 17 10:35:00 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Feb 17 10:35:24 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B8077F.90004@vanderkooij.org> References: <47B8077F.90004@vanderkooij.org> Message-ID: <47B80DD4.2050609@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 How did you upgrade? Did you run install.sh? Hugo van der Kooij wrote: > * PGP Signed by an unverified key: 02/17/08 at 10:07:57 > > Hi, > > I upgraded MailScanner 4.66.5 and it now bugs me with the Perl IO thing: > > **** ERROR: You must upgrade your perl IO module to at least > **** ERROR: version 1.2301 or MailScanner will not work! 
> > But if I try to recompile the module provided by Jules I get bogged down > with: > > RPM build errors: > ~ Installed (but unpackaged) file(s) found: > ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/.packlist > ~ /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod > > So it seems the package provided is not clean. > > And the package from rpmforge seems to conflict with perl itself: > > Transaction Check Error: > ~ file /usr/share/man/man3/IO.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Dir.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::File.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Handle.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Pipe.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Poll.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Seekable.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Select.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Socket.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Socket::INET.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file from package > perl-5.8.8-10.el5_0.2 > ~ file /usr/share/man/man3/IO::Socket::UNIX.3pm.gz from install of > perl-IO-1.2301-1.el5.rf conflicts with file 
from package > perl-5.8.8-10.el5_0.2 > > For the moment I have to bypass MailScanner in postfix to make it work. > > Hugo > > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > * Hugo van der Kooij > * 0x58F19981 - Unverified(L) > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-15 wj8DBQFHuA3WEfZZRxQVtlQRAsE6AKCjdZpev/XgIJtSAh0HQemtJUVBAgCfSavi X+Sz5A71e1LBwLoSq1oACUY= =w5va -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Sun Feb 17 10:51:02 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Feb 17 10:51:13 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B80DD4.2050609@ecs.soton.ac.uk> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> Message-ID: <47B81196.8060104@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: | How did you upgrade? | Did you run install.sh? I upgraded the packages through yum and installed the MailScanner RPM with rpm -Uvh manually. I do not use that script as I have found that I do not wish to screw up yet another system with the --force option. I have paid too high a price to accept that option ever again with rpm. 
And to answer the other question: ]# rpm -qa | grep -i socket perl-Socket6-0.19-3.fc6 perl-IO-Socket-INET6-2.51-2.fc6 perl-IO-Socket-SSL-1.12-1.el5.rf The only thing left untested is to take the source RPM of MailScanner 4.67.4 and rebuild it. But I do not think it will make that much of a difference. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation.]# rpm -qa | grep -i socket perl-Socket6-0.19-3.fc6 perl-IO-Socket-INET6-2.51-2.fc6 perl-IO-Socket-SSL-1.12-1.el5.rf >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuBGVBvzDRVjxmYERAifuAJ44pWH3qnwnB7koA/X0rhn7eWXj4ACfXGi1 /eD97kPiauDFudNFq2jhdtA= =lucT -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sun Feb 17 11:14:24 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Feb 17 11:14:34 2008 Subject: Bounce increase Message-ID: <47B81710.5020909@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I seem to have an increase in bounces from content scanners that seem to fully ignore my SPF record and resend garbage. I have not yet identified the system that is doing this but I have seen it in various places like ISP's and educational institutions. Does someone recognize the system using these unwanted bounces? It looks a tid bit like a Barracuda but those can be easily identified by the sheer number of added headers in the bounces and the fact that the reference code in these messages is not at all present. I guess it is a postfix + amavisd + ...... setup. What I get back looks something like: BANNED CONTENTS ALERT Our content checker found ~ banned name: multipart/mixed | application/octet-stream,.zip,file.zip | ~ .exe,.exe-ms,file.htm ... 
.pif in email presumably from you to the following recipient: - -> admissions@aquinas.edu Our internal reference code for your message is 64027-04/eRk+KEAvTGY2 First upstream SMTP client IP address: [211.5.2.75] nm01omta06.auone-net.jp According to a 'Received:' trace, the message originated at: [220.217.50.1], ~ vanderkooij.org ([220.217.50.1]) Return-Path: Message-ID: <200802110849565173190001MAC9@nm01mta.auone-net.jp> Subject: Delivery reports about your e-mail Delivery of the email was stopped! The message has been blocked because it contains a component (as a MIME part or nested within) with declared name or MIME type or contents type violating our access policy. To transfer contents that may be considered risky or unwanted by site policies, or simply too large for mailing, please consider publishing your content on the web, and only sending an URL of the document to the recipient. Depending on the recipient and sender site policies, with a little effort it might still be possible to send any contents (including viruses) using one of the following methods: - - encrypted using pgp, gpg or other encryption methods; - - wrapped in a password-protected or scrambled container or archive ~ (e.g.: zip -e, arj -g, arc g, rar -p, or other methods) Note that if the contents is not intended to be secret, the encryption key or password may be included in the same message for recipient's convenience. We are sorry for inconvenience if the contents was not malicious. The purpose of these restrictions is to cut the most common propagation methods used by viruses and other malware. These often exploit automatic mechanisms and security holes in more popular mail readers (Microsoft mail readers and browsers are a common target). By requiring an explicit and decisive action from the recipient to decode mail, the danger of automatic malware propagation is largely reduced. 
Reporting-MTA: dns; fir.aquinas.edu Received-From-MTA: smtp; fir.aquinas.edu ([127.0.0.1]) Arrival-Date: Mon, 11 Feb 2008 03:49:59 -0500 (EST) Original-Recipient: rfc822;admissions@aquinas.edu Final-Recipient: rfc822;admissions@aquinas.edu Action: failed Status: 5.7.1 Diagnostic-Code: smtp; 554-5.7.1 Rejected, id=64027-04 - BANNED: ~ 554-5.7.1 multipart/mixed | application/octet-stream,.zip,file.zip | ~ 554 5.7.1 .exe,.exe-ms,file.htm ... Last-Attempt-Date: Mon, 11 Feb 2008 03:49:59 -0500 (EST) Return-Path: Received: from nm01omta06.auone-net.jp (nm01omta06.auone-net.jp [211.5.2.75]) by fir.aquinas.edu (Postfix) with SMTP id 1CB832618AF for ; Mon, 11 Feb 2008 03:49:57 -0500 (EST) Received: from nm01omta06.auone-net.jp ([211.5.2.75]) by nm01omta06.auone-net.jp ~ via smtpd (for fir.aquinas.edu [198.110.245.41]) with ESMTP; Mon, 11 Feb 2008 03:49:57 -0500 Received: from vanderkooij.org ([220.217.50.1]) by nm01mta.auone-net.jp id <20080211174956503.MAC9.819B608@nm01mta.auone-net.jp>; Mon, 11 Feb 2008 17:49:56 +0900 From: hugo@vanderkooij.org To: admissions@aquinas.edu Subject: Delivery reports about your e-mail Date: Mon, 11 Feb 2008 17:49:06 +0900 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_7D574C9E.4731B847" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-ID: <200802110849565173190001MAC9@nm01mta.auone-net.jp> - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuBcOBvzDRVjxmYERAm9xAKCjUQHN5D+afmp09lllxuTyQ3ZFPwCgjj0p S0bWsslEgw3aY2n0fz9rcHE= =qQg+ -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Sun Feb 17 11:14:47 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Feb 17 11:15:13 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B81196.8060104@vanderkooij.org> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> Message-ID: <47B81727.5020104@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > * PGP Signed by an unverified key: 02/17/08 at 10:51:01 > > Julian Field wrote: > | How did you upgrade? > | Did you run install.sh? > > I upgraded the packages through yum and installed the MailScanner RPM > with rpm -Uvh manually. > > I do not use that script as I have found that I do not wish to screw up > yet another system with the --force option. I have paid too high a price > to accept that option ever again with rpm. It's just that my install.sh script writes a .rpmmacros file for you that stops all the RPM build errors you were seeing. If you do it all yourself, sorry, but don't expect too much sympathy :-) Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-15 wj8DBQFHuBcrEfZZRxQVtlQRAhPnAJkB/WBRNqj5jN/LvRd5JhaT84mLeQCeP8tV J/52tt4OOK7mbjDp3kz5wCk= =T7aT -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From hvdkooij at vanderkooij.org Sun Feb 17 11:53:30 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Feb 17 11:53:39 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B81727.5020104@ecs.soton.ac.uk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk>
Message-ID: <47B8203A.9000205@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
|
|
| Hugo van der Kooij wrote:
|> * PGP Signed by an unverified key: 02/17/08 at 10:51:01
|
|> Julian Field wrote:
|> | How did you upgrade?
|> | Did you run install.sh?
|
|> I upgraded the packages through yum and installed the MailScanner RPM
|> with rpm -Uvh manually.
|
|> I do not use that script as I have found that I do not wish to screw up
|> yet another system with the --force option. I have paid too high a price
|> to accept that option ever again with rpm.
| It's just that my install.sh script writes a .rpmmacros file for you
| that stops all the RPM build errors you were seeing. If you do it all
| yourself, sorry, but don't expect too much sympathy :-)

Why is there a requirement for Perl IO of this version?

If I go over the mailing list messages from the past months I see people reporting installing perl-MailTools 2.02 via yum and not listing perl-IO as a requirement.

It seems you needed a specific perl-IO version to get perl-MailTools working but why does MailScanner insist to use that version of perl-IO?

I will see if a small modification of the MailScanner program will fix this dependency issue.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHuCA4BvzDRVjxmYERAoIxAJ0eyprQ4+v9KPOmIGlDHD/K/XoudACfdUUw
kpYB607tR7o7UDWDmv7xKVw=
=gDpW
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Feb 17 12:34:21 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Feb 17 12:34:49 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B81727.5020104@ecs.soton.ac.uk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk>
Message-ID: <47B829CD.70400@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
|
|
| Hugo van der Kooij wrote:
|> * PGP Signed by an unverified key: 02/17/08 at 10:51:01
|
|> Julian Field wrote:
|> | How did you upgrade?
|> | Did you run install.sh?
|
|> I upgraded the packages through yum and installed the MailScanner RPM
|> with rpm -Uvh manually.
|
|> I do not use that script as I have found that I do not wish to screw up
|> yet another system with the --force option. I have paid too high a price
|> to accept that option ever again with rpm.
| It's just that my install.sh script writes a .rpmmacros file for you
| that stops all the RPM build errors you were seeing. If you do it all
| yourself, sorry, but don't expect too much sympathy :-)

I disabled the specific check in MailScanner as a test and MailScanner works just fine from what I can tell. I am currently doing a full set of tests.

I can not find specifically what did not work without this perl IO module in the past months. Can anyone remember that bit of information?

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHuCnLBvzDRVjxmYERAsb+AKC3qAWOJWhVsJicq1hjfd4X9qtaOQCdHB1h XjI3AX34yEjwHGbPlgDGVzs= =ph1C -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Sun Feb 17 14:33:14 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Feb 17 14:33:41 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B829CD.70400@vanderkooij.org> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> Message-ID: <47B845AA.8060803@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > * PGP Signed by an unverified key: 02/17/08 at 12:34:19 > > Julian Field wrote: > | > | > | Hugo van der Kooij wrote: > |> > Old Signed by an unverified key: 02/17/08 at 10:51:01 > | > |> Julian Field wrote: > |> | How did you upgrade? > |> | Did you run install.sh? > | > |> I upgraded the packages through yum and installed the MailScanner RPM > |> with rpm -Uvh manually. > | > |> I do not use that script as I have found that I do not wish to > screw up > |> yet another system with the --force option. I have paid too high a > price > |> to accept that option ever again with rpm. > | It's just that my install.sh script writes a .rpmmacros file for you > | that stops all the RPM build errors you were seeing. If you do it all > | yourself, sorry, but don't expect too much sympathy :-) > > I disabled the specific check in MailScanner as a test and MailScanner > works just fine from what I can tell. I am currently doing a full set of > tests. I always go by what the modules say they need as pre-requisites, not what happens to appear to work. There may be some nasty edge case that you haven't tested. Have you any suggestions for how to avoid this problem entirely? One possibility is to use CPAN to install the modules that I otherwise have to --force. 
But that still totally screws with the RPM installation of Perl itself, it just does it in a way that is hidden from 'perl -MCPAN' :-( One other possibility is to much with the installation setup of each of my required Perl modules, so that they are always installed in the "site" tree which should be out of the way of CPAN and RPM. Not sure how easy it is to do that though. Any thoughts? > > I can not find specificly what did not work witout this perl IO module > in the past months. Can anyone remember that bit of information? Sorry, I have had a good look. When I upgraded some other Perl module, it must have complained that it needed an even newer version of the IO module than shipped with RedHat 5 or CentOS 5, as that's what I build on. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-15 wj8DBQFHuEWtEfZZRxQVtlQRAnkvAJ9zrQZwagQleV3kxPdDfe3P5Qd7fACfXKYX 8tlBaOVSIDaJVKA8LZwbF+M= =6JMP -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
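Added example (not from the thread or from MailScanner): the "site" versus RPM tree question above comes down to search order, because perl's require loads the first matching file in @INC, not the newest one. The Perl script below lists every copy of a module along a search path and flags a newer copy that is never loaded; the module Demo::Shadow, the two temporary trees and the version 1.22 are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: show which copy of a module perl will actually load.
use strict;
use warnings;
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);
use version;

# Read the $VERSION a module file declares without loading (executing) it.
# Simplified: handles the common `$VERSION = "x.y"` / `our $VERSION = 'x.y'` forms.
sub declared_version {
    my ($path) = @_;
    open my $fh, '<', $path or return undef;
    while (my $line = <$fh>) {
        return $1 if $line =~ /^\s*(?:our\s+)?\$VERSION\s*=\s*["']?(\d[\d._]*)/;
    }
    return undef;
}

# Walk the search path in order and list every file that provides $module.
# require stops at the FIRST hit, so only the first element is ever used.
sub find_copies {
    my ($module, @search) = @_;
    my @parts = split /::/, "$module.pm";
    my @copies;
    for my $dir (@search) {
        next if ref $dir;    # @INC may contain code-ref hooks; skip them
        my $path = File::Spec->catfile($dir, @parts);
        push @copies, { path => $path, version => declared_version($path) }
            if -f $path;
    }
    return @copies;
}

# True when version string $x is strictly newer than $y.
sub newer {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y;
    return eval { version->parse($x) > version->parse($y) } ? 1 : 0;
}

# Print the copies in search order; return how many ignored copies are
# newer than the one that gets loaded.
sub report {
    my ($module, @search) = @_;
    my @copies = find_copies($module, @search);
    unless (@copies) { print "  $module: not found\n"; return 0; }
    my $shadowed = 0;
    for my $i (0 .. $#copies) {
        my $c    = $copies[$i];
        my $note = $i == 0 ? 'LOADED' : 'ignored';
        if ($i > 0 && newer($c->{version}, $copies[0]{version})) {
            $note = 'ignored, but NEWER than the loaded copy';
            $shadowed++;
        }
        printf "  %-8s %s  [%s]\n", $c->{version} // 'unknown', $c->{path}, $note;
    }
    return $shadowed;
}

# --- Constructed demo: two trees, the "perl" tree searched before the vendor tree ---
my $root   = tempdir(CLEANUP => 1);
my $core   = File::Spec->catdir($root, 'perl');          # stands in for the core tree
my $vendor = File::Spec->catdir($root, 'vendor_perl');   # stands in for the vendor tree
my %tree   = ($core => '1.22', $vendor => '1.2301');     # constructed versions
for my $dir (sort keys %tree) {
    make_path(File::Spec->catdir($dir, 'Demo'));
    my $file = File::Spec->catfile($dir, 'Demo', 'Shadow.pm');
    open my $out, '>', $file or die "cannot write $file: $!";
    print {$out} "package Demo::Shadow;\nour \$VERSION = '$tree{$dir}';\n1;\n";
    close $out or die "cannot close $file: $!";
}

print "Demo::Shadow (constructed trees):\n";
my $hidden = report('Demo::Shadow', $core, $vendor);

# Confirm with a real load: require picks the first tree, not the newest file.
{
    local @INC = ($core, $vendor, @INC);
    require Demo::Shadow;
    printf "require loaded %s from %s\n",
        Demo::Shadow->VERSION, $INC{'Demo/Shadow.pm'};
}
print "$hidden newer copy is shadowed by search order\n" if $hidden;

# The same check against the real IO module on this host.
print "IO (this host's \@INC):\n";
report('IO', @INC);
```

Running the last step on a mail gateway after installing a replacement module package shows at once whether the new file sits ahead of or behind the distribution's copy in @INC.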
From shuttlebox at gmail.com Sun Feb 17 15:25:59 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Sun Feb 17 15:26:07 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B845AA.8060803@ecs.soton.ac.uk> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> Message-ID: <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> On Feb 17, 2008 3:33 PM, Julian Field wrote: > One other possibility is to much with the installation setup of each of > my required Perl modules, so that they are always installed in the > "site" tree which should be out of the way of CPAN and RPM. Not sure how > easy it is to do that though. Any thoughts? I've been dealing with this on Solaris and even though I packaged a IO 1.2301 module it used the older one from within Perl itself, it only searches the INC until it finds a match, it doesn't go through the whole INC and uses the latest module if there are more than one match. I had to use PERLLIB in a few places and didn't like it so I haven't officially released a 4.66 Blastwave package. Instead I have asked the maintainer of Perl to update the included IO which haven't happened yet. 
:-(

--
/peter

From hvdkooij at vanderkooij.org Sun Feb 17 16:16:04 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Feb 17 16:16:50 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com>
Message-ID: <47B85DC4.5090106@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

shuttlebox wrote:
| On Feb 17, 2008 3:33 PM, Julian Field wrote:
|> One other possibility is to much with the installation setup of each of
|> my required Perl modules, so that they are always installed in the
|> "site" tree which should be out of the way of CPAN and RPM. Not sure how
|> easy it is to do that though. Any thoughts?
|
| I've been dealing with this on Solaris and even though I packaged a IO
| 1.2301 module it used the older one from within Perl itself, it only
| searches the INC until it finds a match, it doesn't go through the
| whole INC and uses the latest module if there are more than one match.
| I had to use PERLLIB in a few places and didn't like it so I haven't
| officially released a 4.66 Blastwave package. Instead I have asked the
| maintainer of Perl to update the included IO which haven't happened
| yet. :-(

In the case of the RPM version we need to find a way to add the files without hitting the one from the main perl package. The rpmforge package does not hit a conflict on any regular files. Just on the manual pages.

If these are properly marked as documentation we just might get away with it .... .... ..

Right. First try to install it with yum. That will fail but download the package anyway.
Then install it without the documentation:

rpm -Uvh /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm --excludedocs

That installs the required package with an acceptable kludge. It does satisfy my wish to avoid the --force option.

I am not familiar enough with the Solaris package manager to see if a similar trick might work.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHuF3CBvzDRVjxmYERAkokAJ9x7Ad+kj0KHlHeIkOK2rKiuDfxvACfTGVM
tt53JdP0th+ZLMz7ZLTP8dE=
=2DCf
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Sun Feb 17 17:20:49 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Feb 17 17:21:21 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B85DC4.5090106@vanderkooij.org>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> <47B85DC4.5090106@vanderkooij.org>
Message-ID: <47B86CF1.4010307@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hugo van der Kooij wrote:
> * PGP Signed by an unverified key: 02/17/08 at 16:16:02
>
> shuttlebox wrote:
> | On Feb 17, 2008 3:33 PM, Julian Field
> wrote:
> |> One other possibility is to much with the installation setup of
> each of
> |> my required Perl modules, so that they are always installed in the
> |> "site" tree which should be out of the way of CPAN and RPM. Not
> sure how
> |> easy it is to do that though. Any thoughts?
> | > | I've been dealing with this on Solaris and even though I packaged a IO > | 1.2301 module it used the older one from within Perl itself, it only > | searches the INC until it finds a match, it doesn't go through the > | whole INC and uses the latest module if there are more than one match. > | I had to use PERLLIB in a few places and didn't like it so I haven't > | officially released a 4.66 Blastwave package. Instead I have asked the > | maintainer of Perl to update the included IO which haven't happened > | yet. :-( > > In the case of the RPM version we need to find a way to add the files > without hitting the one from the main perl package. The rpmforge package > does not hit a conflict on any regular files. Just on the manual pages. > > If these are properly markes as documentation we just might get away > with it .... .... .. > > Right. First try to install it with yum. That will fail but download the > package anyway. Then install it without the documentation: > > rpm -Uvh > /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm > --excludedocs > > That installs the required package with an acceptable kludge. It does > satisfy my wish to avoid the --force option. Slight snag. This package was put together by someone who doesn't actually understand what they are doing. They have got round the clashing file problems by putting it into the "vendorperl" instead of "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl". So the nice new version you just installed isn't actually used at all. To prove it to yourself... Try editing the code in the file (e.g. put a syntax error in it), and then run this command. It should fail as there is a syntax error in IO.pm which is where the perl-IO rpm is installed. perl -MIO -e 'print $IO::VERSION;' You'll find it still works perfectly, as it isn't using the version you just installed from dag.wieers.com. Oops. 
If it was that easy, I would have done it years ago :-) Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHuGz6EfZZRxQVtlQRArKSAKDa2BOWeEjYiU9jTmn10ex3qgczgQCfeR/z NmKfmtGv+e1ZTeuH6dHTjSw= =Fxg7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Mon Feb 18 01:05:48 2008 From: mark at msapiro.net (Mark Sapiro) Date: Mon Feb 18 01:06:21 2008 Subject: Mailscanner generated duplicate message In-Reply-To: <223f97700802150359p23a75cb5o8edbfe1d44ab459e@mail.gmail.com> Message-ID: Glenn Steen wrote: >On 15/02/2008, Mark Sapiro wrote: >> >> I'm ahead of schedule. I've just installed the 4.67.4 beta and set Max >> Children = 5. >> >> I'll be monitoring my logs for dups. I'll post my findings to the list. >> >Thanks a bundle, Mark! I'm sorry to report that the 4.67.4 beta does not fix my duplicate messages issue. I had two instances of duplication yesterday. 
Here are the relevant maillog messages

Feb 16 07:59:28 sbh16 postfix/smtpd[955]: F031D69069E: client=sbh36.songbird.com[72.52.113.36]
Feb 16 07:59:29 sbh16 postfix/cleanup[1036]: F031D69069E: hold: header Received: from dunelt.abriz.net (sbh36.songbird.com [72.52.113.36])??(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by sbh16.songbird.com (Postfix) wit from sbh36.songbird.com[72.52.113.36]; from=<> to= proto=ESMTP helo=
Feb 16 07:59:29 sbh16 postfix/cleanup[1036]: F031D69069E: message-id=<20080216155928.6B2C113D4E@dunelt.abriz.net>
Feb 16 07:59:29 sbh16 MailScanner[31863]: Requeue: F031D69069E.49A74 to 285CE6906A1
Feb 16 07:59:29 sbh16 MailScanner[31854]: Requeue: F031D69069E.D2AE4 to 699CE6906A7

Feb 16 15:04:19 sbh16 postfix/smtpd[6268]: 7DCF56905E8: client=localhost.localdomain[127.0.0.1]
Feb 16 15:04:19 sbh16 postfix/cleanup[6444]: 7DCF56905E8: hold: header Received: from sbh16.songbird.com (localhost.localdomain [127.0.0.1])??by sbh16.songbird.com (Postfix) with ESMTP id 7DCF56905E8??for ; Sat, 16 Feb 2008 15:04:19 -0800 (PST) from localhost.localdomain[127.0.0.1]; from= to= proto=ESMTP helo=
Feb 16 15:04:19 sbh16 postfix/cleanup[6444]: 7DCF56905E8: message-id=<380-2200826162342984@earthlink.net>
Feb 16 15:04:20 sbh16 MailScanner[5770]: Requeue: 7DCF56905E8.50E16 to CE37369060E
Feb 16 15:04:20 sbh16 MailScanner[5655]: Requeue: 7DCF56905E8.B1910 to 5BC9169070D

For the time being, I have gone back to Max Children = 1 in MailScanner.conf.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B.
Dylan From rohitb at netcore.co.in Mon Feb 18 09:12:38 2008 From: rohitb at netcore.co.in (Rohitb) Date: Mon Feb 18 09:14:19 2008 Subject: MailScanner process defunct on scanning attachments Message-ID: <20080218144238.8rwkcyxuokscc4s0@192.168.2.1> Hi I am having problem with MaiScanner since last 3-4 weeks, MailScanner process defuncts and stops processing mails.On checking ps commmand it shows below output. Is anybody else facing the same issue. ps aux|grep Mail root 13170 0.0 0.0 8748 1288 pts/3 S+ 14:09 0:00 /bin/sh /sbin/service MailScanner restart root 13177 0.0 0.0 10972 1448 pts/3 S+ 14:09 0:00 /bin/bash /etc/init.d/MailScanner restart root 13192 0.0 0.0 10976 1520 pts/3 S+ 14:09 0:00 /bin/bash /etc/init.d/MailScanner stop root 13220 0.0 0.0 5980 576 pts/1 S+ 14:09 0:00 grep Mail postfix 30690 0.0 0.4 97600 19172 ? Ds 09:02 0:00 MailScanner: killing children, bwahaha! postfix 30691 2.4 3.5 316392 142740 ? S 09:02 7:34 MailScanner: compressing attachments postfix 30716 26.8 2.3 334060 94956 ? S 09:02 82:22 MailScanner: compressing attachments postfix 30728 16.9 3.3 324112 134868 ? S 09:02 51:54 MailScanner: compressing attachments postfix 30735 8.1 1.9 323708 79160 ? S 09:02 25:09 MailScanner: compressing attachments postfix 30748 7.0 1.5 323932 63212 ? S 09:02 21:39 MailScanner: compressing attachments postfix 30763 0.1 0.5 315404 23524 ? S 09:02 0:19 MailScanner: compressing attachments postfix 30802 16.7 2.6 320368 106572 ? S 09:02 51:16 MailScanner: compressing attachments postfix 30835 0.1 2.1 315476 88060 ? S 09:02 0:19 MailScanner: compressing attachments postfix 30852 6.3 2.5 319344 103124 ? S 09:02 19:19 MailScanner: compressing attachments postfix 30897 2.1 1.5 316372 64164 ? S 09:03 6:36 MailScanner: compressing attachments postfix 30963 7.8 2.6 327264 105916 ? S 09:03 24:06 MailScanner: compressing attachments postfix 30999 16.3 2.4 328536 100172 ? S 09:03 50:14 MailScanner: compressing attachments postfix 31038 16.6 2.0 328620 84392 ? 
S 09:03 50:56 MailScanner: compressing attachments postfix 31157 7.9 1.8 329416 76784 ? S 09:03 24:22 MailScanner: compressing attachments postfix 31172 1.9 1.9 321068 80544 ? S 09:03 6:05 MailScanner: compressing attachments postfix 31207 1.6 1.8 321244 75668 ? S 09:03 5:10 MailScanner: compressing attachments postfix 31227 2.0 4.4 316196 179244 ? S 09:03 6:20 MailScanner: compressing attachments [root@secure6 ~]# ps aux|grep Mail root 13170 0.0 0.0 8748 1288 pts/3 S+ 14:09 0:00 /bin/sh /sbin/service MailScanner restart root 13177 0.0 0.0 10976 1456 pts/3 S+ 14:09 0:00 /bin/bash /etc/init.d/MailScanner restart root 13278 0.0 0.0 5980 576 pts/1 S+ 14:09 0:00 grep Mail postfix 30690 0.0 0.5 97600 24212 ? Ds 09:02 0:00 MailScanner: killing children, bwahaha! postfix 30691 2.4 0.0 0 0 ? Z 09:02 7:34 [MailScanner] postfix 30716 26.8 0.0 0 0 ? Z 09:02 82:23 [MailScanner] postfix 30728 16.8 0.0 0 0 ? Z 09:02 51:54 [MailScanner] postfix 30735 8.1 0.0 0 0 ? Z 09:02 25:10 [MailScanner] postfix 30748 7.0 0.0 0 0 ? Z 09:02 21:39 [MailScanner] postfix 30763 0.1 0.5 315404 24148 ? D 09:02 0:19 MailScanner: compressing attachments postfix 30802 16.7 0.0 0 0 ? Z 09:02 51:17 [MailScanner] postfix 30835 0.1 2.1 315476 88752 ? D 09:02 0:19 MailScanner: compressing attachments postfix 30852 6.3 0.0 0 0 ? Z 09:02 19:19 [MailScanner] postfix 30897 2.1 0.0 0 0 ? Z 09:03 6:36 [MailScanner] postfix 30963 7.8 0.0 0 0 ? Z 09:03 24:06 [MailScanner] postfix 30999 16.3 0.0 0 0 ? Z 09:03 50:14 [MailScanner] postfix 31038 16.6 0.0 0 0 ? Z 09:03 50:56 [MailScanner] postfix 31157 7.9 0.0 0 0 ? Z 09:03 24:22 [MailScanner] postfix 31172 1.9 2.1 321068 88448 ? D 09:03 6:05 MailScanner: compressing attachments postfix 31207 1.6 2.1 321244 86440 ? D 09:03 5:10 MailScanner: compressing attachments postfix 31227 2.0 0.0 0 0 ? 
Z 09:03 6:20 [MailScanner] Regards Rohit Baisakhiya =================================================================== sms START NETCORE to 575758 to get updates on Netcore's enterprise products and services sms START MYTODAY to 09845398453 for more information on our mobile consumer services or go to http://www.mytodaysms.com =================================================================== From uxbod at splatnix.net Mon Feb 18 09:32:18 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Feb 18 09:32:46 2008 Subject: MailScanner process defunct on scanning attachments In-Reply-To: <20080218144238.8rwkcyxuokscc4s0@192.168.2.1> Message-ID: <28306377.121203327138185.JavaMail.root@office.splatnix.net> anything in your logfiles ? what happens if you MS in debug mode ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Rohitb" wrote: > Hi > I am having problem with MaiScanner since last 3-4 weeks, MailScanner > > process defuncts and stops processing mails.On checking ps commmand it > > shows below output. Is anybody else facing the same issue. > > ps aux|grep Mail > root 13170 0.0 0.0 8748 1288 pts/3 S+ > 14:09 0:00 /bin/sh /sbin/service MailScanner restart > root 13177 0.0 0.0 10972 1448 pts/3 S+ > 14:09 0:00 /bin/bash /etc/init.d/MailScanner restart > root 13192 0.0 0.0 10976 1520 pts/3 S+ > 14:09 0:00 /bin/bash /etc/init.d/MailScanner stop > root 13220 0.0 0.0 5980 576 pts/1 S+ > 14:09 0:00 grep Mail > postfix 30690 0.0 0.4 97600 19172 ? Ds 09:02 > 0:00 MailScanner: killing children, bwahaha! > postfix 30691 2.4 3.5 316392 142740 ? S 09:02 > 7:34 MailScanner: compressing attachments > postfix 30716 26.8 2.3 334060 94956 ? S 09:02 > 82:22 MailScanner: compressing attachments > postfix 30728 16.9 3.3 324112 134868 ? 
S 09:02 > 51:54 MailScanner: compressing attachments > postfix 30735 8.1 1.9 323708 79160 ? S 09:02 > 25:09 MailScanner: compressing attachments > postfix 30748 7.0 1.5 323932 63212 ? S 09:02 > 21:39 MailScanner: compressing attachments > postfix 30763 0.1 0.5 315404 23524 ? S 09:02 > 0:19 MailScanner: compressing attachments > postfix 30802 16.7 2.6 320368 106572 ? S 09:02 > 51:16 MailScanner: compressing attachments > postfix 30835 0.1 2.1 315476 88060 ? S 09:02 > 0:19 MailScanner: compressing attachments > postfix 30852 6.3 2.5 319344 103124 ? S 09:02 > 19:19 MailScanner: compressing attachments > postfix 30897 2.1 1.5 316372 64164 ? S 09:03 > 6:36 MailScanner: compressing attachments > postfix 30963 7.8 2.6 327264 105916 ? S 09:03 > 24:06 MailScanner: compressing attachments > postfix 30999 16.3 2.4 328536 100172 ? S 09:03 > 50:14 MailScanner: compressing attachments > postfix 31038 16.6 2.0 328620 84392 ? S 09:03 > 50:56 MailScanner: compressing attachments > postfix 31157 7.9 1.8 329416 76784 ? S 09:03 > 24:22 MailScanner: compressing attachments > postfix 31172 1.9 1.9 321068 80544 ? S 09:03 > 6:05 MailScanner: compressing attachments > postfix 31207 1.6 1.8 321244 75668 ? S 09:03 > 5:10 MailScanner: compressing attachments > postfix 31227 2.0 4.4 316196 179244 ? S 09:03 > 6:20 MailScanner: compressing attachments > > > > [root@secure6 ~]# ps aux|grep Mail > root 13170 0.0 0.0 8748 1288 pts/3 S+ > 14:09 0:00 /bin/sh /sbin/service MailScanner restart > root 13177 0.0 0.0 10976 1456 pts/3 S+ > 14:09 0:00 /bin/bash /etc/init.d/MailScanner restart > root 13278 0.0 0.0 5980 576 pts/1 S+ > 14:09 0:00 grep Mail > postfix 30690 0.0 0.5 97600 24212 ? Ds 09:02 > 0:00 MailScanner: killing children, bwahaha! > postfix 30691 2.4 0.0 0 0 ? Z > 09:02 7:34 [MailScanner] > postfix 30716 26.8 0.0 0 0 ? Z > 09:02 82:23 [MailScanner] > postfix 30728 16.8 0.0 0 0 ? Z > 09:02 51:54 [MailScanner] > postfix 30735 8.1 0.0 0 0 ? 
Z > 09:02 25:10 [MailScanner] > postfix 30748 7.0 0.0 0 0 ? Z > 09:02 21:39 [MailScanner] > postfix 30763 0.1 0.5 315404 24148 ? D 09:02 > 0:19 MailScanner: compressing attachments > postfix 30802 16.7 0.0 0 0 ? Z > 09:02 51:17 [MailScanner] > postfix 30835 0.1 2.1 315476 88752 ? D 09:02 > 0:19 MailScanner: compressing attachments > postfix 30852 6.3 0.0 0 0 ? Z > 09:02 19:19 [MailScanner] > postfix 30897 2.1 0.0 0 0 ? Z > 09:03 6:36 [MailScanner] > postfix 30963 7.8 0.0 0 0 ? Z > 09:03 24:06 [MailScanner] > postfix 30999 16.3 0.0 0 0 ? Z > 09:03 50:14 [MailScanner] > postfix 31038 16.6 0.0 0 0 ? Z > 09:03 50:56 [MailScanner] > postfix 31157 7.9 0.0 0 0 ? Z > 09:03 24:22 [MailScanner] > postfix 31172 1.9 2.1 321068 88448 ? D 09:03 > 6:05 MailScanner: compressing attachments > postfix 31207 1.6 2.1 321244 86440 ? D 09:03 > 5:10 MailScanner: compressing attachments > postfix 31227 2.0 0.0 0 0 ? Z > 09:03 6:20 [MailScanner] > > > Regards > Rohit Baisakhiya > > > =================================================================== > > sms START NETCORE to 575758 to get updates on Netcore's enterprise > products and services > > sms START MYTODAY to 09845398453 for more information on our mobile > consumer services or go to http://www.mytodaysms.com > > =================================================================== -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Andrew.Chester at ukuvuma.co.za Mon Feb 18 09:34:37 2008 From: Andrew.Chester at ukuvuma.co.za (Andrew Chester) Date: Mon Feb 18 09:42:48 2008 Subject: HTML/Newsletters being received as unreadable code Message-ID: Hi All We have recently implemented MailScanner in a mail gateway of ours, and since then about 4 random emails have come through as unreadable code. The emails seem to HTML based, be it newsletters that have been subscribed to or confirmation of flight details to a user, and seem to be random. 
The code looks like the following (obviously different for each mail):

Does anyone know what the problem for the above is and how to solve it?

Another problem has come up where with an email that a user has received, the subject line was removed completely. The email is a newsletter which is received daily, and the problem has never occurred before using MailScanner. Any ideas on this?

The system we are running is as follows:

OS - FreeBSD 6.3
MTA - Postfix 2.4.6
MailScanner 4.64.3

Any help will be greatly appreciated, thanks.

From martinh at solidstatelogic.com Mon Feb 18 09:44:16 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Feb 18 09:44:26 2008
Subject: MailScanner process defunct on scanning attachments
In-Reply-To: <20080218144238.8rwkcyxuokscc4s0@192.168.2.1>
Message-ID: <49128710df3e134d9893e1df437b5baf@solidstatelogic.com>

Also

What version of mailScanner?

MailScanner -V

Output as well..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From lhaig at haigmail.com Mon Feb 18 10:45:04 2008
From: lhaig at haigmail.com (Lance Haig)
Date: Mon Feb 18 10:45:12 2008
Subject: List of perl modules required for a MailScanner install?
Message-ID: <47B961B0.1040800@haigmail.com>

Hi,

Does anyone have a list of all the modules and programs needed for a MailScanner install?

I can't use Julian's install script on my system.

Regards

Lance

From rohitb at netcore.co.in Mon Feb 18 11:30:24 2008
From: rohitb at netcore.co.in (Rohitb)
Date: Mon Feb 18 11:30:41 2008
Subject: MailScanner process defunct on scanning attachments
In-Reply-To: <28306377.121203327138185.JavaMail.root@office.splatnix.net>
References: <28306377.121203327138185.JavaMail.root@office.splatnix.net>
Message-ID: <20080218170024.pey1nrku0w04kcgg@192.168.2.1>

I am running MailScanner version 4.64.3, I don't see anything unusual in the logs. Will try to run it in debug mode and send the output once done.
I tried lint; it did not show any warnings or errors.

Rohit

From MailScanner at ecs.soton.ac.uk Mon Feb 18 11:32:02 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 18 11:32:56 2008
Subject: List of perl modules required for a MailScanner install?
In-Reply-To: <47B961B0.1040800@haigmail.com>
References: <47B961B0.1040800@haigmail.com>
Message-ID: <47B96CB2.4080607@ecs.soton.ac.uk>

There's a great big table in the install.sh script, that contains all the information you need.

Lance Haig wrote:
> Hi,
>
> Does anyone have a list of all the modules and programs needed for a
> MailScanner install?
>
> I can't use Julian's install script on my system.
>
> Regards
>
> Lance
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ajcartmell at fonant.com Mon Feb 18 11:44:22 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Mon Feb 18 11:44:43 2008
Subject: List of perl modules required for a MailScanner install?
In-Reply-To: <47B961B0.1040800@haigmail.com>
References: <47B961B0.1040800@haigmail.com>
Message-ID:

> Does anyone have a list of all the modules and programs needed for a
> MailScanner install?

From a minimal FC8 server installation, I needed to install a few rpms using yum to install MailScanner with Julian's script:

# yum install rpm-build
# yum install perl-devel
# yum install perl-Test-Simple

Since perl-Test-Simple is included with MailScanner, might it be possible to remove the requirement for that (and save having problems with yum trying to update it) if it's listed earlier in the MailScanner install.sh?

The other two requirements seem pretty basic, and probably don't need to be included with MailScanner.

FWIW I found what was required by looking for "not found" error messages when installing MailScanner, and then using "yum provides" on those files.

HTH,

Anthony
--
www.fonant.com - Quality web sites

From lhaig at haigmail.com Mon Feb 18 11:55:09 2008
From: lhaig at haigmail.com (Lance Haig)
Date: Mon Feb 18 11:55:19 2008
Subject: List of perl modules required for a MailScanner install?
In-Reply-To: <47B96CB2.4080607@ecs.soton.ac.uk>
References: <47B961B0.1040800@haigmail.com> <47B96CB2.4080607@ecs.soton.ac.uk>
Message-ID: <47B9721D.20502@haigmail.com>

Julian Field wrote:
> There's a great big table in the install.sh script, that contains all
> the information you need.
>
> Lance Haig wrote:
>> Hi,
>
>> Does anyone have a list of all the modules and programs needed for a
>> MailScanner install?
>
>> I can't use Julian's install script on my system.
>
>> Regards
>
>> Lance
>
>
> Jules
>

Hi Julian,

Thank you. I will go RTFM :-)

Lance

From tgc at statsbiblioteket.dk Mon Feb 18 13:21:31 2008
From: tgc at statsbiblioteket.dk (Tom G. Christensen)
Date: Mon Feb 18 13:21:41 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B86CF1.4010307@ecs.soton.ac.uk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> <47B85DC4.5090106@vanderkooij.org> <47B86CF1.4010307@ecs.soton.ac.uk>
Message-ID: <47B9865B.2040400@statsbiblioteket.dk>

Julian Field wrote:
> Hugo van der Kooij wrote:
>> shuttlebox wrote:
>> | On Feb 17, 2008 3:33 PM, Julian Field wrote:
>> |> One other possibility is to much with the installation setup of each of
>> |> my required Perl modules, so that they are always installed in the
>> |> "site" tree which should be out of the way of CPAN and RPM. Not sure how
>> |> easy it is to do that though. Any thoughts?
>> |
>> | I've been dealing with this on Solaris and even though I packaged a IO
>> | 1.2301 module it used the older one from within Perl itself, it only
>> | searches the INC until it finds a match, it doesn't go through the
>> | whole INC and uses the latest module if there are more than one match.
>> | I had to use PERLLIB in a few places and didn't like it so I haven't
>> | officially released a 4.66 Blastwave package. Instead I have asked the
>> | maintainer of Perl to update the included IO which haven't happened
>> | yet. :-(
>>
>> In the case of the RPM version we need to find a way to add the files
>> without hitting the one from the main perl package. The rpmforge package
>> does not hit a conflict on any regular files. Just on the manual pages.
>>
>> If these are properly marked as documentation we just might get away
>> with it .... .... ..
>>
>> Right. First try to install it with yum. That will fail but download the
>> package anyway. Then install it without the documentation:
>>
>> rpm -Uvh
>> /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm
>> --excludedocs
>>
>> That installs the required package with an acceptable kludge. It does
>> satisfy my wish to avoid the --force option.
> Slight snag. This package was put together by someone who doesn't
> actually understand what they are doing. They have got round the
> clashing file problems by putting it into the "vendorperl" instead of
> "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl".
>
Careful now. Dag is well aware of this issue and has stated many times that there is no good solution for RHEL < 5.
On rhel5 however this is no longer an issue:

$ cat /etc/redhat-release
CentOS release 5 (Final)
$ perl -V
Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Built under linux
  Compiled at Nov 8 2007 06:49:16
  @INC:
    /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.8
    /usr/lib/perl5/site_perl/5.8.7
    /usr/lib/perl5/site_perl/5.8.6
    /usr/lib/perl5/site_perl/5.8.5
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.8
    /usr/lib/perl5/vendor_perl/5.8.7
    /usr/lib/perl5/vendor_perl/5.8.6
    /usr/lib/perl5/vendor_perl/5.8.5
    /usr/lib/perl5/vendor_perl
    /usr/lib/perl5/5.8.8/i386-linux-thread-multi
    /usr/lib/perl5/5.8.8
    .

See? It searches vendor_perl before the core paths.

> So the nice new version you just installed isn't actually used at all.
>
True on RHEL/CentOS < 5.

> To prove it to yourself...
> Try editing the code in the file (e.g. put a syntax error in it), and
> then run this command. It should fail as there is a syntax error in
> IO.pm which is where the perl-IO rpm is installed.
> perl -MIO -e 'print $IO::VERSION;'
> You'll find it still works perfectly, as it isn't using the version you
> just installed from dag.wieers.com.
>
> Oops.
>
> If it was that easy, I would have done it years ago :-)
>
Did you actually try this on rhel5?
To avoid egg on my face I did, here's the result:

$ cat /etc/redhat-release
CentOS release 5 (Final)
# rpm --excludedocs -i perl-IO-1.2301-1.el5.rf.i386.rpm
# rpm -q perl perl-IO
perl-5.8.8-10.el5_0.2
perl-IO-1.2301-1.el5.rf
$ perl -MIO -e 'print $IO::VERSION;'
1.23
# rpm -e perl-IO
$ perl -MIO -e 'print $IO::VERSION;'
1.22

Seems to work okay to me.

-tgc

From MailScanner at ecs.soton.ac.uk Mon Feb 18 13:43:36 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 18 13:44:16 2008
Subject: MailScanner 4.66.5 woes on Centos 5.1
In-Reply-To: <47B9865B.2040400@statsbiblioteket.dk>
References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> <47B85DC4.5090106@vanderkooij.org> <47B86CF1.4010307@ecs.soton.ac.uk> <47B9865B.2040400@statsbiblioteket.dk>
Message-ID: <47B98B88.4020606@ecs.soton.ac.uk>

Tom G. Christensen wrote:
> Julian Field wrote:
>> Slight snag. This package was put together by someone who doesn't
>> actually understand what they are doing. They have got round the
>> clashing file problems by putting it into the "vendorperl" instead of
>> "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl".
>>
> Careful now. Dag is well aware of this issue and has stated many times
> that there is no good solution for RHEL < 5.

But how am I supposed to produce a set of RPMs that work for RHEL4 and RHEL5? I don't want to produce yet another different distribution.
> On rhel5 however this is nolonger an issue: > $ cat /etc/redhat-release > CentOS release 5 (Final) > $ perl -V > Summary of my perl5 (revision 5 version 8 subversion 8) configuration: > > Built under linux > Compiled at Nov 8 2007 06:49:16 > @INC: > /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.8 > /usr/lib/perl5/site_perl/5.8.7 > /usr/lib/perl5/site_perl/5.8.6 > /usr/lib/perl5/site_perl/5.8.5 > /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.8 > /usr/lib/perl5/vendor_perl/5.8.7 > /usr/lib/perl5/vendor_perl/5.8.6 > /usr/lib/perl5/vendor_perl/5.8.5 > /usr/lib/perl5/vendor_perl > /usr/lib/perl5/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/5.8.8 > . > > See? > It searches vendor_perl before the core paths. > >> So the nice new version you just installed isn't actually used at all. >> > True on RHEL/CentOS < 5. > >> To prove it to yourself... >> Try editing the code in the file (e.g. put a syntax error in it), and >> then run this command. It should fail as there is a syntax error in >> IO.pm which is where the perl-IO rpm is installed. >> perl -MIO -e 'print $IO::VERSION;' >> You'll find it still works perfectly, as it isn't using the version >> you just installed from dag.wieers.com. >> >> Oops. >> >> If it was that easy, I would have done it years ago :-) >> > Did you actually try this on rhel5? 
> > To avoid egg on my face I did, here's the result: > $ cat /etc/redhat-release > CentOS release 5 (Final) > # rpm --excludedocs -i perl-IO-1.2301-1.el5.rf.i386.rpm > # rpm -q perl perl-IO > perl-5.8.8-10.el5_0.2 > perl-IO-1.2301-1.el5.rf > $ perl -MIO -e 'print $IO::VERSION;' > 1.23 > # rpm -e perl-IO > $ perl -MIO -e 'print $IO::VERSION;' > 1.22 > > Seems to work okay to me. > > -tgc Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From tgc at statsbiblioteket.dk Mon Feb 18 14:33:05 2008 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Mon Feb 18 14:33:14 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B98B88.4020606@ecs.soton.ac.uk> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> <47B85DC4.5090106@vanderkooij.org> <47B86CF1.4010307@ecs.soton.ac.uk> <47B9865B.2040400@statsbiblioteket.dk> <47B98B88.4020606@ecs.soton.ac.uk> Message-ID: <47B99721.50106@statsbiblioteket.dk> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Tom G.
Christensen wrote: >> Julian Field wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> Hugo van der Kooij wrote: >>>> * PGP Signed by an unverified key: 02/17/08 at 16:16:02 >>>> >>>> That installs the required package with an acceptable kludge. It does >>>> satisfy my wish to avoid the --force option. >>> Slight snag. This package was put together by someone who doesn't >>> actually understand what they are doing. They have got round the >>> clashing file problems by putting it into the "vendorperl" instead of >>> "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl". >>> >> Careful now. Dag is well aware of this issue and has stated many times >> that there is no good solution for RHEL < 5. > But how am I supposed to produce a set of RPMs that work for RHEL4 and > RHEL5? I don't want to produce yet another different distribution. > I didn't imply you did. However you asserted in no uncertain terms that Dag was not aware of this problem when the RPMforge package was created and that the package was somehow wrong. To my knowledge he is acutely aware of this issue and he very deliberately puts things in vendor_perl because putting it anywhere else makes it impossible to install the package due to file conflicts. Upgrading core perl modules on RHEL < 5 is not possible via RPM because of the INC path issue, using --force to overwrite the files from the perl package to do it is just another (even worse) kludge (though not as bad as using CPAN). You also asserted that Hugo would have a problem due to this issue, I think I've shown that he will not as he is using CentOS 5.1. -tgc From ismail at ismailozatay.net Mon Feb 18 14:33:23 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Mon Feb 18 14:33:58 2008 Subject: About archive mail Message-ID: <47B99733.4070600@ismailozatay.net> Hello everyone ; Is it possible to archive someone's outgoing e-mails into different e-mail boxes?
For example ; From: user1@domain.com user1@backup1.local user1@backup2.local From: user2@domain.com user2@backup1.local user2@backup2.local Thanks ismail From hvdkooij at vanderkooij.org Mon Feb 18 17:19:09 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Feb 18 17:19:39 2008 Subject: MailScanner 4.66.5 woes on Centos 5.1 In-Reply-To: <47B86CF1.4010307@ecs.soton.ac.uk> References: <47B8077F.90004@vanderkooij.org> <47B80DD4.2050609@ecs.soton.ac.uk> <47B81196.8060104@vanderkooij.org> <47B81727.5020104@ecs.soton.ac.uk> <47B829CD.70400@vanderkooij.org> <47B845AA.8060803@ecs.soton.ac.uk> <625385e30802170725s51786e8dg1838c1fcbb0170f0@mail.gmail.com> <47B85DC4.5090106@vanderkooij.org> <47B86CF1.4010307@ecs.soton.ac.uk> Message-ID: <47B9BE0D.7070402@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: | | | Hugo van der Kooij wrote: |> * PGP Signed by an unverified key: 02/17/08 at 16:16:02 | |> shuttlebox wrote: |> | On Feb 17, 2008 3:33 PM, Julian Field |> wrote: |> |> One other possibility is to much with the installation setup of |> each of |> |> my required Perl modules, so that they are always installed in the |> |> "site" tree which should be out of the way of CPAN and RPM. Not |> sure how |> |> easy it is to do that though. Any thoughts? |> | |> | I've been dealing with this on Solaris and even though I packaged a IO |> | 1.2301 module it used the older one from within Perl itself, it only |> | searches the INC until it finds a match, it doesn't go through the |> | whole INC and uses the latest module if there are more than one match. |> | I had to use PERLLIB in a few places and didn't like it so I haven't |> | officially released a 4.66 Blastwave package. Instead I have asked the |> | maintainer of Perl to update the included IO which haven't happened |> | yet. :-( | |> In the case of the RPM version we need to find a way to add the files |> without hitting the one from the main perl package. 
The rpmforge package |> does not hit a conflict on any regular files. Just on the manual pages. | |> If these are properly markes as documentation we just might get away |> with it .... .... .. | |> Right. First try to install it with yum. That will fail but download the |> package anyway. Then install it without the documentation: | |> rpm -Uvh |> /var/cache/yum/rpmforge/packages/perl-IO-1.2301-1.el5.rf.i386.rpm |> --excludedocs | |> That installs the required package with an acceptable kludge. It does |> satisfy my wish to avoid the --force option. | Slight snag. This package was put together by someone who doesn't | actually understand what they are doing. They have got round the | clashing file problems by putting it into the "vendorperl" instead of | "perl" tree. But the "perl" tree is earlier in @INC than "vendorperl". | | So the nice new version you just installed isn't actually used at all. | | To prove it to yourself... | Try editing the code in the file (e.g. put a syntax error in it), and | then run this command. It should fail as there is a syntax error in | IO.pm which is where the perl-IO rpm is installed. | perl -MIO -e 'print $IO::VERSION;' | You'll find it still works perfectly, as it isn't using the version you | just installed from dag.wieers.com. Let me try this. ... $ perl -MIO -e 'print $IO::VERSION."\n";' 1.23 Isn't this what I should expect? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
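An added example (not code from any poster in this thread) for the question the thread turns on, namely which copy of IO.pm Perl actually loads: it walks @INC in search order, marks the file that `require` resolved, and warns when a newer copy sits later in the path and is therefore shadowed. The script, its version-reading heuristic and the Unix path layout are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not from the thread: list every copy of a module found on
# @INC, in search order, and mark the copy Perl actually loads.
# Usage: perl which_copy.pl [Module::Name]     (defaults to IO)
use strict;
use warnings;

my $module = @ARGV ? $ARGV[0] : 'IO';
die "usage: $0 Module::Name\n" unless $module =~ /^\w+(?:::\w+)*$/;

# IO -> IO.pm, IO::Socket -> IO/Socket.pm (the key Perl uses in %INC)
(my $relpath = "$module.pm") =~ s{::}{/}g;

# Heuristic (an assumption of this example): take the first
# "$VERSION = ..." assignment in the file as that copy's version.
sub file_version {
    my ($file) = @_;
    open my $fh, '<', $file or return;
    while (my $line = <$fh>) {
        last if $line =~ /^__(?:END|DATA)__/;
        next if $line =~ /^\s*#/;
        if ($line =~ /\$(?:\w+::)*VERSION\s*=\s*['"]?v?([\d._]+)/) {
            (my $v = $1) =~ tr/_//d;          # 1.23_01 -> 1.2301
            return $v;
        }
    }
    return;
}

# Collect candidates the same way Perl searches: directory by directory.
my (@copies, %seen);
for my $dir (@INC) {
    next if ref $dir;                         # @INC may hold code-ref hooks
    my $file = "$dir/$relpath";               # same string Perl builds on Unix
    next unless -f $file;
    next if $seen{$file}++;
    push @copies, { file => $file, version => file_version($file) };
}

# Let Perl resolve the module itself; %INC records the file it picked.
my $loaded = eval { require $relpath; 1 } ? $INC{$relpath} : undef;
my $load_error = $@;

print "Search order for $relpath (first match wins):\n";
my $loaded_ver;
for my $i (0 .. $#copies) {
    my $c    = $copies[$i];
    my $used = defined $loaded && $c->{file} eq $loaded;
    $loaded_ver = $c->{version} if $used;
    printf "  %s %d. %-8s %s\n", ($used ? '*' : ' '), $i + 1,
        (defined $c->{version} ? $c->{version} : '?'), $c->{file};
}
print defined $loaded ? "Loaded: $loaded\n"
                      : "Could not load $module: $load_error";

# A later copy with a higher version is installed but never used. Only plain
# decimal versions (1.22, 1.2301) are compared; anything else is skipped.
my $numeric  = qr/^\d+(?:\.\d+)?$/;
my @shadowed = grep {
       defined $loaded && $_->{file} ne $loaded
    && defined $loaded_ver    && $loaded_ver    =~ $numeric
    && defined $_->{version}  && $_->{version}  =~ $numeric
    && $_->{version} > $loaded_ver
} @copies;

print "WARNING: newer $module $_->{version} at $_->{file} is shadowed by the loaded copy\n"
    for @shadowed;
exit(@shadowed ? 1 : 0);
```

The non-zero exit status on a shadowed newer copy lets a packaging or deployment check fail when an upgrade lands in a tree that is searched after the one holding the old module.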
From hvdkooij at vanderkooij.org Mon Feb 18 17:30:48 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Feb 18 17:31:43 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: References: Message-ID: <47B9C0C8.2040104@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Andrew Chester wrote: | We have recently implemented MailScanner in a mail gateway of ours, and | since then about 4 random emails have come through as unreadable code. | The emails seem to HTML based, be it newsletters that have been | subscribed to or confirmation of flight details to a user, and seem to | be random. The code looks like the following (obviously different for | each mail): | | ]I.Jn*'?'w&]*Z+Z | ?4)4)4)4)4)4)??!?4)4)e??????? ?%?%??????4)?e???????????1?4)% ??????????????????4) | ?? ??? ???????M?4)????4)4)e????4)4)e?????????4)??????4)Q?????? | ?4)4) Sounds like a unicode message. In what language is it sent? (I guess you got plenty of options in South Africa in that regard.) Preferably we need to see the full message before and after MailScanner handles it. I guess before is out of the question but the message after might tell us a thing or two by inspecting all of the headers. Sometimes messages are sent in a broken format and that might interfere with the proper working of MailScanner or other programs. Hugo. PS: You are missing a phone number in your message. (I read the Afrikaans disclaimer ;-) - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images.
From mark at msapiro.net Mon Feb 18 17:39:03 2008 From: mark at msapiro.net (Mark Sapiro) Date: Mon Feb 18 17:39:17 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: References: Message-ID: <47B9C2B7.9060807@msapiro.net> Andrew Chester wrote: > > We have recently implemented MailScanner in a mail gateway of ours, and > since then about 4 random emails have come through as unreadable code. The > emails seem to HTML based, be it newsletters that have been subscribed to > or confirmation of flight details to a user, and seem to be random. The > code looks like the following (obviously different for each mail): > > ]I.Jn*'?'w&]*Z+Z > > Does anyone know what the problem for the above is and how to solve it? I am a MailScanner noob, but I know a lot about email. It looks like a character set issue of some kind, but beyond that, it is difficult to say. It would help me greatly to understand the problem if instead of posting what appears to be a copy/paste of some rendering of the message, you would post the full, raw message source. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From lukas at spritelink.net Mon Feb 18 23:06:06 2008 From: lukas at spritelink.net (Lukas Garberg) Date: Tue Feb 19 00:05:50 2008 Subject: 4.65.3-1 Segmentation fault at end of batch Message-ID: <47BA0F5E.6050409@spritelink.net> Hi list, I run a spam filter solution with three identical (cloned) servers running Linux 2.6.21.5 (Slackware 12.0) with MailScanner 4.65.3-1, postfix 2.4.6, SpamAssassin 3.2.4 & perl 5.8.8. Hardware is Pentium 4 2.6 GHz with 1 GB RAM. A 128 MB ramdisk is mounted on MailScanner's incoming directory.
I should maybe also note that all the three machines use the same SA bayes-database stored in SQL on a fourth machine. Now to the problem: _Two_ of the machines have a strange problem with MailScanner segfault:ing at the end of almost every batch; this is what a ps aux | grep MailS looks like: root@xxx:/opt# ps aux | grep MailS postfix 3462 0.0 1.9 23936 19896 ? Ss 00:22 0:00 MailScanner: starting child postfix 4467 3.8 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4475 4.2 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4484 4.4 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4490 4.9 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4493 5.6 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4503 6.5 0.0 0 0 ? Z 00:35 0:02 [MailScanner] postfix 4508 7.6 0.0 0 0 ? Z 00:36 0:02 [MailScanner] postfix 4512 9.2 0.0 0 0 ? Z 00:36 0:02 [MailScanner] postfix 4517 12.1 0.0 0 0 ? Z 00:36 0:02 [MailScanner] postfix 4527 16.4 0.0 0 0 ? Z 00:36 0:02 [MailScanner] postfix 4533 23.8 4.8 55764 49944 ? S 00:36 0:01 MailScanner: waiting for messages postfix 4539 60.6 4.7 54828 48940 ? S 00:36 0:01 MailScanner: starting child root 4543 0.0 0.0 2004 636 pts/0 R+ 00:36 0:00 grep MailS Note that one of the three machines runs perfectly! If I run MailScanner with Debug & Debug SpamAssassin set to yes this is the end of the output of /opt/MailScanner/bin/check_MailScanner: [4843] dbg: check: is spam? 
score=13.138 required=5 [4843] dbg: check: tests=BAYES_99,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC, STOX_REPLY_TYPE,TRACKER_ID,TVD_SPACE_RATIO [4843] dbg: check: subtests=__ANY_OUTLOOK_MUA,__CT,__CTE,__CTYPE_CHARSET_QUOTED, __CT_TEXT_PLAIN,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_RCVD_TUE,__FH_HAS_XMSMAIL, __FH_HAS_XPRIORITY,__HAS_ANY_URI,__HAS_MIMEOLE,__HAS_MSGID,__HAS_MSMAIL_PRI, __HAS_RCVD,__HAS_SUBJECT,__HAS_X_MAILER,__HDR_ORDER_FTSDMCXXXX,__HELO_NO_DOMAIN, __LAST_UNTRUSTED_RELAY_NO_AUTH,__MIMEOLE_MS,__MIME_VERSION,__MISSING_REF, __MSGID_DOLLARS_MAYBE,__MSGID_DOLLARS_OK,__MSGID_OK_HEX,__MSGID_RANDY, __NONEMPTY_BODY,__NO_INR_YES_REF,__OE_MSGID_2,__OE_MUA,__RATWARE_0_TZ_DATE, __RCVD_IN_SORBS,__RCVD_IN_ZEN,__RDNS_DYNAMIC_HCC,__RDNS_DYNAMIC_IPADDR, __RDNS_INDICATOR_TYPE,__SANE_MSGID,__TOCC_EXISTS,__XM_MSOE6,__XM_MS_IN_GENERAL, __XM_OUTLOOK_EXPRESS [4843] dbg: learn: auto-learn? ham=0.1, spam=12, body-points=10.716, head-points=10.716, learned-points=4 [4843] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam /opt/MailScanner/bin/check_mailscanner: line 131: 4822 Segmentation fault $process $config I've seen a few other posts to the list with similar problems, and most answers have been bayes-related. I, at least in my case, don't find a bayes error very probable since the MailScanner successfully scans & learns all messages but the last one (Max Unscanned Messages Per Scan = 10) and everything runs smoothly on one of the threes machines, with a common bayes DB. Any ideas on how to go further into solving this problem? 
Thank you in advance, Lukas Garberg From rohitb at netcore.co.in Tue Feb 19 05:50:46 2008 From: rohitb at netcore.co.in (Rohit B) Date: Tue Feb 19 06:00:52 2008 Subject: About archive mail In-Reply-To: <47B99733.4070600@ismailozatay.net> References: <47B99733.4070600@ismailozatay.net> Message-ID: <47BA6E36.4020502@netcore.co.in> Hi Ismail You don't need MS for that, it can be archived using the watchdog function in your MTA. We do that using postfix. Ismail OZATAY wrote: > Hello everyone ; > > Is it possible to archive someone's outgoing e-mails into different > e-mail boxes? For example ; > > From: user1@domain.com user1@backup1.local user1@backup2.local > From: user2@domain.com user2@backup1.local user2@backup2.local > > Thanks > > ismail -- Regards, Rohit Baisakhiya netCORE Solutions Pvt. Ltd. http://www.netcore.co.in PH : +91 22 6662 8174 FAX : +91 22 6662 8134 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4125 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080219/6e2f0256/smime.bin From ismail at ismailozatay.net Tue Feb 19 07:25:39 2008 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Tue Feb 19 07:26:38 2008 Subject: About archive mail In-Reply-To: <47BA6E36.4020502@netcore.co.in> References: <47B99733.4070600@ismailozatay.net> <47BA6E36.4020502@netcore.co.in> Message-ID: <47BA8473.6030506@ismailozatay.net> Hi Rohit ; Could you give an example , please? Thanks ismail > Hi Ismail > You don't need MS for that, it can be archived using the watchdog > function in your MTA. We do that using postfix. > > Ismail OZATAY wrote: >> Hello everyone ; >> >> Is it possible to archive someone's outgoing e-mails into different >> e-mail boxes?
For example ; >> >> From: user1@domain.com user1@backup1.local user1@backup2.local >> From: user2@domain.com user2@backup1.local user2@backup2.local >> >> Thanks >> >> ismail > From alxfrag at gmail.com Tue Feb 19 09:03:35 2008 From: alxfrag at gmail.com (AlxFrag) Date: Tue Feb 19 09:03:09 2008 Subject: Mailscanner warnings In-Reply-To: <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> Message-ID: <47BA9B67.20901@gmail.com> Glenn Steen wrote: > On 15/02/2008, Martin.Hepworth wrote: > >> Also >> >> The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61.. >> >> > Not to mention that no facility of MailScanner would ever run the > clamd _command_ ... Not whatsoever. > > What seems to have happened here is that someone has followed a > botched instruction on enabling clamdscan support by futzing the > clamav-* wrapper scripts. This of course hasn't worked, since clamd is > the server part, not the client. > This would explain the bogus log entries on both hosts. > > What Alex should do is to follow the spirit of the wiki article > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd > to get things going on the newer install (4.66.5 was it?), and upgrade > the other one to a version later than 4.62.something (just as you say > Martin), and do the same there. > Only other really viable option would be to run clamavmodule on the old one. > > Cheers > Good morning, I've followed your advice and these described in http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd. I've also modified the clamav-wrapper file to its original form. Now, no warnings are displayed. The problem is that clamscan is running that needs too much CPU. How can I switch to clamdscan? Thanks, Alex -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080219/bfb92aa3/attachment.html From ram at netcore.co.in Tue Feb 19 09:23:56 2008 From: ram at netcore.co.in (ram) Date: Tue Feb 19 09:24:08 2008 Subject: How do I use 3rd party clamav signatures for spam & phishing Message-ID: <1203413036.25764.30.camel@localhost.localdomain> I would like to use 3rd party signatures available with Clamav for spam and phishing. But I assume MailScanner would mark mails caught by these as Virus , rather than spam. What do you folks recommend on a) Using such signatures for clam for large traffic servers b) Using clamav module for SA c) How do I avoid getting spams marked as virus Thanks Ram From goetz.reinicke at filmakademie.de Tue Feb 19 15:24:17 2008 From: goetz.reinicke at filmakademie.de (Götz Reinicke) Date: Tue Feb 19 15:24:33 2008 Subject: Switch from f-secure to avira - No "found ..." message in the log In-Reply-To: <18038616.151202719908924.JavaMail.root@office.splatnix.net> References: <18038616.151202719908924.JavaMail.root@office.splatnix.net> Message-ID: <47BAF4A1.8010100@filmakademie.de> Hi, --[ UxBoD ]-- wrote: > What happens if you set Virus Scanners = auto ? and then send a message with EICAR in it ? may be worth stopping MS and once you have sent the message run MailScanner --debug and see what is thrown up. Setting "Virus Scanners = auto" ends in the log message: I have found antivir clamav f-secure scanners installed, and will use them all by default. Executing "MailScanner --debug" gives this message: error (program file of AntiVir has been modified): Strange - what's going on...? :-) - Any ideas? Regards Götz -- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke@filmakademie.de Filmakademie Baden-Württemberg GmbH Mathildenstr. 20 71638 Ludwigsburg www.filmakademie.de Registered at Amtsgericht Stuttgart, HRB 205016. Chairman of the Supervisory Board: Dr.
Christoph Palmer, MdL, former Minister. Managing Director: Prof. Thomas Schadt From ugob at lubik.ca Tue Feb 19 16:57:42 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Feb 19 16:58:13 2008 Subject: Mailscanner warnings In-Reply-To: <47BA9B67.20901@gmail.com> References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com> Message-ID: AlxFrag wrote: > Glenn Steen wrote: >> On 15/02/2008, Martin.Hepworth wrote: >> >>> Also >>> >>> The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61.. >>> >>> >> Not to mention that no facility of MailScanner would ever run the >> clamd _command_ ... Not whatsoever. >> >> What seems to have happened here is that someone has followed a >> botched instruction on enabling clamdscan support by futzing the >> clamav-* wrapper scripts. This of course hasn't worked, since clamd is >> the server part, not the client. >> This would explain the bogus log entries on both hosts. >> >> What Alex should do is to follow the spirit of the wiki article >> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd >> to get things going on the newer install (4.66.5 was it?), and upgrade >> the other one to a version later than 4.62.something (just as you say >> Martin), and do the same there. >> Only other really viable option would be to run clamavmodule on the old one. >> >> Cheers >> > Good morning, > > I've followed your advice and these described in > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd. > I've also modified the clamav-wrapper file to its original form. > > Now, no warnings are displayed. The problem is that clamscan is running > that needs too much CPU. > How can I switch to clamdscan?
- make sure you're running a version of MS that supports clamd - make appropriate changes in MailScanner.conf - restart MailScanner Ugo From rpoe at plattesheriff.org Tue Feb 19 18:48:22 2008 From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Feb 19 18:49:07 2008 Subject: Spam Messages Message-ID: <47BAD011.65ED.00A2.0@plattesheriff.org> I'm getting a lot of these recently .. ( I put in the Address Removed to avoid tripping filters).. Anyone have any rules for this? ---------------------------------------------------------------------------------------- SpamAssassin (not cached, score=4.952, required 5, BAYES_60 1.00, DCC_CHECK 2.17, RCVD_IN_PBL 0.91, RCVD_IN_SORBS_DUL 0.88) Hello! I am tired tonight. I am nice girl that would like to chat with you. Email me at <> only, because I am using my friend's email to write this. I will show you some of my private pictures From uxbod at splatnix.net Tue Feb 19 18:54:14 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Feb 19 18:54:39 2008 Subject: Spam Messages In-Reply-To: <47BAD011.65ED.00A2.0@plattesheriff.org> Message-ID: <28557253.1751203447254870.JavaMail.root@office.splatnix.net> Justin Mason posted his blog again earlier on the SA list. These should help http://taint.org/2007/08/15/004348a.html Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Rob Poe" wrote: > I'm getting a lot of these recently .. ( I put in the Address Removed > to avoid tripping filters).. > > Anyone have any rules for this? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From uxbod at splatnix.net Tue Feb 19 18:54:58 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Feb 19 18:55:20 2008 Subject: Spam Messages In-Reply-To: <47BAD011.65ED.00A2.0@plattesheriff.org> Message-ID: <23493887.1781203447298960.JavaMail.root@office.splatnix.net> Can you post an example so we can run it through our own MS installations? Pastebin or a URL to the actual message ideally. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Rob Poe" wrote: > I'm getting a lot of these recently .. ( I put in the Address Removed > to avoid tripping filters).. > > Anyone have any rules for this? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Andrew.Chester at ukuvuma.co.za Tue Feb 19 19:22:21 2008 From: Andrew.Chester at ukuvuma.co.za (Andrew Chester) Date: Tue Feb 19 19:30:18 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: <47B9C2B7.9060807@msapiro.net> Message-ID: Hi The message is sent in English, with HTML coding.
The headers (of one of the mails) look like this: "from apollo.ukuvuma.co.za ([196.46.186.99]) by domino.ukuvuma.co.za (Lotus Domino Release 7.0.2FP1) with ESMTP id 2008021918054545-356 ; Tue, 19 Feb 2008 18:05:45 +0200" "from inet01.xybanetx.co.za (unknown [196.46.184.239]) by apollo.ukuvuma.co.za (Postfix) with ESMTP id 1C4F55D26 for ; Tue, 19 Feb 2008 18:11:47 +0200 (SAST)" "from apollo.ukuvuma.co.za ([196.46.186.99]) by inet01.xybanetx.co.za (Lotus Domino Release 6.5.4FP2) with ESMTP id 2008021917413397-3560 ; Tue, 19 Feb 2008 17:41:33 +0200" "from smtp.sa.24.com (smtp.sa.24.com [196.28.152.23]) by apollo.ukuvuma.co.za (Postfix) with ESMTP id 59D655D0F for ; Tue, 19 Feb 2008 18:11:38 +0200 (SAST)" "from 24cpt-msg01.za.ds.naspers.com (Not Verified[196.28.152.25]) by smtp.sa.24.com with MailMarshal (v6,1,8,2172) id ; Tue, 19 Feb 2008 18:12:41 +0200" "from mail.kalahari.net ([196.14.118.77]) by 24cpt-msg01.za.ds.naspers.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:12:41 +0200" "from tfs91 ([196.14.118.91]) by mail.kalahari.net with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:13:04 +0200" As far as the raw message is concerned, it is exactly that which I sent previously - it's the entire message. Another message received today looks like this (entire email): ]I.Jn*'?'w&idjVjz?nRKf[1I??hZ)?tjdj?6W"&WB77v&B2cF2W76vR2&VV66VBf"f'W6W2@FvW&W26FVB'FRVWgVvFWvB0&V?WfVBF&R6V P.S. Thanks Hugo ;-) Mark Sapiro Sent by: mailscanner-bounces@lists.mailscanner.info 2008/02/18 07:36 PM Please respond to MailScanner discussion To MailScanner discussion cc Subject Re: HTML/Newsletters being received as unreadable code X-Ukuvuma Solutions-MailScanner-From: mailscanner-bounces@lists.mailscanner.info X-Spam-Status: No Andrew Chester wrote: > > We have recently implemented MailScanner in a mail gateway of ours, and > since then about 4 random emails have come through as unreadable code.
The > emails seem to HTML based, be it newsletters that have been subscribed to > or confirmation of flight details to a user, and seem to be random. The > code looks like the following (obviously different for each mail): > > ]I.Jn*'?'w&]*Z+Z > > Does anyone know what the problem for the above is and how to solve it? I am a MailScanner noob, but I know a lot about email. It looks like a character set issue of some kind, but beyond that, it is difficult to say. It would help me greatly to understand the problem if instead of posting what appears to be a copy/paste of some rendering of the message, you would post the full, raw message source. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by the Ukuvuma Apollo gateway and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080219/d2d35514/attachment.html

From mark at msapiro.net Tue Feb 19 20:00:13 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Tue Feb 19 20:00:27 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
Message-ID:

Andrew Chester wrote:
>
>The message is sent in English, with HTML coding
>The headers (of one of the mails) looks like this:
>
>"from apollo.ukuvuma.co.za ([196.46.186.99]) by
>domino.ukuvuma.co.za (Lotus Domino Release 7.0.2FP1) with ESMTP
>id 2008021918054545-356 ; Tue, 19 Feb 2008 18:05:45 +0200"
>
>"from inet01.xybanetx.co.za (unknown [196.46.184.239]) by
>apollo.ukuvuma.co.za (Postfix) with ESMTP id 1C4F55D26 for
>; Tue, 19 Feb 2008 18:11:47 +0200 (SAST)"
>
>"from apollo.ukuvuma.co.za ([196.46.186.99]) by
>inet01.xybanetx.co.za (Lotus Domino Release 6.5.4FP2) with ESMTP
>id 2008021917413397-3560 ; Tue, 19 Feb 2008 17:41:33 +0200"
>
>
>"from smtp.sa.24.com (smtp.sa.24.com [196.28.152.23]) by
>apollo.ukuvuma.co.za (Postfix) with ESMTP id 59D655D0F for
>; Tue, 19 Feb 2008 18:11:38 +0200 (SAST)"
>
>
>"from 24cpt-msg01.za.ds.naspers.com (Not Verified[196.28.152.25]) by
>smtp.sa.24.com with MailMarshal (v6,1,8,2172) id ; Tue, 19
>Feb 2008 18:12:41 +0200"
>
>
>"from mail.kalahari.net ([196.14.118.77]) by 24cpt-msg01.za.ds.naspers.com
>with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:12:41 +0200"
>
>
>"from tfs91 ([196.14.118.91]) by mail.kalahari.net with Microsoft
>SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:13:04 +0200"
>
>As far as the raw message is concerned, it is exactly that which I sent
>previously - it's the entire message. Another message received today looks
>like this (entire email):

You misunderstand what I am asking for. I have attached the file
Raw_email.txt to this post. That file contains the raw message to
which I am replying (the list post from you). This is the equivalent
of what I would like to see from one of your garbled messages.
You appear to be using Lotus Notes as your mailer. If I could, I would
tell you how to get what I want to see, but I have no idea how to do
this with Lotus Notes.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
-------------- next part --------------
Return-Path:
X-Original-To: mark@msapiro.net
Delivered-To: msapiro_mark@sbh16.songbird.com
Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by sbh16.songbird.com (Postfix) with ESMTP id A099C6905EA
	for ; Tue, 19 Feb 2008 11:34:59 -0800 (PST)
Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1])
	by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m1JJUIXZ012806;
	Tue, 19 Feb 2008 19:30:32 GMT
X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw Exp $
Received: from domino.ukuvuma.co.za (domino.ukuvuma.co.za [196.46.184.173])
	by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m1JJU8Zn012791
	for ; Tue, 19 Feb 2008 19:30:16 GMT
In-Reply-To: <47B9C2B7.9060807@msapiro.net>
To: MailScanner discussion
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.2 September 26, 2006
Message-ID:
Date: Tue, 19 Feb 2008 21:22:21 +0200
From: "Andrew Chester"
X-MIMETrack: Serialize by Router on USMR01/Server/Ukuvuma(Release 7.0.2FP1|January 10, 2007) at
	02/19/2008 21:23:03, Serialize complete at 02/19/2008 21:23:03
Subject: Re: HTML/Newsletters being received as unreadable code
X-BeenThere: mailscanner@lists.mailscanner.info
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: MailScanner discussion
List-Id: MailScanner discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Content-Type: multipart/mixed; boundary="===============0149753535=="
Sender: mailscanner-bounces@lists.mailscanner.info
Errors-To: mailscanner-bounces@lists.mailscanner.info
X-MailScanner-ID: A099C6905EA.C069A
X-GPC-MailScanner: Found to be clean
X-GPC-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=-3.599, required 5, autolearn=not spam, BAYES_00 -2.60,
	HTML_MESSAGE 0.00, RCVD_IN_DNSWL_LOW -1.00, SPF_PASS -0.00)
X-GPC-MailScanner-From: mailscanner-bounces@lists.mailscanner.info
X-Spam-Status: No

This is a multipart message in MIME format.
--=_alternative 006B1BAD422573F4_=
Content-Type: text/plain; charset="ISO-8859-2"
Content-Transfer-Encoding: quoted-printable

Hi

The message is sent in English, with HTML coding.=20
The headers (of one of the mails) looks like this:

"from apollo.ukuvuma.co.za ([196.46.186.99]) by=20
domino.ukuvuma.co.za (Lotus Domino Release 7.0.2FP1) with ESMTP=20
id 2008021918054545-356 ; Tue, 19 Feb 2008 18:05:45 +0200"

"from inet01.xybanetx.co.za (unknown [196.46.184.239]) by=20
apollo.ukuvuma.co.za (Postfix) with ESMTP id 1C4F55D26 for=20
; Tue, 19 Feb 2008 18:11:47 +0200 (SAST)"

"from apollo.ukuvuma.co.za ([196.46.186.99]) by=20
inet01.xybanetx.co.za (Lotus Domino Release 6.5.4FP2) with ESMTP=20
id 2008021917413397-3560 ; Tue, 19 Feb 2008 17:41:33 +0200"

"from smtp.sa.24.com (smtp.sa.24.com [196.28.152.23]) by=20
apollo.ukuvuma.co.za (Postfix) with ESMTP id 59D655D0F for=20
; Tue, 19 Feb 2008 18:11:38 +0200 (SAST)"

"from 24cpt-msg01.za.ds.naspers.com (Not Verified[196.28.152.25]) by=20
smtp.sa.24.com with MailMarshal (v6,1,8,2172) id ; Tue, 19=20
Feb 2008 18:12:41 +0200"

"from mail.kalahari.net ([196.14.118.77]) by 24cpt-msg01.za.ds.naspers.com =
with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:12:41 +0200"

"from tfs91 ([196.14.118.91]) by mail.kalahari.net with Microsoft=20
SMTPSVC(6.0.3790.3959); Tue, 19 Feb 2008 18:13:04 +0200"

As far as the raw message is concerned, it is exactly that which I sent=20
previously - its the entire message. Another message received today looks=20
like this (entire email):=20

]I.Jn*'?'=1Aw=16&idjVjz?n=17RKf[1I?=D9h=1AZ)?tjdj?6W"=04=16=16=17&WB=07=06=
=1777v&B=062=03=03=03c=03F2=06W76=16vR=06=172=06&VV=0766=16VB=06f"=07f'W6W2=
=06=16@F=16vW&W2=066FVB=06'=07FR=05VWgV=12=04=17=06=06v=17FWv=17=06=16B=060=
&V?WfVB=07F=06&R=066V=16

P.S.
Dankie Hugo ;-)

Mark Sapiro
=20
Sent by: mailscanner-bounces@lists.mailscanner.info
2008/02/18 07:36 PM
Please respond to
MailScanner discussion

To
MailScanner discussion
cc
Subject
Re: HTML/Newsletters being received as unreadable code

X-Ukuvuma Solutions-MailScanner-From:=20
mailscanner-bounces@lists.mailscanner.info
X-Spam-Status: No

Andrew Chester wrote:
>=20
> We have recently implemented MailScanner in a mail gateway of ours, and=20
> since then about 4 random emails have come through as unreadable code.=20
The=20
> emails seem to HTML based, be it newsletters that have been subscribed=20
to=20
> or confirmation of flight details to a user, and seem to be random. The=20
> code looks like the following (obviously different for each mail):
>=20
> ]I.Jn*'?'=1Aw=16&]*Z+Z
>=20
> Does anyone know what the problem for the above is and how to solve it?

I am a MailScanner noob, but I know a lot about email. It looks like a=20
character set issue of some kind, but beyond that, it is difficult to=20
say. It would help me greatly to understand the problem if instead of=20
posting what appears to be a copy/paste of some rendering of the=20
message, you would post the full, raw message source.

--=20
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

--=20
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!=20

--=20
This message has been scanned for viruses and
dangerous content by the Ukuvuma Apollo gateway and is
believed to be clean.

--=_alternative 006B1BAD422573F4_=
Content-Type: text/html; charset="ISO-8859-2"
Content-Transfer-Encoding: quoted-printable
--=_alternative 006B1BAD422573F4_=--

--===============0149753535==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--===============0149753535==--

From ssilva at sgvwater.com Tue Feb 19 20:19:03 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Feb 19 20:19:29 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
References:
Message-ID:

>
>
> You misunderstand what I am asking for. I have attached the file
> Raw_email.txt to this post. That file contains the raw message to
> which I am replying (the list post from you). This is the equivalent
> of what I would like to see from one of your garbled messages.
>
> You appear to be using Lotus Notes as your mailer. If I could, I would
> tell you how to get what I want to see, but I have no idea how to do
> this with Lotus Notes.
>
>
I think it is something like "View message source" or "View E-mail
Message Source". Then you can copy and paste that into a new message.
It has been a long time since I used Notes. Probably before IBM bought it.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080219/21da666c/signature.bin

From lhaig at haigmail.com Tue Feb 19 20:39:57 2008
From: lhaig at haigmail.com (Lance Haig)
Date: Tue Feb 19 20:40:07 2008
Subject: Debian removal and install
Message-ID: <47BB3E9D.50406@haigmail.com>

Hi,

I have tried unsuccessfully to install MailScanner on a Debian vps I have.
I first tried to use the package but that was a very old version of MS.
I then deleted all the files and tried to install the tar version but I
have borked that up completely.

Is there a Debian person who has documented this process?

I have my postfix server running and it relays the mail just fine.

Thanks

Lance

From cooper at hmcnetworks.com Tue Feb 19 20:46:23 2008
From: cooper at hmcnetworks.com (Al Cooper)
Date: Tue Feb 19 20:49:08 2008
Subject: White List Not Working
Message-ID: <03c401c87338$7dacd260$79067720$@com>

MailScanner version: 4.66.5
Spamassassin version: 3.2.3

Output from spamassassin --lint:

[22373] warn: config: failed to parse line, skipping, in
"/etc/mail/spamassassin/mailscanner.cf":
/etc/MailScanner/rules/spam.whitelist.rules

I have checked the config in both Mailscanner.conf and
spam.assassin.prefs.conf and the whitelist is pointing to
/etc/MailScanner/rules/spam.whitelist.rules.

Any idea why whitelisting is not working?

Thanks,

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From mikea at mikea.ath.cx Tue Feb 19 20:54:29 2008
From: mikea at mikea.ath.cx (mikea)
Date: Tue Feb 19 20:54:40 2008
Subject: White List Not Working
In-Reply-To: <03c401c87338$7dacd260$79067720$@com>
References: <03c401c87338$7dacd260$79067720$@com>
Message-ID: <20080219205428.GB83159@mikea.ath.cx>

On Tue, Feb 19, 2008 at 01:46:23PM -0700, Al Cooper wrote:
> MailScanner version: 4.66.5
> Spamassassin version: 3.2.3
>
>
> Output from spamassassin --lint:
>
>
> [22373] warn: config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
>
>
> I have checked the config in both Mailscanner.conf and
> spam.assassin.prefs.conf and the whitelist is pointing to
> /etc/MailScanner/rules/spam.whitelist.rules.
>
> Any idea why whitelisting is not working?
>
> Thanks,

It would be _most_ helpful to have the line in question available for
examination, together with indications as to whether whitespace in the
line is space(s) or tab(s).

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From cooper at hmcnetworks.com Tue Feb 19 21:07:17 2008
From: cooper at hmcnetworks.com (Al Cooper)
Date: Tue Feb 19 21:10:03 2008
Subject: White List Not Working
In-Reply-To: <20080219205428.GB83159@mikea.ath.cx>
References: <03c401c87338$7dacd260$79067720$@com> <20080219205428.GB83159@mikea.ath.cx>
Message-ID: <03cb01c8733b$694b5af0$3be210d0$@com>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mikea
Sent: Tuesday, February 19, 2008 1:54 PM
To: MailScanner discussion
Subject: Re: White List Not Working

On Tue, Feb 19, 2008 at 01:46:23PM -0700, Al Cooper wrote:
> MailScanner version: 4.66.5
> Spamassassin version: 3.2.3
>
>
> Output from spamassassin --lint:
>
>
> [22373] warn: config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
>
>
> I have checked the config in both Mailscanner.conf and
> spam.assassin.prefs.conf and the whitelist is pointing to
> /etc/MailScanner/rules/spam.whitelist.rules.
>
> Any idea why whitelisting is not working?
>
> Thanks,

It would be _most_ helpful to have the line in question available for
examination, together with indications as to whether whitespace in the
line is space(s) or tab(s).

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!


Hi All,

I am assuming that the "line in question" is my spam.whitelist.rules file.
I set that file back to its default setting in attempt to clear up the
error.
The spam.whitelist.rules file is below:


# If you are basing a blacklist on this then you can refer to
# a null (empty) sender address with "/^$/" as the address to match.
#
# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From: 152.78. yes
#From: 130.246. yes
FromOrTo: default no

Thanks,

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From shuttlebox at gmail.com Tue Feb 19 21:17:34 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Feb 19 21:17:46 2008
Subject: White List Not Working
In-Reply-To: <03cb01c8733b$694b5af0$3be210d0$@com>
References: <03c401c87338$7dacd260$79067720$@com> <20080219205428.GB83159@mikea.ath.cx> <03cb01c8733b$694b5af0$3be210d0$@com>
Message-ID: <625385e30802191317h319347c3v3b9bb4b5c6ee5add@mail.gmail.com>

On Feb 19, 2008 10:07 PM, Al Cooper wrote:
> I am assuming that the "line in question" is my spam.whitelist.rules file.
> I set that file back to its default setting in attempt to clear up the
> error.
>
> The spam.whitelist.rules file is below:
>
>
> # If you are basing a blacklist on this then you can refer to
> # a null (empty) sender address with "/^$/" as the address to match.
> #
> # This is where you can build a Spam WhiteList
> # Addresses matching in here, with the value
> # "yes" will never be marked as spam.
> #From: 152.78. yes
> #From: 130.246. yes
> FromOrTo: default no

Am I correct in assuming you have linked mailscanner.cf to the above file?
You can't do that, the rules files are for MailScanner, not
SpamAssassin. Remove that link to start with and it should work.

--
/peter

From jaearick at colby.edu Tue Feb 19 21:30:08 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Tue Feb 19 21:30:42 2008
Subject: Spam Messages
In-Reply-To: <47BAD011.65ED.00A2.0@plattesheriff.org>
References: <47BAD011.65ED.00A2.0@plattesheriff.org>
Message-ID:

Hi,

I put these in my spam.assassin.prefs.conf file, at the bottom:

#---added to kill chat spam, 2/15/2008
body CHAT3 /Hello! I am/
describe CHAT3 chat spam3
score CHAT3 5.0
body CHAT4 /Please rate me/
describe CHAT4 chat spam4
score CHAT4 5.0
body CHAT5 /I am nice girl/
describe CHAT5 chat spam5
score CHAT5 5.0
body CHAT6 /I have found you/
describe CHAT6 chat spam6
score CHAT6 5.0

Most are killed by CHAT3 + CHAT5 quite nicely.

Jeff Earickson
Colby College

On Tue, 19 Feb 2008, Rob Poe wrote:

> Date: Tue, 19 Feb 2008 12:48:22 -0600
> From: Rob Poe
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Spam Messages
>
> I'm getting a lot of these recently .. ( I put in the Address Removed to avoid tripping filters)..
>
> Anyone have any rules for this?
>
> ----------------------------------------------------------------------------------------
>
> SpamAssassin (not cached, score=4.952, required 5, BAYES_60 1.00,
> DCC_CHECK 2.17, RCVD_IN_PBL 0.91, RCVD_IN_SORBS_DUL 0.88)
>
> Hello! I am tired tonight. I am nice girl that would like to chat with you.
> Email me at <> only, because I am using my friend's
> email to write this. I will show you some of my private pictures
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From Denis.Beauchemin at usherbrooke.ca Tue Feb 19 21:37:03 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue Feb 19 21:38:01 2008
Subject: White List Not Working
In-Reply-To: <03c401c87338$7dacd260$79067720$@com>
References: <03c401c87338$7dacd260$79067720$@com>
Message-ID: <47BB4BFF.3050509@USherbrooke.ca>

Al Cooper wrote:
> MailScanner version: 4.66.5
> Spamassassin version: 3.2.3
>
>
> Output from spamassassin --lint:
>
>
> [22373] warn: config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
>
>
> I have checked the config in both Mailscanner.conf and
> spam.assassin.prefs.conf and the whitelist is pointing to
> /etc/MailScanner/rules/spam.whitelist.rules.
>
> Any idea why whitelisting is not working?
>
> Thanks,
>
>
>
>
Al,

You shouldn't use MailScanner's whitelist in spam.assassin.prefs.conf.
That's what's causing your warning.

Denis

--
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From cooper at hmcnetworks.com Tue Feb 19 21:44:38 2008
From: cooper at hmcnetworks.com (Al Cooper)
Date: Tue Feb 19 21:47:23 2008
Subject: White List Not Working
In-Reply-To: <47BB4BFF.3050509@USherbrooke.ca>
References: <03c401c87338$7dacd260$79067720$@com> <47BB4BFF.3050509@USherbrooke.ca>
Message-ID: <000a01c87340$a0e2abd0$e2a80370$@com>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis
Beauchemin
Sent: Tuesday, February 19, 2008 2:37 PM
To: MailScanner discussion
Subject: Re: White List Not Working

Al Cooper wrote:
> MailScanner version: 4.66.5
> Spamassassin version: 3.2.3
>
>
> Output from spamassassin --lint:
>
>
> [22373] warn: config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/mailscanner.cf":
> /etc/MailScanner/rules/spam.whitelist.rules
>
>
> I have checked the config in both Mailscanner.conf and
> spam.assassin.prefs.conf and the whitelist is pointing to
> /etc/MailScanner/rules/spam.whitelist.rules.
>
> Any idea why whitelisting is not working?
>
> Thanks,
>
>
>
>
Al,

You shouldn't use MailScanner's whitelist in spam.assassin.prefs.conf.
That's what's causing your warning.

Denis

--
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!


Thanks Denis,

That solved the problem.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
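The split the replies above describe, as an added example (not MailScanner's code and not any poster's): a simplified Python model of how a MailScanner ruleset such as spam.whitelist.rules is read, plus a check that flags ruleset lines or bare `.rules` paths sitting in a SpamAssassin preferences file. Assumptions: the first matching line wins and only `default`, IP-prefix, `/regex/` and glob address patterns are handled; the function names and both sample texts are constructed for illustration.

```python
import fnmatch
import re

DIRECTIONS = ("from", "to", "fromorto", "fromandto")
RULESET_LINE = re.compile(r"^(from|to|fromorto|fromandto):\s", re.IGNORECASE)

# Constructed sample: the default whitelist from the thread with one
# "From:" entry uncommented.
WHITELIST = """\
# This is where you can build a Spam WhiteList
From: 152.78. yes
#From: 130.246. yes
FromOrTo: default no
"""

# Constructed sample: a SpamAssassin rule like those posted in the thread,
# followed by a stray path like the one the lint warning quotes.
PREFS = """\
#---added to kill chat spam
body CHAT5 /I am nice girl/
describe CHAT5 chat spam5
score CHAT5 5.0
/etc/MailScanner/rules/spam.whitelist.rules
"""


def parse_ruleset(text):
    """Return [(direction, pattern, value)] from MailScanner ruleset text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        fields = line.split(None, 2)
        direction = fields[0].rstrip(":").lower()
        if len(fields) != 3 or direction not in DIRECTIONS:
            raise ValueError("not a ruleset line: %r" % raw)
        rules.append((direction, fields[1], fields[2].strip()))
    return rules


def _hit(pattern, address, client_ip=None):
    """Simplified pattern match (assumption: subset of the real syntax)."""
    if pattern == "default":
        return True
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], address) is not None
    if re.fullmatch(r"[0-9.]+", pattern):         # IP address or IP prefix
        if client_ip is None:
            return False
        if pattern.endswith("."):
            return client_ip.startswith(pattern)
        return client_ip == pattern
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())


def lookup(rules, sender, recipient, client_ip):
    """Return the value of the first rule that matches, or None."""
    for direction, pattern, value in rules:
        from_hit = _hit(pattern, sender, client_ip)
        to_hit = _hit(pattern, recipient)
        matched = {
            "from": from_hit,
            "to": to_hit,
            "fromorto": from_hit or to_hit,
            "fromandto": from_hit and to_hit,
        }[direction]
        if matched:
            return value
    return None


def misplaced_in_spamassassin(cf_text):
    """List (line number, line) entries that belong in a MailScanner
    ruleset, or are a bare path to one, inside SpamAssassin config text."""
    findings = []
    for number, raw in enumerate(cf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if RULESET_LINE.match(line) or re.fullmatch(r"\S*\.rules", line):
            findings.append((number, line))
    return findings


if __name__ == "__main__":
    rules = parse_ruleset(WHITELIST)
    print(lookup(rules, "a@example.org", "b@example.net", "152.78.4.9"))
    print(lookup(rules, "a@example.org", "b@example.net", "192.0.2.10"))
    print(misplaced_in_spamassassin(PREFS))
```

Running the same check over a real preferences file before `spamassassin --lint` points at the offending line number directly.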
From raymond at prolocation.net Tue Feb 19 22:25:55 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Tue Feb 19 22:26:12 2008
Subject: Spam Messages
In-Reply-To:
References: <47BAD011.65ED.00A2.0@plattesheriff.org>
Message-ID:

Hi!

> I put these in my spam.assassin.prefs.conf file, at the bottom:
>
> #---added to kill chat spam, 2/15/2008
> body CHAT3 /Hello! I am/
> describe CHAT3 chat spam3
> score CHAT3 5.0
> body CHAT4 /Please rate me/
> describe CHAT4 chat spam4
> score CHAT4 5.0
> body CHAT5 /I am nice girl/
> describe CHAT5 chat spam5
> score CHAT5 5.0
> body CHAT6 /I have found you/
> describe CHAT6 chat spam6
> score CHAT6 5.0
>
> Most are killed by CHAT3 + CHAT5 quite nicely.

So is a lot of regular mail. Pffff.... Be careful adding oneliners like this
and scoring it 5.

Bye,
Raymond.

From mi6 at orcon.net.nz Wed Feb 20 02:16:54 2008
From: mi6 at orcon.net.nz (Charlie)
Date: Wed Feb 20 02:17:01 2008
Subject: mailscanner restarts
Message-ID: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>

Hi,

I was just wondering if there is a setting I can change so that Mailscanner
only restarts every 24 hours? It is taking too long to start up and
everyone's emails are queuing up for too long as a result.

Also, Mailscanner is taking at least 8-10 minutes to start up on my box. It
is a Pentium 4, 2.4GHz, with 1GB RAM. Is this an abnormally long time?

Thanks!
Charlie

From raymond at prolocation.net Wed Feb 20 02:24:19 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Wed Feb 20 02:24:38 2008
Subject: mailscanner restarts
In-Reply-To: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>
References: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>
Message-ID:

Hi!

> I was just wondering if there is a setting I can change so that Mailscanner
> only restarts every 24 hours? It is taking too long to start up and
> everyone's emails are queuing up for too long as a result.
>
> Also, Mailscanner is taking at least 8-10 minutes to start up on my box. It
> is a Pentium 4, 2.4GHz, with 1GB RAM. Is this an abnormally long time?

You most likely run an outdated ClamAV. Reload times should be really short.

Bye,
Raymond.

From r.berber at computer.org Wed Feb 20 02:42:23 2008
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Wed Feb 20 02:42:37 2008
Subject: mailscanner restarts
In-Reply-To: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>
References: <01f901c87366$aa7c9950$0200a8c0@CharlieCompaq>
Message-ID:

Charlie wrote:

> I was just wondering if there is a setting I can change so that
> Mailscanner only restarts every 24 hours? It is taking too long to start
> up and everyone's emails are queuing up for too long as a result.

# To avoid resource leaks, re-start periodically. Forces a re-read of all
# the configuration files too, so new updates to the bad phishing sites list
# are read frequently.
Restart Every = 14400

You want to increase that one to 86400.

> Also, Mailscanner is taking at least 8-10 minutes to start up on my box.
> It is a Pentium 4, 2.4GHz, with 1GB RAM. Is this an abnormally long time?

Yes, that's too long.
--
René Berber

From Andrew.Chester at ukuvuma.co.za Wed Feb 20 10:29:07 2008
From: Andrew.Chester at ukuvuma.co.za (Andrew Chester)
Date: Wed Feb 20 10:36:27 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/octet-stream
Size: 258 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080220/3a7393cc/signature-0001.obj

From prandal at herefordshire.gov.uk Wed Feb 20 10:55:49 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Feb 20 10:56:15 2008
Subject: Spam Messages
In-Reply-To: <47BAD011.65ED.00A2.0@plattesheriff.org>
References: <47BAD011.65ED.00A2.0@plattesheriff.org>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0303D6D0@HC-MBX02.herefordshire.gov.uk>

body HC_GIRL /\bnice girl that would like to chat.{1,16}Email me at .{1,32}\.info.{1,120}\bpic(ture)?s\b/
describe HC_GIRL Girl with pics scam
score HC_GIRL 5

body HC_GIRL2 /I am writing from my friend's email/
describe HC_GIRL2 Girl with pics scam
score HC_GIRL2 5

Mind the linewraps in the above.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Rob Poe
> Sent: 19 February 2008 18:48
> To: MailScanner discussion
> Subject: Spam Messages
>
> I'm getting a lot of these recently .. ( I put in the
> Address Removed to avoid tripping filters)..
>
> Anyone have any rules for this?
>
> --------------------------------------------------------------
> --------------------------
>
> SpamAssassin (not cached, score=4.952, required 5, BAYES_60 1.00,
> DCC_CHECK 2.17, RCVD_IN_PBL 0.91, RCVD_IN_SORBS_DUL 0.88)
>
> Hello! I am tired tonight. I am nice girl that would like to
> chat with you.
> Email me at <> only, because I am using my friend's
> email to write this. I will show you some of my private pictures
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From jaearick at colby.edu Wed Feb 20 11:34:16 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed Feb 20 11:34:34 2008
Subject: Spam Messages
In-Reply-To:
References: <47BAD011.65ED.00A2.0@plattesheriff.org>
Message-ID:

On Tue, 19 Feb 2008, Raymond Dijkxhoorn wrote:

>> I put these in my spam.assassin.prefs.conf file, at the bottom:
>>
>> #---added to kill chat spam, 2/15/2008
>> body CHAT3 /Hello! I am/
>> describe CHAT3 chat spam3
>> score CHAT3 5.0
>> body CHAT4 /Please rate me/
>> describe CHAT4 chat spam4
>> score CHAT4 5.0
>> body CHAT5 /I am nice girl/
>> describe CHAT5 chat spam5
>> score CHAT5 5.0
>> body CHAT6 /I have found you/
>> describe CHAT6 chat spam6
>> score CHAT6 5.0
>>
>> Most are killed by CHAT3 + CHAT5 quite nicely.
>
> So is a lot of regular mail. Pffff.... Be careful adding oneliners like this
> and scoring it 5.

Not true. My spam threshold is 6, discard is 10. I've had zero
false positives. All but one message that have been flagged by
these rules were CHAT3+CHAT5, score > 10 (avg about 13)... discarded.
The remaining one message triggered CHAT4, plus a bunch of regular
SA stuff to get a 13.76.

My one reservation was doing body SA rules, extra CPU cycles. But
I had a lot of people complaining about the "I am tired/bored/lonely"
spams and these rules silenced the complaints.

Jeff Earickson
Colby College

From steve.freegard at fsl.com Wed Feb 20 12:01:11 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Feb 20 12:01:49 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
References:
Message-ID: <47BC1687.8060203@fsl.com>

Andrew Chester wrote:
> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
          ^^^

There's your problem - you have spaces in your %org-name% setting in
MailScanner.conf.

Fix that and restart and it should work correctly.

Cheers,
Steve.
--
Steve Freegard
Fort Systems Ltd.

From sbanderson at impromed.com Wed Feb 20 14:17:25 2008
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Wed Feb 20 14:18:12 2008
Subject: OT Spam Assassin Prefs question
Message-ID:

My users have been seeing a large amount of Russian charset email spam.
How would I set a SA rule to include all Cyrillic (sp) emails or would
this be better set at the MTA (sendmail in my case)?

Scott Anderson
sbanderson@impromed.com
IT Administrator
ImproMed, Inc.

From glenn.steen at gmail.com Wed Feb 20 15:34:31 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Feb 20 15:34:42 2008
Subject: Mailscanner warnings
In-Reply-To:
References: <47B579E6.8090602@gmail.com> <223f97700802150415x69c94c3an156b333901a1895@mail.gmail.com> <47BA9B67.20901@gmail.com>
Message-ID: <223f97700802200734n29031a3eg763c55dbddc1c09d@mail.gmail.com>

On 19/02/2008, Ugo Bellavance wrote:
> AlxFrag wrote:
> > Glenn Steen wrote:
> >> On 15/02/2008, Martin.Hepworth wrote:
> >>
> >>> Also
> >>>
> >>> The clamd facility is only really stable at 4.62 or later and didn't exist before 4.61..
> >>>
> >>>
> >> Not to mention that no facility of MailScanner would ever run the
> >> clamd _command_ ... Not whatsoever.
> >>
> >> What seems to have happened here is that someone has followed a
> >> botched instruction on enabling clamdscan support by futzing the
> >> clamav-* wrapper scripts. This of course hasn't worked, since clamd is
> >> the server part, not the client.
> >> This would explain the bogus log entries on both hosts.
> >>
> >> What Alex should do is to follow the spirit of the wiki article
> >> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
> >> to get things going on the newer install (4.66.5 was it?), and upgrade
> >> the other one to a version later than 4.62.something (just as you say
> >> Martin), and do the same there.
> >> Only other really viable option would be to run clamavmodule on the old one.
> >>
> >> Cheers
> >>
> > Good morning,
> >
> > I've followed your advice and these described in
> > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd.
> > I've also modified the clamav-wrapper file to its original form.
> >
> > Now, no warnings are displayed. The problem is that clamscan is running
> > that needs too much CPU.
> > How can I switch to clamdscan?
>
> - make sure you're running a version of MS that supports clamd
> - make appropriate changes in MailScanner.conf
> - restart MailScanner
>
> Ugo
>
If the version is too old for clamd (4.62.something...?), then use clamavmodule.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mark at msapiro.net Wed Feb 20 15:45:55 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Feb 20 15:46:15 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC1687.8060203@fsl.com>
Message-ID:

Steve Freegard wrote:

>Andrew Chester wrote:
>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>           ^^^
>
>There's your problem - you have spaces in your %org-name% setting in
>MailScanner.conf.

While the space in %org-name% is wrong, it does not seem to be the
cause of the problem.
Here's what I see in the last few headers and body:

---------------------------------------------------------------
content-transfer-encoding: base64
content-type: text/plain; charset=utf-8

X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
X-Spam-Status: No

X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
X-Spam-Status: No

WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz
IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu
Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg
YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK
-----------------------------------------------------------------

The two sets of MailScanner headers are curious, but it looks from the
Received: headers that the message passed twice through
apollo.ukuvuma.co.za so it was probably scanned twice.

The real problem is the empty lines preceding each set of MailScanner
headers. This causes the MailScanner headers to be part of the body
which totally destroys the base64 encoding and results in the garbled
message.

I suspect that all base64 encoded messages get garbled this way and
non-base64 encoded messages show the MailScanner headers in the body.

Perhaps someone with more MailScanner experience has a clue as to why
the MailScanner headers are preceded by an empty line.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From shuttlebox at gmail.com Wed Feb 20 15:58:20 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Feb 20 15:58:34 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
References: <47BC1687.8060203@fsl.com>
Message-ID: <625385e30802200758h4b791069r209f8ee1008e6d@mail.gmail.com>

On Wed, Feb 20, 2008 at 4:45 PM, Mark Sapiro wrote:
> Steve Freegard wrote:
>
> >Andrew Chester wrote:
> >> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
> > ^^^
> >
> >There's your problem - you have spaces in your %org-name% setting in
> >MailScanner.conf.
>
> While the space in %org-name% is wrong, it does not seem to be the
> cause of the problem.

Why don't you fix it first and then post new output? That error has been known to cause all kinds of problems in the past and in your version of MailScanner a check for wrong org-names was introduced to the --lint check which I guess you never ran as you also missed:

# **** RULE: It must not contain any spaces! ****

...right above the conf line in question. :-)

--
/peter

From MailScanner at ecs.soton.ac.uk Wed Feb 20 16:03:21 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 16:03:45 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To:
References:
Message-ID: <47BC4F49.204@ecs.soton.ac.uk>

Mark Sapiro wrote:
> Steve Freegard wrote:
>
>
>> Andrew Chester wrote:
>>
>>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
>>>
>> ^^^
>>
>> There's your problem - you have spaces in your %org-name% setting in
>> MailScanner.conf.
>>
>
> While the space in %org-name% is wrong, it does not seem to be the
> cause of the problem.
>
> Here's what I see in the last few headers and body:
>
> ---------------------------------------------------------------
> content-transfer-encoding: base64
> content-type: text/plain; charset=utf-8
>
> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
> X-Spam-Status: No
>
> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net
> X-Spam-Status: No
>
> WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz
> IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu
> Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg
> YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK
> -----------------------------------------------------------------
>
> The two sets of MailScanner headers are curious, but it looks from the
> Received: headers that the message passed twice through
> apollo.ukuvuma.co.za so it was probably scanned twice.
>
> The real problem is the empty lines preceding each set of MailScanner
> headers. This causes the MailScanner headers to be part of the body
> which totally destroys the base64 encoding and results in the garbled
> message.
>
> I suspect that all base64 encoded messages get garbled this way and
> non-base64 encoded messages show the MailScanner headers in the body.
>
> Perhaps someone with more MailScanner experience has a clue as to why
> the MailScanner headers are preceded by an empty line.
>
It's probably the MTA (or MailScanner) attempting to render the message in a form correct for the next mail handling program it passes through. There should always be a blank line after the last header. But I don't guarantee what MailScanner will do if the headers end on an incomplete line, as it never happens in real mail that hasn't been screwed by something (in your case, the space in %org-name%).

The point about spaces in %org-name% is very clearly documented in the MailScanner.conf file.

If you break that rule I make no guarantees what may happen to your mail.

I will add some more code to check for that and flag it very boldly in the logs, and ensure that MailScanner --debug and MailScanner --lint check for it too.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

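Added example (not part of any list message, and not MailScanner or sendmail code): a short Python sketch of the failure discussed in this thread, using Python's standard email parser as a stand-in for a receiving mail program. The org names, addresses and message are constructed, `org_name_is_safe` and `parse_report` are names chosen here, and the allowed character set is the one Julian Field's debug warning later in this thread lists (a-z, A-Z, 0-9 and "-").

```python
import base64
import binascii
import re
from email import message_from_string

# Character set the thread gives for %org-name%: a-z, A-Z, 0-9 and "-".
ORG_NAME_RE = re.compile(r"[A-Za-z0-9-]+")

# Constructed sample body; not taken from the thread.
PLAINTEXT = b"Your newsletter text\n"


def org_name_is_safe(org_name):
    """True if org_name can be embedded in a header field name."""
    return ORG_NAME_RE.fullmatch(org_name) is not None


def build_message(org_name):
    """Constructed base64 message carrying a per-site X-<org>-MailScanner-From header."""
    return (
        "From: sender@example.com\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "Content-Transfer-Encoding: base64\n"
        f"X-{org_name}-MailScanner-From: sender@example.com\n"
        "X-Spam-Status: No\n"
        "\n"
        + base64.b64encode(PLAINTEXT).decode("ascii") + "\n"
    )


def strict_decode(payload):
    """Decode a base64 body; return None if it contains non-base64 text."""
    try:
        return base64.b64decode("".join(payload.split()), validate=True)
    except binascii.Error:
        return None


def parse_report(org_name):
    """Parse the constructed message and report where the header block ended."""
    msg = message_from_string(build_message(org_name))
    payload = msg.get_payload()
    return {
        # Headers after the malformed line are lost to the body.
        "spam_status": msg["X-Spam-Status"],
        # The parser records that the header block ended without a blank line.
        "defects": [type(d).__name__ for d in msg.defects],
        # First line the parser treats as body text.
        "body_first_line": payload.splitlines()[0],
        # None means the body is no longer valid base64.
        "decoded": strict_decode(payload),
    }


if __name__ == "__main__":
    for name in ("ExampleOrg", "Example Org"):
        print(repr(name), org_name_is_safe(name), parse_report(name))
```

A field name cannot contain a space, so the parser stops reading headers at the `X-Example Org-...` line; that line and everything after it become body text, which is why the base64 content no longer decodes.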
From uxbod at splatnix.net Wed Feb 20 16:07:08 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Feb 20 16:07:32 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC4F49.204@ecs.soton.ac.uk>
Message-ID: <21904417.1681203523628463.JavaMail.root@office.splatnix.net>

Jules, perhaps MS should not even start if that is the case ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From mark at msapiro.net Wed Feb 20 17:04:17 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Feb 20 17:04:30 2008
Subject: OT Spam Assassin Prefs question
In-Reply-To:
Message-ID:

Scott B. Anderson wrote:

>My users have been seeing a large amount of Russian charset email spam. How
> would I set a SA rule to include all Cyrillic (sp) emails or would this be
> better set at the MTA (sendmail in my case) ?

You could set a header rule something like

header X_RULE_NAME Content-Type =~ /charset="?(ibm-855|iso-8859-5|iso-ir-11|koi8-r|koi8-u|maccyrillic|macukranian|windows-1251|cp-866)/i

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From Andrew.Chester at ukuvuma.co.za Wed Feb 20 17:30:50 2008
From: Andrew.Chester at ukuvuma.co.za (Andrew Chester)
Date: Wed Feb 20 17:37:59 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <21904417.1681203523628463.JavaMail.root@office.splatnix.net>
Message-ID:

Hi guys

Thanks for the info, I corrected the space between the org-name and this seemed to have solved the problem as I tested it again and this time it was delivered correctly.

Thanks for all the help!

And yes, egg on my face shall we say, I'll read the comments in the config more attentively from now on ;-)

Kind Regards,
Andrew

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080220/30c064bb/attachment.html

From MailScanner at ecs.soton.ac.uk Wed Feb 20 17:42:28 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 17:42:53 2008
Subject: HTML/Newsletters being received as unreadable code
In-Reply-To: <47BC4F49.204@ecs.soton.ac.uk>
References: <47BC4F49.204@ecs.soton.ac.uk>
Message-ID: <47BC6684.7080300@ecs.soton.ac.uk>

Julian Field wrote:
> It's probably the MTA (or MailScanner) attempting to render the
> message in a form correct for the next mail handling program it passes
> through. There should always be a blank line after the last header.
> But I don't guarantee what MailScanner will do if the headers end on
> an incomplete line, as it never happens in real mail that hasn't been
> screwed by something (in your case, the space in %org-name%).
>
> The point about spaces in %org-name% is very clearly documented in the
> MailScanner.conf file.
>
> If you break that rule I make no guarantees what may happen to your mail.
>
> I will add some more code to check for that and flag it very boldly in
> the logs, and ensure that MailScanner --debug and MailScanner --lint
> check for it too.

When you run MailScanner --lint, a polite warning is already shown, which I reckon is sufficient for that case. But when you run MailScanner --debug, there was no obvious warning, so now you get this printed instead, which I think is obvious enough for nearly everyone (the rows of "*"s are included in the output) :

************************************************************************
In MailScanner.conf, your "%org-name%" or "Mail Header" setting
contains spaces and/or other illegal characters.

Including any spaces will break all your mail system.

Otherwise, it should only contain characters from the set a-z, A-Z,
0-9 and "-". While theoretically some other characters are allowed,
many commercial mail systems fail to handle them correctly.

This is clearly noted in the MailScanner.conf file, immediately above
the %org-name% setting. Please read the documentation!
************************************************************************

Clear enough for you? :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Wed Feb 20 17:55:20 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 17:55:43 2008
Subject: OT Spam Assassin Prefs question
In-Reply-To:
References:
Message-ID: <47BC6988.2080101@ecs.soton.ac.uk>

Mark Sapiro wrote:
> Scott B. Anderson wrote:
>
>
>> My users have been seeing a large amount of Russian charset email spam. How
>> would I set a SA rule to include all Cyrillic (sp) emails or would this be
>> better set at the MTA (sendmail in my case) ?
>>
>
>
> You could set a header rule something like
>
> header X_RULE_NAME Content-Type =~
> /charset="?(ibm-855|iso-8859-5|iso-ir-11|koi8-r|koi8-u|maccyrillic|macukranian|windows-1251|cp-866)/
>
There is already functionality built into SpamAssassin to do this for you, probably more reliably than you could code yourself (no insult intended!).

Here's the relevant chunk of "man Mail::SpamAssassin::Conf" ...

ok_locales xx [ yy zz ... ]        (default: all)
    This option is used to specify which locales are considered OK for
    incoming mail. Mail using the character sets that are allowed by this
    option will not be marked as possibly being spam in a foreign language.

    If you receive lots of spam in foreign languages, and never get any
    non-spam in these languages, this may help. Note that all ISO-8859-*
    character sets, and Windows code page character sets, are always
    permitted by default.

    Set this to "all" to allow all character sets. This is the default.

    The rules "CHARSET_FARAWAY", "CHARSET_FARAWAY_BODY", and
    "CHARSET_FARAWAY_HEADERS" are triggered based on how this is set.

    Examples:

      ok_locales all         (allow all locales)
      ok_locales en          (only allow English)
      ok_locales en ja zh    (allow English, Japanese, and Chinese)

    Note: if there are multiple ok_locales lines, only the last one is used.

    Select the locales to allow from the list below:

    en - Western character sets in general
    ja - Japanese character sets
    ko - Korean character sets
    ru - Cyrillic character sets
    th - Thai character sets
    zh - Chinese (both simplified and traditional) character sets

So if you set "ok_locales en" that will probably do what you want.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

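Added example (not part of any list message, and not SpamAssassin code): a Python check of what the charset pattern from the header rule quoted above can and cannot see. The sample messages are constructed, the function names are chosen here, and it assumes the rule is evaluated against the message's top-level Content-Type header only.

```python
import re
from email import message_from_string

# Charset pattern from the header rule posted in the thread, unchanged.
CYRILLIC_CHARSET_RE = re.compile(
    r'charset="?(ibm-855|iso-8859-5|iso-ir-11|koi8-r|koi8-u|maccyrillic|'
    r'macukranian|windows-1251|cp-866)',
    re.IGNORECASE,
)

# Constructed sample: single text part, charset on the top-level header.
SINGLE_PART = (
    "From: a@example.com\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="koi8-r"\n'
    "\n"
    "body\n"
)

# Constructed sample: the charset is declared only on the MIME parts.
MULTIPART = (
    "From: a@example.com\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="sample-boundary"\n'
    "\n"
    "--sample-boundary\n"
    "Content-Type: text/plain; charset=windows-1251\n"
    "\n"
    "body\n"
    "--sample-boundary\n"
    'Content-Type: text/html; charset="windows-1251"\n'
    "\n"
    "<p>body</p>\n"
    "--sample-boundary--\n"
)

# Constructed sample: UTF-8 can carry any script, so the charset name says nothing.
UTF8_PART = (
    "From: a@example.com\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "body\n"
)


def top_level_hit(raw):
    """Apply the pattern to the top-level Content-Type header only."""
    msg = message_from_string(raw)
    return CYRILLIC_CHARSET_RE.search(msg.get("Content-Type", "")) is not None


def any_part_hit(raw):
    """Apply the pattern to the Content-Type of the message and every MIME part."""
    msg = message_from_string(raw)
    return any(
        CYRILLIC_CHARSET_RE.search(part.get("Content-Type", ""))
        for part in msg.walk()
    )


def declared_charsets(raw):
    """Charsets declared anywhere in the message, lower-cased and sorted."""
    msg = message_from_string(raw)
    found = (part.get_content_charset() for part in msg.walk())
    return sorted({charset for charset in found if charset})


if __name__ == "__main__":
    for label, raw in (("single", SINGLE_PART), ("multipart", MULTIPART),
                       ("utf-8", UTF8_PART)):
        print(label, top_level_hit(raw), any_part_hit(raw), declared_charsets(raw))
```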
From itdept at fractalweb.com Wed Feb 20 17:55:36 2008
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Feb 20 17:55:56 2008
Subject: possible corrupt sanesecurity defs
Message-ID: <47BC6998.3060801@fractalweb.com>

Our server downloaded what I believe to be either a corrupt sanesecurity definition file or a valid file with a false-positive. In any case, hundreds of messages were incorrectly tagged as infected. Not a good day.

How do I go about releasing these?

And how can we prevent this from happening in the future?

Any help would be much appreciated.

From brose at med.wayne.edu Wed Feb 20 18:12:21 2008
From: brose at med.wayne.edu (Rose, Bobby)
Date: Wed Feb 20 18:12:41 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC6998.3060801@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com>
Message-ID: <610C64469748E84DB6BDD5BD23F01A764DEE@MED-CORE03-MS1.med.wayne.edu>

I just discovered the same issue. Email.Hdr.Sanesecurity.07021900 is bad and I'm not sure what the thought was behind that one. It looks like the signature is for "Return-Path: < g>"

From mkettler at evi-inc.com Wed Feb 20 18:12:52 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Feb 20 18:13:35 2008
Subject: OT Spam Assassin Prefs question
In-Reply-To:
References:
Message-ID: <47BC6DA4.5000900@evi-inc.com>

Scott B. Anderson wrote:
> My users have been seeing a large amount of Russian charset email spam. How would I set a SA rule to include all Cyrillic (sp) emails or would this be better set at the MTA (sendmail in my case) ?
>

See the "ok_locales" option in the Mail::SpamAssassin::Conf manpage:

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

Note that ok_locales is character set based, not language analysis based like ok_languages. It also supports a *very* limited list of locales, and any unsupported locales are essentially "OK" by default.

You'd probably want to do something like:

ok_locales en ja ko th zh

Which would effectively cause all messages with Cyrillic in them to trigger the CHARSET_FARAWAY rules and be penalized. (note I left "ru" out of the "ok" list).

From itdept at fractalweb.com Wed Feb 20 18:17:09 2008
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Feb 20 18:17:27 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC6998.3060801@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com>
Message-ID: <47BC6EA5.2050903@fractalweb.com>

Chris Yuzik wrote:
> Our server downloaded what I believe to be either a corrupt
> sanesecurity definition file or a valid file with a false-positive. In
> any case, hundreds of messages were incorrectly tagged as infected.
> Not a good day.
>
> How do I go about releasing these?
>
> And how can we prevent this from happening in the future?
>
> Any help would be much appreciated.

I suppose I should point out that it hit on the rule "Email.Hdr.Sanesecurity.07021900"

From Denis.Beauchemin at usherbrooke.ca Wed Feb 20 18:23:48 2008
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Wed Feb 20 18:24:37 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC6998.3060801@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com>
Message-ID: <47BC7034.1050602@USherbrooke.ca>

Chris Yuzik wrote:
> Our server downloaded what I believe to be either a corrupt
> sanesecurity definition file or a valid file with a false-positive. In
> any case, hundreds of messages were incorrectly tagged as infected.
> Not a good day.
>
> How do I go about releasing these?
>
> And how can we prevent this from happening in the future?
>
> Any help would be much appreciated.

Chris,

I've seen many download errors since yesterday:

CURL had a problem getting scam.ndb.gz , error code : 7
Check : /var/tmp/clamdb/SCAM-UpdateSession.log
CURL had a problem getting phish.ndb.gz , error code : 7
Check : /var/tmp/clamdb/PHISH-UpdateSession.log

The download script I use seems robust enough to not install incomplete files: http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From MailScanner at ecs.soton.ac.uk Wed Feb 20 18:28:49 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Feb 20 18:29:21 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC6EA5.2050903@fractalweb.com>
References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com>
Message-ID: <47BC7161.6040603@ecs.soton.ac.uk>

Chris Yuzik wrote:
> Chris Yuzik wrote:
>> Our server downloaded what I believe to be either a corrupt
>> sanesecurity definition file or a valid file with a false-positive.
>> In any case, hundreds of messages were incorrectly tagged as
>> infected. Not a good day.
>>
>> How do I go about releasing these?
>>
>> And how can we prevent this from happening in the future?
>>
>> Any help would be much appreciated.
> I suppose I should point out that it hit on the rule
> "Email.Hdr.Sanesecurity.07021900"
>
>
What MTA are you using? Do you quarantine viruses at all? Do you quarantine them as Raw Queue Files? All of this lot are in your MailScanner.conf file.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From itdept at fractalweb.com Wed Feb 20 18:37:54 2008
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Feb 20 18:38:10 2008
Subject: possible corrupt sanesecurity defs
In-Reply-To: <47BC7161.6040603@ecs.soton.ac.uk>
References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk>
Message-ID: <47BC7382.1090909@fractalweb.com>

Julian Field wrote:
> What MTA are you using? Do you quarantine viruses at all? Do you
> quarantine them as Raw Queue Files? All of this lot are in your
> MailScanner.conf file.
>
> Jules

Julian,

Using Sendmail. We DO quarantine viruses. They are NOT quarantined as raw queue files. So, for example, we have a file called "message" in a dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243.

Thanks,
Chris

From wolfee at earthlink.net Wed Feb 20 18:49:52 2008
From: wolfee at earthlink.net (Matthew Wolfe)
Date: Wed Feb 20 18:50:02 2008
Subject: Return-Path is being rewritten.
Message-ID: <17785475.1203533392418.JavaMail.root@elwamui-muscovy.atl.sa.earthlink.net>

Hi,

I am not sure if this is a MailScanner or Sendmail thing but hopefully you guys can point me in the right direction. I have a client who just got a new email address and when he sends email to me the return path is rewritten to user@webhostingcompany instead of user@domainname. To make things more interesting his webhosting provider and email provider are different companies. If I send email to an email address that is not being scanned by MailScanner the return address is correct.
We scan about 30000 emails a day and I have never seen anything like this. Any suggestions? Thanks Matt From MailScanner at ecs.soton.ac.uk Wed Feb 20 19:14:13 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 20 19:14:37 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: <47BC7382.1090909@fractalweb.com> References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com> Message-ID: <47BC7C05.70106@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Yuzik wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Chris Yuzik wrote: >> >>> Chris Yuzik wrote: >>> >>>> Our server downloaded what I believe to be either a corrupt >>>> sanesecurity definition file or a valid file with a false-positive. >>>> In any case, hundreds of messages were incorrectly tagged as >>>> infected. Not a good day. >>>> >>>> How do I go about releasing these? >>>> >>>> And how can we prevent this from happening in the future? >>>> >>>> Any help would be much appreciated. >>>> >>> I suppose I should point out that it hit on the rule >>> "Email.Hdr.Sanesecurity.07021900" >>> >>> >>> >> What MTA are you using? Do you quarantine viruses at all? Do you >> quarantine them as Raw Queue Files? All of this lot are in your >> MailScanner.conf file. >> >> Jules >> >> - -- Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? 
>> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> PGP public key: http://www.jules.fm/julesfm.asc >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.8.0 (Build 2158) >> Comment: Use Thunderbird Enigmail to verify this message >> Charset: ISO-8859-1 >> >> wj8DBQFHvHFrEfZZRxQVtlQRArX7AKCgUl3Mr1Udy1226jhGVUkt1IP7QgCfQZqb >> znH6KxhHWD4e4di5VsCQJGI= >> =mlGj >> -----END PGP SIGNATURE----- >> >> > Julian, > > Using Sendmail. We DO quarantine viruses. They are NOT quarantined as > raw queue files. So, for example, we have a file called "message" in a > dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243. In which case something like this should do the trick more or less:

    bash
    cd /var/spool/MailScanner/quarantine/20080220
    # each quarantined mail is the file "message" inside its own directory
    for F in *
    do
      [ -f "$F/message" ] || continue
      /usr/sbin/sendmail -t < "$F/message"
      echo "$F"
    done

That should deliver the message to where the mail said it was addressed to in the headers, not the original envelope, but it's probably close enough. I have just had a good look at a sample of messages caught by this signature, and yes there are a lot of them. However they all appear to be spam. So I'm just going to let MailScanner deal with them appropriately, no need for panic actions here. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHvHwIEfZZRxQVtlQRAjMEAJ97uTelKrxys03R+7Dk2neaHIrC5wCfXQp0 AWSiTNy/MGSSmeIpsME3sCQ= =CRV7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
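A more selective form of the release loop in the message above, as an added example that is not part of the thread or of MailScanner: it releases only the message IDs on a list, refuses anything that is not a plain queue ID, skips chosen senders, and hands the file to sendmail without a shell. The function names, the `postmaster` skip list, the stub used in `demo()` and the sample messages are assumptions made for the illustration.

```python
import re
import subprocess
import sys
import tempfile
from email.parser import BytesHeaderParser
from email.utils import parseaddr
from pathlib import Path

# Sendmail queue IDs such as m1KHWhuB006243 are plain alphanumerics. Anything
# else (slashes, dots, shell metacharacters) is refused before it touches a path.
QUEUE_ID = re.compile(r"[A-Za-z0-9]{6,32}")


def sender_local_part(message_path):
    """Local part of the From: header address, lower-cased ('' if absent)."""
    with open(message_path, "rb") as fh:
        headers = BytesHeaderParser().parse(fh)
    address = parseaddr(str(headers.get("From", "")))[1]
    return address.split("@")[0].lower()


def release(day_dir, ids, sendmail=("/usr/sbin/sendmail", "-t"),
            skip_senders=("postmaster",)):
    """Feed <day_dir>/<id>/message to sendmail for each listed ID.

    Returns {id: status}. As with the loop in the thread, "sendmail -t" takes
    the recipients from the headers, not from the original envelope.
    """
    day_dir = Path(day_dir).resolve()
    results = {}
    for raw in ids:
        qid = raw.strip()
        if not QUEUE_ID.fullmatch(qid):
            results[qid] = "rejected: not a queue id"
            continue
        folder = day_dir / qid
        message = folder / "message"
        # Refuse symlinks so an entry cannot point outside the quarantine.
        if folder.is_symlink() or message.is_symlink() or not message.is_file():
            results[qid] = "missing"
            continue
        if sender_local_part(message) in skip_senders:
            results[qid] = "skipped: sender"
            continue
        # argv list plus a stdin handle: no shell ever parses the ID or path.
        with open(message, "rb") as fh:
            done = subprocess.run(list(sendmail), stdin=fh, check=False)
        results[qid] = ("released" if done.returncode == 0
                        else "failed: exit %d" % done.returncode)
    return results


def demo():
    """Run release() over a constructed quarantine, with a stub for sendmail."""
    with tempfile.TemporaryDirectory() as tmp:
        day = Path(tmp) / "20080220"
        samples = {  # constructed messages, not real mail
            "m1KHWhuB006243":
                b"From: alice@example.org\nTo: bob@example.org\n\nhello\n",
            "m1KEoKOn020766":
                b"From: postmaster@example.org\nTo: postmaster@example.org\n\nbounce\n",
        }
        for qid, content in samples.items():
            (day / qid).mkdir(parents=True)
            (day / qid / "message").write_bytes(content)
        delivered = Path(tmp) / "delivered"
        # Stub standing in for sendmail: appends whatever arrives on stdin.
        stub = (sys.executable, "-c",
                "import sys; open(sys.argv[1], 'ab').write(sys.stdin.buffer.read())",
                str(delivered))
        ids = ["m1KHWhuB006243", "m1KEoKOn020766",
               "../../etc/passwd", "m1KZZZZZ000000"]
        results = release(day, ids, sendmail=stub)
        return results, delivered.read_bytes()


if __name__ == "__main__":
    statuses, _ = demo()
    for qid, status in statuses.items():
        print(qid, "->", status)
```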
From ugob at lubik.ca Wed Feb 20 19:28:08 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Feb 20 19:28:42 2008 Subject: HTML mangle Message-ID: Hi, src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg" (should be src="http://www.domain.com/path/to/image.jpg"" Anyone seen this kind of html mangle done by MailScanner? The image doesn't show in the HTML message. I can provide more details off-list if needed. Regards, Ugo From uxbod at splatnix.net Wed Feb 20 19:34:24 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 20 19:34:48 2008 Subject: HTML mangle In-Reply-To: Message-ID: <21611048.1741203536064776.JavaMail.root@office.splatnix.net> do you happen to have the original email you could post somewhere ? you could change the headers etc. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Ugo Bellavance" wrote: > Hi, > > src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg" > > (should be src="http://www.domain.com/path/to/image.jpg"" > > Anyone seen this kind of html mangle done by MailScanner? > > The image doesn't show in the HTML message. > > I can provide more details off-list if needed. > > Regards, > > Ugo -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ugob at lubik.ca Wed Feb 20 19:56:18 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Feb 20 19:56:46 2008 Subject: HTML mangle In-Reply-To: <21611048.1741203536064776.JavaMail.root@office.splatnix.net> References: <21611048.1741203536064776.JavaMail.root@office.splatnix.net> Message-ID: --[ UxBoD ]-- wrote: > do you happen to have the original email you could post somewhere ? you could change the headers etc. The original e-mail, you mean the original code? No, I don't have it on hand. 
Regards, Ugo From itdept at fractalweb.com Wed Feb 20 20:00:49 2008 From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Feb 20 20:01:09 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: <47BC7C05.70106@ecs.soton.ac.uk> References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com> <47BC7C05.70106@ecs.soton.ac.uk> Message-ID: <47BC86F1.4080403@fractalweb.com> Julian Field wrote: >> Julian, >> >> Using Sendmail. We DO quarantine viruses. They are NOT quarantined as >> raw queue files. So, for example, we have a file called "message" in a >> dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243. >> > In which case something like this should do the trick more or less: > > bash > cd /var/spool/MailScanner/quarantine/20080220 > for F in * > do > /usr/sbin/sendmail -t < $F > echo $F > done > > That should deliver the message to where the mail said it was addressed > to in the headers, not the original envelope, but it's probably close > enough. > > I have just had a good look at a sample of messages caught by this > signature, and yes there are a lot of them. > However they all appear to be spam. > So I'm just going to let MailScanner deal with them appropriately, no > need for panic actions here. > > Jules > Jules, I had to modify this a bit because there were approximately 3.2 bazillion files from postmaster to postmaster that were also tagged. Needless to say, I didn't want to re-inject those into the queue. Most of the emails nailed by this false positive were not spam in our case. So what I did was: 1) created MySQL query to give me a list of the message IDs that were incorrectly tagged as being virus infected, and saved that as a text file. 
2) created a small perl script ( I suck at bash scripting ) to loop over the text file and do a system command that looks like '/usr/sbin/sendmail -t < m1KEoKOn020766/message' If anyone wants a copy of my script, please let me know. Thank you again for your help. Cheers, Chris From MailScanner at ecs.soton.ac.uk Wed Feb 20 20:00:49 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 20 20:01:12 2008 Subject: HTML mangle In-Reply-To: References: Message-ID: <47BC86F1.8050401@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ugo Bellavance wrote: > Hi, > > src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg" > > (should be src="http://www.domain.com/path/to/image.jpg"" > > Anyone seen this kind of html mangle done by MailScanner? Nope. Never see that. A URL with an embedded CR+LF sequence? Eek. > > The image doesn't show in the HTML message. > > I can provide more details off-list if needed. > > Regards, > > Ugo > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHvIbzEfZZRxQVtlQRAvyrAKDphGHoXrDK3ng3a06Obu2xz6jwegCfQ3h0 nlso6PEBbx5JVDRus8rJ29U= =Ye54 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From uxbod at splatnix.net Wed Feb 20 20:01:52 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 20 20:02:20 2008 Subject: HTML mangle In-Reply-To: Message-ID: <10206824.1771203537712933.JavaMail.root@office.splatnix.net> I have seen that happen before, but on closer inspection of the email there were some dodgy characters in the email which caused it to be mangled. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Ugo Bellavance" wrote: --[ UxBoD ]-- wrote: > do you happen to have the original email you could post somewhere ? you could change the headers etc. The original e-mail, you mean the original code? No, I don't have it on hand. Regards, Ugo -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From amoore at dekalbmemorial.com Wed Feb 20 20:06:06 2008 From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Wed Feb 20 20:06:16 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: References: <47BC6998.3060801@fractalweb.com> Message-ID: <60D398EB2DB948409CA1F50D8AF12257033F6604@exch1.dekalbmemorial.local> My coworker discovered the same issue before I got into work this morning. It was repeatedly marking system generated e-mails too. It had hit a few thousand messages in a couple of hours. Did anyone submit some of their false positives to the sanesecurity folks? 
-- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, Indiana Phone: 260.920.2808 E-Mail: amoore@dekalbmemorial.com From steve.freegard at fsl.com Wed Feb 20 20:15:12 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Feb 20 20:15:50 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: <47BC6684.7080300@ecs.soton.ac.uk> References: <47BC4F49.204@ecs.soton.ac.uk> <47BC6684.7080300@ecs.soton.ac.uk> Message-ID: <47BC8A50.9000109@fsl.com> Julian Field wrote: > When you run MailScanner --lint, a polite warning is already shown, > which I reckon is sufficient for that case. But when you run MailScanner > - --debug, there was no obvious warning, so now you get this printed > instead, which I think is obvious enough for nearly everyone (the rows > of "*"s are included in the output) : > ************************************************************************ > In MailScanner.conf, your "%org-name%" or "Mail Header" setting > contains spaces and/or other illegal characters. > > Including any spaces will break all your mail system. > > Otherwise, it should only contain characters from the set a-z, A-Z, > 0-9 and "-". While theoretically some other characters are allowed, > many commercial mail systems fail to handle them correctly. > > This is clearly noted in the MailScanner.conf file, immediately above > the %org-name% setting. Please read the documentation! > ************************************************************************ > > Clear enough for you? :-) As this still requires someone to run --lint to get this warning (which a newbie might skip) why not just do the equivalent of: $orgname =~ s/\s+/-/g That way they can't break their mail system accidentally. Cheers, Steve. 
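Why a space in a header name does more than look wrong, shown as an added example (not MailScanner's code, and not from the thread): the field-name pattern follows RFC 5322, the narrower set is the one in the warning quoted above, and `split_message` is a simplified model of a strict parser, since real MTAs differ in how they react. The header name built from "Ukuvuma Solutions" is the one reported in this thread; the function names, the sender address and the body text are constructed for the illustration.

```python
import base64
import re

# RFC 5322 field-name: printable US-ASCII except ":"; a space is not allowed.
FIELD_NAME = re.compile(r"[\x21-\x39\x3b-\x7e]+")
# The narrower set recommended by the warning text quoted in the thread.
SAFE_ORG_NAME = re.compile(r"[A-Za-z0-9-]+")


def normalise_org_name(value):
    """Apply the proposed s/\\s+/-/g, then refuse anything still unsafe."""
    candidate = re.sub(r"\s+", "-", value.strip())
    if not SAFE_ORG_NAME.fullmatch(candidate):
        raise ValueError(
            "org-name %r has characters outside a-z, A-Z, 0-9 and '-'" % value)
    return candidate


def split_message(raw):
    """Simplified strict parser: return (header_lines, body).

    The header block ends at the first blank line, or at the first line that
    is neither a valid "name: value" field nor a folded continuation. In the
    second case that line and everything after it is treated as body.
    """
    lines = raw.split("\n")
    headers = []
    for index, line in enumerate(lines):
        if line == "":
            return headers, "\n".join(lines[index + 1:])
        if line[0] in " \t" and headers:
            headers[-1] += "\n" + line  # folded continuation line
            continue
        name, colon, _ = line.partition(":")
        if not colon or not FIELD_NAME.fullmatch(name):
            return headers, "\n".join(lines[index:])
        headers.append(line)
    return headers, ""


def build_message(org_name, text="Constructed sample body\n"):
    """Base64 message with a scanner header appended to the header block."""
    payload = base64.b64encode(text.encode()).decode()
    return "\n".join([
        "Content-Transfer-Encoding: base64",
        "Content-Type: text/plain; charset=utf-8",
        "X-%s-MailScanner-From: sender@example.org" % org_name,
        "",
        payload,
        "",
    ])


def decoded_body(raw):
    """Decode the base64 body; None if it is no longer valid base64."""
    _, body = split_message(raw)
    try:
        return base64.b64decode("".join(body.split()), validate=True).decode()
    except ValueError:
        return None


if __name__ == "__main__":
    for org in ("Ukuvuma Solutions", normalise_org_name("Ukuvuma Solutions")):
        message = build_message(org)
        headers, _ = split_message(message)
        print("%-18s headers=%d body=%r"
              % (org, len(headers), decoded_body(message)))
```

With the space, the scanner header and the blank line after it land in the body, so the base64 payload no longer decodes; with the normalised name all three headers parse and the body is intact.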
From ugob at lubik.ca Wed Feb 20 20:23:24 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Feb 20 20:23:52 2008 Subject: possible corrupt sanesecurity defs In-Reply-To: <47BC86F1.4080403@fractalweb.com> References: <47BC6998.3060801@fractalweb.com> <47BC6EA5.2050903@fractalweb.com> <47BC7161.6040603@ecs.soton.ac.uk> <47BC7382.1090909@fractalweb.com> <47BC7C05.70106@ecs.soton.ac.uk> <47BC86F1.4080403@fractalweb.com> Message-ID: Chris Yuzik wrote: > Julian Field wrote: >>> Julian, >>> >>> Using Sendmail. We DO quarantine viruses. They are NOT quarantined as >>> raw queue files. So, for example, we have a file called "message" in >>> a dir called /var/spool/MailScanner/quarantine/20080220/m1KHWhuB006243. >>> >> In which case something like this should do the trick more or less: >> >> bash >> cd /var/spool/MailScanner/quarantine/20080220 >> for F in * >> do >> /usr/sbin/sendmail -t < $F >> echo $F >> done >> >> That should deliver the message to where the mail said it was >> addressed to in the headers, not the original envelope, but it's >> probably close enough. >> >> I have just had a good look at a sample of messages caught by this >> signature, and yes there are a lot of them. >> However they all appear to be spam. >> So I'm just going to let MailScanner deal with them appropriately, no >> need for panic actions here. >> >> Jules >> > > Jules, > > I had to modify this a bit because there were approximately 3.2 > bazillion files from postmaster to postmaster that were also tagged. > Needless to say, I didn't want to re-inject those into the queue. > > Most of the emails nailed by this false positive were not spam in our case. > > So what I did was: > 1) created MySQL query to give me a list of the message IDs that were > incorrectly tagged as being virus infected, and saved that as a text file. 
> 2) created a small perl script ( I suck at bash scripting ) to loop over > the text file and do a system command that looks like > '/usr/sbin/sendmail -t < m1KEoKOn020766/message' > > If anyone wants a copy of my script, please let me know. For those who are using MailWatch, I think that there is a way to achieve this... maybe a script is already on the MW list... Ugo From brose at med.wayne.edu Wed Feb 20 20:25:53 2008 From: brose at med.wayne.edu (Rose, Bobby) Date: Wed Feb 20 20:26:09 2008 Subject: FW: [FP] possible corrupt sanesecurity defs Message-ID: <610C64469748E84DB6BDD5BD23F01A764DFB@MED-CORE03-MS1.med.wayne.edu> -----Original Message----- From: Steve Basford [mailto:steveb_clamav@sanesecurity.com] Sent: Wednesday, February 20, 2008 3:08 PM To: Rose, Bobby Subject: Re: [FP] Rose, Bobby wrote: What is this look for? Email.Hdr.Sanesecurity.07021900 This def had "alot" of false positives from all over the place. Here are two header samples. Hi, I've just fixed this problem....when I checked the sig I noticed it had the end bit of the sig chopped off compared to version the other day... not exactly sure how it happened... and very annoyed with myself if it was finger trouble...but it's fixed and uploaded, so should be with the mirrors in about an hour. I can only apologise for the problems caused :( Cheers, Steve From ugob at lubik.ca Wed Feb 20 20:24:59 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Feb 20 20:30:21 2008 Subject: HTML mangle In-Reply-To: <47BC86F1.8050401@ecs.soton.ac.uk> References: <47BC86F1.8050401@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Ugo Bellavance wrote: >> Hi, >> >> src="http://www.dom!%0d%0a%20ain.com/path/to/image.jpg" >> >> (should be src="http://www.domain.com/path/to/image.jpg"" >> >> Anyone seen this kind of html mangle done by MailScanner? > Nope. Never see that. A URL with an embedded CR+LF sequence? Eek.
So you're saying that the problem is in the source HTML code? Is MailScanner changing the CR+LF to the '!%0d%0a%20'? Ugo From MailScanner at ecs.soton.ac.uk Wed Feb 20 20:30:11 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Feb 20 20:30:34 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: <47BC8A50.9000109@fsl.com> References: <47BC4F49.204@ecs.soton.ac.uk> <47BC6684.7080300@ecs.soton.ac.uk> <47BC8A50.9000109@fsl.com> Message-ID: <47BC8DD3.9040209@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Freegard wrote: > Julian Field wrote: > >> When you run MailScanner --lint, a polite warning is already shown, >> which I reckon is sufficient for that case. But when you run >> MailScanner - --debug, there was no obvious warning, so now you get >> this printed instead, which I think is obvious enough for nearly >> everyone (the rows of "*"s are included in the output) : >> ************************************************************************ >> In MailScanner.conf, your "%org-name%" or "Mail Header" setting >> contains spaces and/or other illegal characters. >> >> Including any spaces will break all your mail system. >> >> Otherwise, it should only contain characters from the set a-z, A-Z, >> 0-9 and "-". While theoretically some other characters are allowed, >> many commercial mail systems fail to handle them correctly. >> >> This is clearly noted in the MailScanner.conf file, immediately above >> the %org-name% setting. Please read the documentation! >> ************************************************************************ >> >> Clear enough for you? :-) > > > As this still requires someone to run --lint to get this warning > (which a newbie might skip) why not just do the equivalent of: > > $orgname =~ s/\s+/-/g > > That way they can't break their mail system accidentally. I could, but what happens if they have upgraded their way from an early version and don't use %org-name%?
It really needs doing to a whole bunch of settings which are used as header names. I could try to find all the header settings and automatically apply it to all of the headers, I'll take a look at doing that. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.0 (Build 2158) Comment: Use Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFHvI3VEfZZRxQVtlQRAnlbAJwNtOpFxs/voZG7Cs+sQiXPVblkhgCgzJ8G bgeNkr/jRtEmqzAvoRO+A+w= =seLu -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Wed Feb 20 20:32:00 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 20 20:32:13 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: <47BC4F49.204@ecs.soton.ac.uk> References: <47BC4F49.204@ecs.soton.ac.uk> Message-ID: on 2/20/2008 8:03 AM Julian Field spake the following: > > > Mark Sapiro wrote: >> Steve Freegard wrote: > > >>> Andrew Chester wrote: >>> >>>> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >>>> >>> ^^^ >>> >>> There's your problem - you have spaces in your %org-name% setting in >>> MailScanner.conf. >>> >> While the space in %org-name% is wrong, it does not seem to be the >> cause of the problem. 
> >> Here's what I see in the last few headers and body: > >> --------------------------------------------------------------- >> content-transfer-encoding: base64 >> content-type: text/plain; charset=utf-8 > >> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >> X-Spam-Status: No > >> X-Ukuvuma Solutions-MailScanner-From: support@kalahari.net >> X-Spam-Status: No > >> WW91ciBLYWxhaGFyaS5uZXQgcGFzc3dvcmQgaXMgODAwNjAwCi0tIApUaGlz >> IG1lc3NhZ2UgaGFzIGJlZW4gc2Nhbm5lZCBmb3IgdmlydXNlcyBhbmQKZGFu >> Z2Vyb3VzIGNvbnRlbnQgYnkgdGhlIFVrdXZ1bWEgQXBvbGxvIGdhdGV3YXkg >> YW5kIGlzCmJlbGlldmVkIHRvIGJlIGNsZWFuLgoK >> ----------------------------------------------------------------- > >> The two sets of MailScanner headers are curious, but it looks from the >> Received: headers that the message passed twice through >> apollo.ukuvuma.co.za so it was probably scanned twice. > >> The real problem is the empty lines preceeding each set of MailScanner >> headers. This causes the MailScanner headers to be part of the body >> which totally destroys the base64 encoding and results in the garbled >> message. > >> I suspect that all base64 encoded messages get garbled this way and >> non-bas64 encoded messages show the MailScanner headers in the body. > >> Perhaps someone with more MailScanner experience has a clue as to why >> the MailScanner headers are preceded by an empty line. > > It's probably the MTA (or MailScanner) attempting to render the message > in a form correct for the next mail handling program it passes through. > There should always be a blank line after the last header. But I don't > guarantee what MailScanner will do if the headers end on an incomplete > line, as it never happens in real mail that hasn't been screwed by > something (in your case, the space in %org-name%). > > The point about spaces in %org-name% is very clearly documented in the > MailScanner.conf file. > > If you break that rule I make no guarantees what may happen to your mail. 
> > I will add some more code to check for that and flag it very boldly in > the logs, and ensure that MailScanner --debug and MailScanner --lint > check for it too. > > Jules > If you have to check for the space anyway, how hard would it be to force the space to be an underscore? Still pound the logs with messages, but at least it would work. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080220/b4d67183/signature.bin From uxbod at splatnix.net Wed Feb 20 20:41:20 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Feb 20 20:41:51 2008 Subject: HTML/Newsletters being received as unreadable code In-Reply-To: <47BC8DD3.9040209@ecs.soton.ac.uk> Message-ID: <7838822.1801203540080285.JavaMail.root@office.splatnix.net> Jules, Is the danger though that if somebody has put in a space instead of say a '-' then MS would just continue on its merry way. Would it be better that MS does just not start, but reports out an error ? You could even put in the error message the place in the documentation where it says how to set it correctly ;) Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Julian Field" wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Freegard wrote: > Julian Field wrote: > >> When you run MailScanner --lint, a polite warning is already shown, >> which I reckon is sufficient for that case.
But when you run >> MailScanner - --debug, there was no obvious warning, so now you get >> this printed instead, which I think is obvious enough for nearly >> everyone (the rows of "*"s are included in the output) : >> ************************************************************************ >> In MailScanner.conf, your "%org-name%" or "Mail Header" setting >> contains spaces and/or other illegal characters. >> >> Including any spaces will break all your mail system. >> >> Otherwise, it should only contain characters from the set a-z, A-Z, >> 0-9 and "-". While theoretically some other characters are allowed, >> many commercial mail systems fail to handle them correctly. >> >> This is clearly noted in the MailScanner.conf file, immediately above >> the %org-name% setting. Please read the documentation! >> ************************************************************************ >> >> Clear enough for you? :-) > > > As this still requires someone to run --lint to get this warning > (which a newbie might skip) why not just do the equivalent of: > > $orgname =~ s/\s+/-/g > > That way they can't break their mail system accidentally. I could, but what happens if they have upgraded their way from an early version and don't use %org-name%? It really needs doing to a whole bunch of settings which are used as header names. I could try to find all the header settings and automatically apply it to all of the headers, I'll take a look at doing that. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at J